June 7, 2004

Whether you are a standalone Net surfer or an enterprise providing Web and other services to its customers, the firewall plays an integral role in either case. It secures your network from outside as well as internal attacks, so it is essential to have a properly configured one. But it often happens that a firewall is misconfigured through human error, while the administrator is creating or inheriting the firewall rules, and attackers can exploit such rules to gain access to your internal network. So here is a proof-of-concept tool called Firewalk, which can determine the ACL (Access Control List) of your firewall and find loopholes in its routing table configuration. Knowing this, you can fix the loopholes before an attacker finds and exploits them.

Installing Firewalk
Installing Firewalk is easy and requires no great knowledge of either Linux or networking. When it comes to running it, the opposite is true. So let us first see how to install it and then talk about its usage.

Applies to: System and security administrators
Assess the vulnerabilities in your firewall configuration 

To install Firewalk, first take this month's Essential CD and copy the files firewalk.tar.gz and libnet.tar.gz to your home directory. Then extract and install them by issuing the following commands, doing libnet first, since Firewalk is built against it.

# tar -zxvf filename.tar.gz
# cd filename
# make && make install

How it works
Firewalk works at two levels. If you have used the Linux traceroute command with its switches, you will recognise the first level: Firewalk sends packets with limited TTL (Time to Live) values and uses the ICMP replies to locate the firewall, just as traceroute locates each hop. At the second level, Firewalk probes through the firewall and scans for open ports on a node behind it.

Normally, every gateway that forwards an IP packet from one network to another decrements the packet's TTL by one; in the case of a firewall, the packet is being forwarded from the insecure (external) network to the secure (internal) one. When the TTL reaches zero, the packet is discarded, and the router that discards it reports this back to the sender with an ICMP time-exceeded message. The mechanism exists to destroy a packet after a fixed number of hops so that it cannot circulate endlessly in the network. Firewalk relies on exactly this: if you send a packet through a port the firewall permits, addressed to a host behind it, with a TTL chosen to expire one hop past the firewall, the packet crosses the firewall, expires, and the time-exceeded message that comes back shows that the port is open. If the firewall filters that port, the packet is dropped silently and no such message returns. That is how Firewalk fools the firewall and sees past it.

Now comes scanning, which Firewalk does in two steps. First, it finds the last hop that responds before filtering takes place, exactly as the traceroute command does. Once that last responding IP is discovered, Firewalk uses it as the gateway through which it sends packets into the network. For this you need the IP address or DNS name of some node inside the network. In a DMZ (De-militarized Zone) the addresses are usually allocated in sequence after the firewall's own address, so they are easy to guess. You give this address to Firewalk as the metric: the node that Firewalk will target and scan for open ports once it is past the firewall.
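The same property that Firewalk relies on, probes arriving at the border with a constant and unusually small TTL while walking across destination ports, is what a firewall administrator can look for in the logs. The following Python script is an added example, not part of the article or of the Firewalk tool; it parses constructed iptables-style LOG lines and flags such sources. The addresses, the log lines, the TTL threshold and the minimum port count are all assumptions.

```python
import re
from collections import defaultdict

# Constructed iptables LOG lines (not from the article): five probes from
# 203.0.113.5 with a fixed low TTL across several ports, plus normal traffic.
SAMPLE_LOG = """\
Jun  7 10:00:01 fw kernel: IN=eth0 OUT=eth1 SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TTL=2 PROTO=TCP SPT=53 DPT=21
Jun  7 10:00:01 fw kernel: IN=eth0 OUT=eth1 SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TTL=2 PROTO=TCP SPT=53 DPT=22
Jun  7 10:00:01 fw kernel: IN=eth0 OUT=eth1 SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TTL=2 PROTO=TCP SPT=53 DPT=80
Jun  7 10:00:02 fw kernel: IN=eth0 OUT=eth1 SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TTL=2 PROTO=TCP SPT=53 DPT=100
Jun  7 10:00:02 fw kernel: IN=eth0 OUT=eth1 SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TTL=2 PROTO=TCP SPT=53 DPT=443
Jun  7 10:00:03 fw kernel: IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TTL=118 PROTO=TCP SPT=40512 DPT=100
Jun  7 10:00:04 fw kernel: IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TTL=118 PROTO=TCP SPT=40513 DPT=100
"""

FIELD_RE = re.compile(r"(SRC|DST|TTL|PROTO|SPT|DPT)=(\S+)")

def parse_line(line):
    """Return the SRC/DST/TTL/PROTO/SPT/DPT fields of one LOG line, or None."""
    fields = dict(FIELD_RE.findall(line))
    if not {"SRC", "DST", "TTL", "DPT"} <= set(fields):
        return None
    fields["TTL"] = int(fields["TTL"])
    fields["DPT"] = int(fields["DPT"])
    return fields

def find_firewalk_probes(log_text, max_ttl=4, min_ports=5):
    """Flag (SRC, DST) pairs whose packets all carry one small TTL (max_ttl is
    an assumed threshold; a packet reaching a border firewall with TTL <= 4 is
    far below any OS default) and touch >= min_ports distinct destination ports."""
    per_pair = defaultdict(lambda: {"ttls": set(), "ports": set()})
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None:
            continue
        entry = per_pair[(f["SRC"], f["DST"])]
        entry["ttls"].add(f["TTL"])
        entry["ports"].add(f["DPT"])
    hits = {}
    for pair, entry in per_pair.items():
        if (len(entry["ttls"]) == 1 and max(entry["ttls"]) <= max_ttl
                and len(entry["ports"]) >= min_ports):
            hits[pair] = {"ttl": next(iter(entry["ttls"])),
                          "ports": sorted(entry["ports"])}
    return hits

if __name__ == "__main__":
    for (src, dst), info in find_firewalk_probes(SAMPLE_LOG).items():
        print(f"possible Firewalk scan from {src} toward {dst}: "
              f"TTL={info['ttl']} ports={info['ports']}")
```

The logging itself requires a LOG rule ahead of the DROP rule on the firewall's external interface; without it, filtered probes leave no trace at all.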

How we tested
To check how Firewalk works, we configured a Linux-based firewall called IPCop (which we discussed in the article IPCop Firewall Appliance, page 90, PCQuest, October 2003). We set up the firewall by assigning to the external network (Red), to the DMZ (Orange) and to the internal network (Green). We then connected a Win 2000 machine to the DMZ network and started a Web server on it at port 100. The IP allocated to this Win 2000 machine was After this we created a DMZ pinhole on the firewall and forwarded IP to IP.

Finally, we are ready to run Firewalk. Connect a laptop, with Firewalk installed, to the external network of the firewall and run the following command.

# firewalk -pTCP <firewall external IP> <DMZ host IP>
(The first address is the target gateway, the firewall itself; the second is the metric, the DMZ host to be scanned.)

Firewalk started sending its TTL-limited probes and found a hop on the first attempt; as ours was a small setup with a single gateway, the firewall itself, there was nothing further to discover. It then scanned for open ports on the Web server in the DMZ and, yes, it found the DMZ pinhole exactly as expected.

Bottom line: with the help of this small tool called Firewalk, you can scan the ACLs of layer 3/4 firewalls and even build a rough map of the network behind one.

Anindya Roy
