Tries to discover firewall rules using an IP TTL expiration technique known as firewalking.
To determine a rule on a given gateway, the scanner sends a probe to a metric (the target host) located behind the gateway, with a TTL one higher than the gateway's hop count. If the gateway forwards the probe, an ICMP_TIME_EXCEEDED reply is expected from the next-hop router, or from the metric itself if it is directly connected to the gateway. Otherwise, the probe times out.
The scan starts with a TTL equal to the distance to the target. If the probe times out, it is resent with the TTL decreased by one. Once an ICMP_TIME_EXCEEDED reply arrives, the scan is over for that probe: the hop that expired it is the last hop the probe reached, so that hop is reported as the gateway blocking the port. Because a missing reply is read as filtering, a hop that suppresses or rate-limits ICMP time-exceeded messages shifts the reported rule to the hop before it.
Every filtered ("no-reply") TCP and UDP port is probed. As with UDP scans, this process can be quite slow if lots of ports are blocked by a gateway close to the scanner.
From an original idea of M. Schiffman and D. Goldsmith, authors of the firewalk tool.
Scan parameters can be controlled using the
Script arguments:
firewalk.max-probed-ports: maximum number of ports to probe per protocol. Set to -1 to scan every filtered port.
firewalk.max-retries: the maximum number of allowed retransmissions.
firewalk.recv-timeout: the duration of the packet capture loop (in milliseconds).
firewalk.max-active-probes: maximum number of parallel active probes.
firewalk.probe-timeout: validity period of a probe (in milliseconds).
Example usage:
nmap --script=firewalk --traceroute <host>
nmap --script=firewalk --traceroute --script-args=firewalk.max-retries=1 <host>
nmap --script=firewalk --traceroute --script-args=firewalk.probe-timeout=400ms <host>
nmap --script=firewalk --traceroute --script-args=firewalk.max-probed-ports=7 <host>
Script output:
| firewalk:
| HOP HOST        PROTOCOL  BLOCKED PORTS
| 2   192.168.1.1 tcp       21-23,80
|                 udp       21-23,80
| 6   10.0.1.1    tcp       67-68
| 7   10.0.1.254  tcp       25
|_                udp       25
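The decreasing-TTL inference described above, simulated over a constructed path so it runs offline. This is an added illustration, not code from the Nmap project: the topology, the hop addresses (chosen to mirror the sample output), the `Hop` class and the function names are all assumptions made for the example. It also shows the failure mode where a hop that suppresses ICMP time-exceeded replies causes the rule to be attributed to the hop before it.

```python
from dataclasses import dataclass, field


@dataclass
class Hop:
    """One router (or, last in the path, the metric) on the traced route. Constructed for the simulation."""
    addr: str
    blocked: set = field(default_factory=set)   # {(proto, port)} this gateway refuses to forward
    sends_time_exceeded: bool = True            # False models a hop that never emits ICMP time exceeded


def send_probe(path, ttl, proto, port):
    """Simulated network: walk the probe hop by hop and return what the scanner would observe.

    Returns ("time-exceeded", hop_addr), ("reply", metric_addr) or ("timeout", None).
    """
    for hop in path[:-1]:                       # every router before the metric
        ttl -= 1
        if ttl == 0:                            # TTL expired here: ICMP_TIME_EXCEEDED unless suppressed
            return ("time-exceeded", hop.addr) if hop.sends_time_exceeded else ("timeout", None)
        if (proto, port) in hop.blocked:        # forwarding rule drops the probe silently
            return ("timeout", None)
    return ("reply", path[-1].addr)             # the metric itself answers


def firewalk_port(path, proto, port, max_retries=2, probe=send_probe):
    """Start at the distance to the metric and lower the TTL until a hop expires the probe.

    Returns (hop_number, hop_addr) of the hop reported as blocking proto/port, or None
    when the port is not filtered on this path or no hop ever answered.
    """
    ttl = len(path)
    while ttl >= 1:
        for _ in range(max_retries + 1):        # retransmit before treating silence as filtering
            kind, addr = probe(path, ttl, proto, port)
            if kind == "time-exceeded":         # last hop reached: the one holding the rule
                return (ttl, addr)
            if kind == "reply":                 # metric answered: not blocked along the route
                return None
        ttl -= 1
    return None


def compress_ports(ports):
    """Render ports as nmap-style ranges, e.g. [21, 22, 23, 80] -> '21-23,80'."""
    out, start, prev = [], None, None
    for p in sorted(set(ports)):
        if start is None:
            start = prev = p
        elif p == prev + 1:
            prev = p
        else:
            out.append(f"{start}-{prev}" if start != prev else str(start))
            start = prev = p
    if start is not None:
        out.append(f"{start}-{prev}" if start != prev else str(start))
    return ",".join(out)


def firewalk_report(path, filtered, max_retries=2):
    """Group blocked ports by (hop, address) and protocol, like the script's output table.

    `filtered` lists the (proto, port) pairs that gave no reply in the initial port scan.
    """
    table = {}
    for proto, port in filtered:
        hit = firewalk_port(path, proto, port, max_retries)
        if hit is not None:
            table.setdefault(hit, {}).setdefault(proto, []).append(port)
    return {key: {proto: compress_ports(ps) for proto, ps in protos.items()}
            for key, protos in sorted(table.items())}


# Constructed topology: hop numbers and blocked ports mirror the sample output above.
BLOCKED_AT_HOP2 = {(proto, p) for proto in ("tcp", "udp") for p in (21, 22, 23, 80)}
PATH = [
    Hop("10.10.10.1"),                                          # hop 1, constructed
    Hop("192.168.1.1", blocked=BLOCKED_AT_HOP2),                # hop 2
    Hop("10.0.0.2"), Hop("10.0.0.3"), Hop("10.0.0.4"),          # hops 3-5, constructed
    Hop("10.0.1.1", blocked={("tcp", 67), ("tcp", 68)}),        # hop 6
    Hop("10.0.1.254", blocked={("tcp", 25), ("udp", 25)}),      # hop 7
    Hop("10.0.2.10"),                                           # hop 8: the metric, constructed
]
FILTERED = sorted(BLOCKED_AT_HOP2 | {("tcp", 67), ("tcp", 68), ("tcp", 25), ("udp", 25)})


if __name__ == "__main__":
    for (hop, addr), protos in firewalk_report(PATH, FILTERED).items():
        for proto, ports in protos.items():
            print(f"{hop:<3} {addr:<12} {proto:<8} {ports}")
```

With `sends_time_exceeded=False` on hop 7, the tcp/25 probe at TTL 7 times out just like the filtered probes, and the first time-exceeded arrives from hop 6, which the report then names as the blocker. A defender reading firewalk output against a suspected device should keep that attribution error in mind.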
License: Same as Nmap--See https://nmap.org/book/man-legal.html