firewalking ?

    • #3798
      Anonymous
      Participant

      Hello, this is my first topic:  🙂
        I would like to know about firewalking, and Google doesn’t want to help me. I have read that it is used to test ACLs and firewalls, but how? Is it a “popular” technique? And the site of the firewalk is down  🙁
       

    • #24278
      hayabusa
      Participant

      Here’s a link to what firewalking is actually meant for:

      http://articles.techrepublic.com.com/5100-10878_11-5055357.html

      Basically, the idea of firewalking is to send traffic with increased TTL (time to live) so they’ll try to go PAST the firewall.  This is effective in that, if a port is open on the firewall, you can get past the firewall, and enumerate services running on servers / machines sitting in the DMZ, or on the production network (if the DMZ isn’t properly configured, or is not being used.)

      It IS a popular technique, and I use it all the time, as do others, in testing the effectiveness of ACLs.  Basically, you’ll quickly find out if ACLs are only allowing traffic to the proper hosts behind the firewall, if they’re blocking the traffic, or if they’re not stopping anything, at all, and you start seeing responses from systems that SHOULDN’T be accessible from the public firewall / router interfaces.

      It can be handy, as sometimes, you’ll find a vulnerable machine / service sitting in there, that you wouldn’t normally find through ‘traditional’ port scans and others, and it allows you to ‘map out’ the dmz, etc.

      HTH.

    • #24279
      hayabusa
      Participant

      Additionally, here’s another useful link for firewall testing, which talks about firewalking, nmap and a few other tools for use in the process:

      http://www.vesaria.com/Firewall/Testing/eye_of_hacker.php

    • #24280
      Anonymous
      Participant

      Great, I see that it is a technique that must or should be used as a complement to an nmap scan.

    • #24281
      timmedin
      Participant

      As an aside, the countermeasure for this is to disable outbound ICMP_TIME_EXCEEDED or just icmp in general.
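
Added example (not part of any post in this thread): an offline Python model of the probing hayabusa describes and of the countermeasure in timmedin's post. The ACL, the addresses and the `Gateway`, `probe` and `audit` names are constructed for illustration; no packets are sent.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Gateway:
    acl: list                                  # ordered (network, port, action); first match wins
    drop_outbound_time_exceeded: bool = False  # countermeasure named in the thread

    def permits(self, dst, port):
        addr = ipaddress.ip_address(dst)
        for net, rule_port, action in self.acl:
            if addr in ipaddress.ip_network(net) and rule_port in (port, "any"):
                return action == "permit"
        return False                           # implicit deny

def probe(gw, dst, port):
    """Model one probe whose TTL expires one hop past the gateway."""
    if not gw.permits(dst, port):
        return "no-reply"          # dropped by the ACL at the gateway
    # Forwarded: the next hop sees TTL reach zero and answers with ICMP
    # time exceeded, which must leave through the gateway again.
    if gw.drop_outbound_time_exceeded:
        return "no-reply"
    return "time-exceeded"

def audit(gw, intended, targets):
    """(dst, port) pairs the probe shows passing the ACL that policy does not intend."""
    return sorted(t for t in targets
                  if probe(gw, *t) == "time-exceeded" and t not in intended)

# Constructed sample data (RFC 5737 documentation addresses).
ACL = [("192.0.2.10/32", 80, "permit"),
       ("192.0.2.0/24", 22, "permit")]      # over-broad: SSH to the whole DMZ
INTENDED = {("192.0.2.10", 80), ("192.0.2.10", 22)}
TARGETS = [(h, p) for h in ("192.0.2.10", "192.0.2.20") for p in (22, 80, 3306)]
GW = Gateway(ACL)
HARDENED = Gateway(ACL, drop_outbound_time_exceeded=True)

if __name__ == "__main__":
    print("unintended exposure:", audit(GW, INTENDED, TARGETS))
    print("with ICMP time-exceeded dropped:", audit(HARDENED, INTENDED, TARGETS))
```

In this model the hardened gateway yields an empty audit even though the over-broad SSH rule is still in the ACL, so the countermeasure hides the rule from the probe rather than correcting it.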

    • #24282
      unsupported
      Participant

      @timmedin wrote:

      As an aside, the countermeasure for this is to disable outbound ICMP_TIME_EXCEEDED or just icmp in general.

      If you disable the outbound ICMP you would also affect the internal users wanting to get out.  Is it an option to disable the inbound ICMP?  Granted, this would still allow an attacker internally to firewalk from an internal server to see what outbound ports are available on the firewall.

    • #24283
      timmedin
      Participant

      Blocking outbound ICMP won’t have any effect on non-admin users. They aren’t going to be using ping or any of the other ICMP functionality. They receive ICMP responses, but shouldn’t send any ICMP messages.

    • #24284
      Anonymous
      Participant

      I see that the common thing to do is to block only incoming traffic from the outside and let all the outgoing icmp pass

    • #24285
      Jhaddix
      Participant

      The Packetstorm page has the tools and guides for all things firewalk:

      http://www.packetstormsecurity.org/UNIX/audit/firewalk/

      =)


Copyright ©2021 Caendra, Inc.
