AOs,
I thought I could write a tiny tut about one firewall subject of interest: Firewalking
"Hackers know the weaknesses of your system. Shouldn't you "


What's Firewalking?
It's a technique for determining a firewall's ruleset from an external standpoint: which TCP/UDP ports the gateway lets through to the hosts it protects, deduced from the way it handles probe packets rather than from any answer of those hosts.

Traceroute details:
Traceroute relies on the IP TTL: every router that forwards a packet decrements its TTL by one, and a router that would bring the TTL to 0 drops the packet instead and sends an ICMP Time_Exceeded back to the packet's source, using its own IP address as the source of that message. Most ISP routers allow ICMP Time_Exceeded generation (where it is disabled or rate-limited, the hop simply shows up blank).
The traceroute principle is "hop ramping" on the TTL:

- send a first packet with TTL=1 to the destination host/network: the first router on the path decrements the TTL to 0, drops the packet and generates the ICMP Time_Exceeded to the traceroute source host
=> IP address of the first router between the origin and the target
- send a second packet with TTL=2: the first router decrements the TTL to 1 and forwards the packet, the second router decrements it to 0, drops it and generates the ICMP Time_Exceeded to the traceroute source host
=> IP address of the second router between the origin and the target
- ......
- until the destination host answers itself (a host does not decrement the TTL of packets addressed to it, so it replies normally: ICMP Port_Unreachable to the classic UDP probes sent to an unused high port, or an Echo Reply to ICMP probes), or until no more replies come back to the origin, typically because a firewall on the path drops the probes.

Firewalking Principle:
The principle is very simple: it is the traceroute principle, extended with TCP/UDP probe packets aimed at the ports whose filtering you want to test.

The firewalking technique needs 2 input information:
1- the IP address of the gateway whose ruleset is being mapped (the firewall itself, or the last gateway in front of it)
2- obviously, the IP address of a host protected by that gateway

The hop ramping technique, run toward the protected host, gives the hop count of the gateway: it shows up as one of the ICMP Time_Exceeded sources, because TTL expiry is handled before any filter rule is consulted. Then a TCP/UDP port scan is sent to the protected host with the TTL fixed to that hop count plus one. A probe the gateway lets through expires at the very next hop, which answers with an ICMP Time_Exceeded: for each such reply the associated port is considered open (passed) on the firewall. If the protected host is itself that next hop, it answers directly (TCP RST or SYN/ACK, ICMP Port_Unreachable for UDP), and any answer at all means the probe got through. If no reply is received the port is probably filtered, with the caveat that silence can also mean the reply itself was blocked on its way back.
Note that this maps the gateway's ruleset, not the services running on the host, since the probes never need to reach it; coupling the results with classical nmap SYN or ACK probes against the host (and the RST/SYN-ACK they elicit) gives a clear view of what the firewall is really protecting.
Of course an administrator aware of the technique may take countermeasures to mitigate firewalking, the classic one being to stop ICMP Time_Exceeded messages generated behind the firewall from leaving the network.
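The hop ramping and the TTL = gateway hops + 1 probe described above, as an added example that is not part of the original post or of the firewalk tool: a small pure-Python model of a path (ISP routers, a firewall with a forwarding ruleset, an internal router, a protected host), with traceroute and the firewalk scan run against it offline. All addresses, the RULES set, the listening ports and the drop_icmp_errors_out switch are constructed assumptions for the illustration. The model also covers the case where the protected host is the hop right behind the firewall (it then answers itself with TCP RST/SYN-ACK or ICMP Port Unreachable instead of a Time Exceeded coming from a router) and the classic countermeasure of dropping ICMP error messages that try to leave the protected network, which makes every port look filtered.

```python
"""Offline model of traceroute hop ramping and the firewalk probe.
Added example, not code from the original post or the firewalk project; the
topology, addresses and rules are constructed, nothing touches a real network."""
from dataclasses import dataclass, field
from typing import Optional

ICMP_TIME_EXCEEDED, ICMP_PORT_UNREACH = "ICMP Time Exceeded", "ICMP Port Unreachable"
TCP_SYN_ACK, TCP_RST = "TCP SYN/ACK", "TCP RST"

@dataclass
class Probe:
    dst: str
    ttl: int
    proto: str = "udp"  # "udp" or "tcp"
    dport: int = 33434  # classic UDP traceroute base port

@dataclass
class Hop:
    ip: str
    allow: Optional[set] = None         # None: plain router; else (proto, port) pairs a firewall forwards
    drop_icmp_errors_out: bool = False  # countermeasure: ICMP errors from inside never get out
    listening: set = field(default_factory=set)  # ports the host itself listens on

@dataclass
class Reply:
    src: str
    kind: str

def send(path, probe):
    """Walk one probe down the path as routers would; return the Reply the sender sees, or None."""
    ttl, icmp_blocked = probe.ttl, False
    for hop in path:
        if hop.ip == probe.dst:
            # Delivered: a host does not decrement the TTL of traffic addressed to it.
            if probe.proto == "tcp":
                reply = Reply(hop.ip, TCP_SYN_ACK if probe.dport in hop.listening else TCP_RST)
            elif probe.dport in hop.listening:
                return None  # UDP to an open port gets no answer
            else:
                reply = Reply(hop.ip, ICMP_PORT_UNREACH)
            break
        ttl -= 1  # forwarding decrements the TTL
        if ttl == 0:
            # Expiry is handled before any filter rule, so the firewall itself
            # shows up in a traceroute whatever port the probe carries.
            reply = Reply(hop.ip, ICMP_TIME_EXCEEDED)
            break
        if hop.allow is not None:
            if (probe.proto, probe.dport) not in hop.allow:
                return None  # filtered: dropped without notice
            icmp_blocked = icmp_blocked or hop.drop_icmp_errors_out
    else:
        return None  # destination is not on this path
    if icmp_blocked and reply.kind.startswith("ICMP"):
        return None  # the ICMP error is eaten on its way back out
    return reply

def traceroute(path, dst, max_hops=8):
    """Hop ramping: TTL 1, 2, 3, ... until the destination itself answers; '*' = no reply."""
    hops = []
    for ttl in range(1, max_hops + 1):
        reply = send(path, Probe(dst, ttl, "udp", 33434 + ttl - 1))
        hops.append(reply.src if reply else "*")
        if reply and reply.src == dst:
            break
    return hops

def firewalk(path, gateway, target, ports, max_hops=8):
    """Ramp toward the target until the gateway shows up, then probe each (proto, port)
    with TTL = gateway hop count + 1. Any reply (Time Exceeded from the hop behind the
    gateway, or the target answering when it is that hop) means the gateway forwarded
    the probe; silence means filtered, or a reply blocked on its way back."""
    trace = traceroute(path, target, max_hops)
    if gateway not in trace:
        raise ValueError("gateway never answered during hop ramping")
    probe_ttl = trace.index(gateway) + 2  # 0-based index, so hop count + 1
    results = {}
    for proto, port in ports:
        reply = send(path, Probe(target, probe_ttl, proto, port))
        results[(proto, port)] = "filtered" if reply is None else f"passed: {reply.kind} from {reply.src}"
    return results

# Constructed site: two ISP routers, the firewall, an internal router, the protected host.
FW, INNER, TARGET = "198.51.100.1", "192.0.2.1", "192.0.2.10"
RULES = {("tcp", 25), ("tcp", 443), ("udp", 53)}
NETWORK = [Hop("203.0.113.1"), Hop("203.0.113.254"), Hop(FW, allow=RULES),
           Hop(INNER), Hop(TARGET, listening={443})]
HARDENED = [Hop("203.0.113.1"), Hop("203.0.113.254"),  # same site, countermeasure on
            Hop(FW, allow=RULES, drop_icmp_errors_out=True), Hop(INNER), Hop(TARGET, listening={443})]
PORTS = [("tcp", 22), ("tcp", 25), ("tcp", 443), ("udp", 53), ("udp", 161)]

if __name__ == "__main__":
    print("traceroute:", traceroute(NETWORK, TARGET))
    for key, verdict in firewalk(NETWORK, FW, TARGET, PORTS).items():
        print(f"{key[0]}/{key[1]}: {verdict}")
    print("hardened:", firewalk(HARDENED, FW, TARGET, PORTS))
```

Against NETWORK the traceroute shows the two ISP routers, then the firewall, then only stars (its UDP probes to high ports are dropped), while the firewalk run reports tcp/25, tcp/443 and udp/53 as passed with a Time Exceeded from the internal router and tcp/22 and udp/161 as filtered. Against HARDENED the firewall is still found during ramping (the Time Exceeded it generates itself is never filtered), but every port comes back as filtered, which is exactly the blind spot the countermeasure creates and the reason to cross-check with direct nmap probes of the host.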

Open source implementation and more detailed information:
http://www.packetfactory.net/firewalk/

I hope this info may open some network admins' eyes.