Building.Open.Source.Network.Security.Tools.Components.And.Techniques [Electronic resources] (text version)

Mike D. Schiffman

Firewalk in Practice

Firewalk, when invoked with no arguments, dumps its usage:


tradecraft: ~# ./firewalk
Firewalk 5.0 [gateway ACL scanner]
Usage : ./firewalk [options] target_gateway metric
[-d 0 - 65535] destination port (ramping phase)
[-h] program help
[-i device] interface
[-n] do not resolve IP addresses into hostnames
[-p TCP | UDP] firewalk protocol
[-r] strict RFC adherence
[-S x - y, z] port range to scan
[-s 0 - 65535] source port
[-T 1 - 1000] packet read timeout in ms
[-t 1 - 25] IP time to live
[-v] program version
[-x 1 - 8] expire vector

The arguments are all optional with the exception of the target_gateway and metric hosts. The -d switch enables the user to choose a different destination port for the ramping phase (which defaults to the traceroute starting port, 33434). The -i switch enables the user to specify an alternative interface. The -n switch prevents Firewalk from resolving IP addresses into hostnames, which might increase performance by eliminating time-consuming DNS lookups. The -p switch specifies the protocol to scan with during the scanning phase. As of version 5.0, Firewalk only supports UDP and TCP, defaulting to UDP. The -r switch enables strict RFC standards adherence (described next). The -S switch enables the user to specify an alternative port list to scan for the scanning phase (the default is 1-130,139,1025). The -s switch enables the user to specify a different source port to scan with for both phases (the default is 53). The -T switch enables the user to specify the timeout that Firewalk will wait for packets to return (the default is 2). The -t switch enables the user to preload an IP TTL value. For example, if the user knew that the target_gateway was eight hops out, he or she might want to start the scan with "-t 8" in order to skip the initial ramping phase, thus moving to the scanning phase more quickly. The -x switch is more of an advanced parameter that enables the user to tune how many hops beyond the target_gateway the binding host is.

A sample UDP-based invocation of Firewalk is as follows:


tradecraft: ~# ./firewalk -n -pUDP -S1-10,123,161 172.16.18.2 192.168.36.1
Firewalk 5.0 [gateway ACL scanner]
Firewalk state initialization completed successfully.
UDP-based scan.
Ramping phase source port: 53, destination port: 33434
Hotfoot through 172.16.18.2 using 192.168.36.1 as a metric.
Ramping Phase:
1 (TTL 1): expired [10.0.0.1]
2 (TTL 2): expired [10.0.1.1]
3 (TTL 3): expired [10.0.2.1]
4 (TTL 4): expired [10.0.9.2]
5 (TTL 5): expired [10.44.20.1]
6 (TTL 6): expired [10.44.22.1]
7 (TTL 7): expired [172.16.18.2]
Binding host reached.
Scan bound at 8 hops.
Scanning Phase:
port 1: open (expired) [172.16.20.2]
port 2: open (expired) [172.16.20.2]
port 3: open (expired) [172.16.20.2]
port 4: open (expired) [172.16.20.2]
port 5: open (expired) [172.16.20.2]
port 6: open (expired) [172.16.20.2]
port 7: open (expired) [172.16.20.2]
port 8: open (expired) [172.16.20.2]
port 9: open (expired) [172.16.20.2]
port 10: open (expired) [172.16.20.2]
port 123: *no response*
port 161: open (expired) [172.16.20.2]
Total packets sent; 19
Total packet errors: 0
Total packets caught 23
Total packets caught of interest 19
Total ports scanned 12
Total ports open: 11
Total ports unknown: 0

As we can see, Firewalk reached the target gateway at seven hops and bound the scan at eight hops. During scanning, Firewalk found that port 123 (NTP) was filtered and that the rest of the probes were passed through the target gateway. Another sample invocation of Firewalk is as follows:


tradecraft: # ./firewalk -n 10.0.10.1 10.33.10.29
Firewalk 5.0 [gateway ACL scanner]
Firewalk state initialization completed successfully.
UDP-based scan.
Ramping phase source port: 53, destination port: 33434
Hotfoot through 10.0.10.1 using 10.33.10.29 as a metric.
Ramping Phase:
1 (TTL 1): expired [10.20.19.1]
2 (TTL 2): expired [10.20.44.1]
3 (TTL 3): expired [10.30.0.10]
4 (TTL 4): expired [10.33.9.9]
5 (TTL 5): terminal (unreach ICMP_UNREACH_PORT) [10.33.10.29]
scan aborted: metric responded before target; must not be en route.
Total packets sent: 5
Total packet errors: 0
Total packets caught 10
Total packets caught of interest 5
Total ports scanned 0
Total ports open: 0
Total ports unknown: 0

Firewalk tried its hardest to reach the target gateway to bind the scan, but it just was not in the cards. The metric responded before the target gateway and ended the scan. The solution here is either to find a different metric or to move the Firewalk scanner to a physically different location from which the target gateway lies en route to that metric. Another UDP-based scan is as follows:


tradecraft: ~# ./firewalk -n -S20-25,53,80 172.31.234.82 172.31.254.20
Firewalk 5.0 [gateway ACL scanner]
Firewalk state initialization completed successfully.
UDP-based scan.
Ramping phase source port: 53, destination port: 33434
Hotfoot through 172.31.234.82 using 172.31.254.20 as a metric.
Ramping Phase:
1 (TTL 1): expired [10.20.19.1]
2 (TTL 2): expired [10.20.44.1]
3 (TTL 3): expired [10.30.0.10]
4 (TTL 4): expired [10.33.9.9]
5 (TTL 5): expired [10.161.124.53]
6 (TTL 6): expired [10.228.44.49]
7 (TTL 7): expired [10.232.3.137]
8 (TTL 8): expired [20.181.1.133]
9 (TTL 9): expired [192.168.14.162]
10 (TTL 10): expired [192.168.14.121]
11 (TTL 11): expired [192.168.5.99]
12 (TTL 12): expired [192.168.5.123]
13 (TTL 13): expired [192.168.5.113]
14 (TTL 14): expired [192.168.30.14]
15 (TTL 15): expired [192.168.30.142]
16 (TTL 16): expired [172.22.229.229]
17 (TTL 17): expired [172.22.228.129]
18 (TTL 18): expired [172.22.230.254]
19 (TTL 19): expired [172.22.230.121]
20 (TTL 20): expired [172.22.230.118]
21 (TTL 21): expired [172.22.230.158]
22 (TTL 22): expired [172.22.119.229]
23 (TTL 23): expired [172.31.200.230]
24 (TTL 24): expired [172.31.234.158]
25 (TTL 25): expired [172.31.234.82]
Binding host reached.
Scan bound at 26 hops.
Scanning Phase:
port 20: A! unknown (unreach ICMP_UNREACH_PORT) [172.31.254.20]
port 21: A! unknown (unreach ICMP_UNREACH_PORT) [172.31.254.20]
port 22: A! unknown (unreach ICMP_UNREACH_PORT) [172.31.254.20]
port 23: A! unknown (unreach ICMP_UNREACH_PORT) [172.31.254.20]
port 24: A! unknown (unreach ICMP_UNREACH_PORT) [172.31.254.20]
port 25: A! unknown (unreach ICMP_UNREACH_PORT) [172.31.254.20]
port 53: *no response*
port 80: A! unknown (unreach ICMP_UNREACH_PORT) [172.31.254.20]
Scan completed successfully.
Total packets sent: 33
Total packet errors: 0
Total packets caught 65
Total packets caught of interest 32
Total ports scanned 8
Total ports open: 0
Total ports unknown: 7

This time, Firewalk had a ways to go (25 hops) before reaching the target gateway and binding the scan. Also of note is the fact that Firewalk determined that the target gateway and metric hosts were adjacent to each other (Firewalk displays the A! when it figures this situation out). This situation enables Firewalk to perform a rudimentary port scan on the metric (assuming that the probes are passed by the target gateway). As we discussed in Chapter 9, however, when a host receives an arbitrary UDP packet, it will either return an ICMP port unreachable message if the port is closed or drop the packet silently if the port is open. This is what we see here. Probes to ports 20-25 and 80 are accepted through the target gateway and are found to be closed on the metric (the ICMP port unreachable message confirms this). Port 53 (DNS) is an unknown quantity because no response was received. If we assume that the probe was passed by the target gateway, we can assume that the port is open. Constructing a legitimate DNS query would be the only way to confirm it.

Another invocation of Firewalk using the same hosts, this time TCP-based, is as follows:


tradecraft: ~# ./firewalk -n -pTCP -S20-25,80 172.31.234.82 172.31.254.20
Firewalk 5.0 [gateway ACL scanner]
Firewalk state initialization completed successfully.
TCP-based scan.
Ramping phase source port: 53, destination port: 33434
Hotfoot through 172.31.234.82 using 172.31.254.20 as a metric.
Ramping Phase:
1 (TTL 1): expired [10.20.19.1]
2 (TTL 2): expired [10.20.44.1]
3 (TTL 3): expired [10.30.0.10]
4 (TTL 4): expired [10.33.9.9]
5 (TTL 5): expired [10.161.124.53]
6 (TTL 6): expired [10.228.44.49]
7 (TTL 7): expired [10.232.3.137]
8 (TTL 8): expired [20.181.1.133]
9 (TTL 9): expired [192.168.14.162]
10 (TTL 10): expired [192.168.14.121]
11 (TTL 11): expired [192.168.5.99]
12 (TTL 12): expired [192.168.5.123]
13 (TTL 13): expired [192.168.5.113]
14 (TTL 14): expired [192.168.30.14]
15 (TTL 15): expired [192.168.30.142]
16 (TTL 16): expired [172.22.229.229]
17 (TTL 17): expired [172.22.228.129]
18 (TTL 18): expired [172.22.230.254]
19 (TTL 19): expired [172.22.230.121]
20 (TTL 20): expired [172.22.230.118]
21 (TTL 21): expired [172.22.230.158]
22 (TTL 22): expired [172.22.119.229]
23 (TTL 23): expired [172.31.200.230]
24 (TTL 24): expired [172.31.234.158]
25 (TTL 25): expired [172.31.234.82]
Binding host reached.
Scan bound at 26 hops.
Scanning Phase:
port 20: A! open (port not listen) [172.31.254.20]
port 21: A! open (port not listen) [172.31.254.20]
port 22: A! open (port listen) [172.31.254.20]
port 23: A! open (port not listen) [172.31.254.20]
port 24: A! open (port not listen) [172.31.254.20]
port 25: A! open (port listen) [172.31.254.20]
port 80: A! open (port listen) [172.31.254.20]
Scan completed successfully.
Total packets sent: 32
Total packet errors: 0
Total packets caught 64
Total packets caught of interest 30
Total ports scanned 7
Total ports open: 7
Total ports unknown: 0

Again, Firewalk detected the adjacent host situation, but this time—because it was configured to scan by using TCP—Firewalk can be more confident with its results. Firewalk could not only pass all of the probes through the target gateway but also port scan the metric and determine that port 23 (telnet), port 25 (SMTP), and port 80 (HTTP) were open.
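The sessions above all have to be read by hand: an "expired" reply from a host beyond the gateway means the ACL passed the probe, silence means it was filtered, and in the "A!" adjacency case the reply type also says something about the metric itself (ICMP port unreachable or RST means closed, SYN/ACK means listening, and with UDP silence is ambiguous between a filtered port and an open service). The following Python parser is an added example, not code from the book or from the Firewalk project: it reads Firewalk 5.0's printed output as shown above and applies exactly those rules. The sample outputs are trimmed from the sessions on this page (constructed test data); the class, function and verdict strings are my own names.

```python
"""Parse Firewalk 5.0 output into a per-port ACL verdict (added example, not Firewalk's code)."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Ramping-phase lines, e.g. "7 (TTL 7): expired [172.16.18.2]" or
# "5 (TTL 5): terminal (unreach ICMP_UNREACH_PORT) [10.33.10.29]"
RAMP_RE = re.compile(r"^(\d+) \(TTL (\d+)\): (expired|terminal)(?: \((.*?)\))? \[([^\]]+)\]$")
# Scanning-phase lines, e.g. "port 123: *no response*" or
# "port 22: A! open (port listen) [172.31.254.20]"
PORT_RE = re.compile(r"^port (\d+): (A! )?(open|unknown|\*no response\*)(?: \((.*?)\))?(?: \[([^\]]+)\])?$")


@dataclass
class FirewalkResult:
    protocol: str = ""                              # "UDP" or "TCP"
    bound_at: Optional[int] = None                  # hop count the scan was bound at
    aborted: bool = False                           # metric answered before the gateway
    hops: list = field(default_factory=list)        # (ttl, "expired"/"terminal", responding host)
    adjacent: bool = False                          # Firewalk printed "A!": metric sits right behind the gateway
    verdicts: dict = field(default_factory=dict)    # port -> verdict string

    def passed(self):
        """Ports whose probes the gateway let through."""
        return sorted(p for p, v in self.verdicts.items() if v.startswith("passed"))

    def filtered(self):
        """Ports whose probes drew no reply, with no adjacency ambiguity."""
        return sorted(p for p, v in self.verdicts.items() if v.startswith("filtered"))

    def ambiguous(self):
        """Ports where silence could be the ACL or an open UDP service on the metric."""
        return sorted(p for p, v in self.verdicts.items() if v.startswith("ambiguous"))


def classify(protocol, state, detail, adjacent):
    """Map one scanning-phase line to a verdict using the interpretation rules from the text."""
    if state == "*no response*":
        if adjacent and protocol == "UDP":
            # An open UDP port on the metric also drops the probe silently.
            return "ambiguous: filtered by gateway or open UDP service on metric"
        return "filtered: no response through gateway"
    if detail == "expired":
        return "passed: TTL expired on a host beyond the gateway"
    if detail and "ICMP_UNREACH_PORT" in detail:
        return "passed: closed on metric (ICMP port unreachable)"
    if detail == "port listen":
        return "passed: listening on metric"
    if detail == "port not listen":
        return "passed: not listening on metric"
    return f"passed: {detail or state}"


def parse_firewalk(output: str) -> FirewalkResult:
    """Parse the text Firewalk prints for one scan."""
    r = FirewalkResult()
    port_lines = []
    for raw in output.splitlines():
        line = raw.strip()
        if line.endswith("-based scan."):
            r.protocol = line.split("-", 1)[0]
        elif line.startswith("Scan bound at"):
            r.bound_at = int(line.split()[3])
        elif line.startswith("scan aborted"):
            r.aborted = True
        elif (m := RAMP_RE.match(line)):
            r.hops.append((int(m.group(2)), m.group(3), m.group(5)))
        elif (m := PORT_RE.match(line)):
            if m.group(2):
                r.adjacent = True
            port_lines.append(m)
    # Adjacency is a property of the whole scan, so classify after the full pass.
    for m in port_lines:
        r.verdicts[int(m.group(1))] = classify(r.protocol, m.group(3), m.group(4), r.adjacent)
    return r


# Constructed samples, trimmed from the sessions shown in the text.
SAMPLE_UDP = """\
UDP-based scan.
Ramping Phase:
6 (TTL 6): expired [10.44.22.1]
7 (TTL 7): expired [172.16.18.2]
Binding host reached.
Scan bound at 8 hops.
Scanning Phase:
port 1: open (expired) [172.16.20.2]
port 123: *no response*
port 161: open (expired) [172.16.20.2]
"""
SAMPLE_ABORTED = """\
UDP-based scan.
Ramping Phase:
4 (TTL 4): expired [10.33.9.9]
5 (TTL 5): terminal (unreach ICMP_UNREACH_PORT) [10.33.10.29]
scan aborted: metric responded before target; must not be en route.
"""
SAMPLE_ADJACENT_UDP = """\
UDP-based scan.
Scan bound at 26 hops.
Scanning Phase:
port 20: A! unknown (unreach ICMP_UNREACH_PORT) [172.31.254.20]
port 53: *no response*
port 80: A! unknown (unreach ICMP_UNREACH_PORT) [172.31.254.20]
"""
SAMPLE_TCP = """\
TCP-based scan.
Scan bound at 26 hops.
Scanning Phase:
port 22: A! open (port listen) [172.31.254.20]
port 23: A! open (port not listen) [172.31.254.20]
"""

if __name__ == "__main__":
    for name, sample in [("udp", SAMPLE_UDP), ("aborted", SAMPLE_ABORTED),
                         ("adjacent-udp", SAMPLE_ADJACENT_UDP), ("tcp", SAMPLE_TCP)]:
        res = parse_firewalk(sample)
        print(name, "bound_at", res.bound_at, "aborted" if res.aborted else "", res.verdicts)
```

Feeding real Firewalk output through parse_firewalk gives the same summary the prose above derives by eye, and the ambiguous() list is the set of ports that, in the UDP adjacency case, would need an application-level probe (the legitimate DNS query the text mentions for port 53) before they can be called open or filtered.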
