Firewall Exploits & Firewalking

So for this week, we looked at the concept of firewalking. Firewalking means that you are able to map the firewalls ACL quite stealthy using different tools like:  Traceroute, Hping2 (and3) and various Nmap scripts. Traceroute though is more to determine “where” the firewall is located and maybe what the WAN IP address of the firewall is. But if ICMP is blocked you will not get a firewall IP but instead you will get the IP of the hop in front of the firewall. And you will need to work your way from there. This is a process we have not yet investigated. But will do in the near future.

The PDF Advanced Penetration Testing for Highly-Secured Environments is a nice beginner’s guide for trying to understand the concept of firewalking and in chapter 8 there is a nice setup for testing and tinkering.
The rest of this blog post will feature this setup.


This setup is made partly in VMware, pfsense and the client machines are in VMware and the firewalk machine is running on a non-virtual backtrack OS.


First of we will try the Hping approach. This specific Hping is trying to determine which ports are open by starting at port 1 and incrementing by 1 for each try until it reaches port 80. This is easily avoided by
blocking ICMP on the pfsense firewall.
Now by evoking this nmap script command:  nmap –script=firewalk –traceroute  we are now able to Traceroute to a “known” host behind the firewall.


As you can see we used port 443 to determine the Trace.
This is a really loud way of going by your business and the System Log on Pfsense should pop with tcp syn package from
So the next thing to figure out is how to get stealthy.

Bonus info on getting stealthy. The Paper on that is: Idle Port Scanning and Non-interference Analysis of Network Protocol Stacks Using Model Checking.


This is the firewall program that we installed on our backtrack machine. It needed some configuration in some of the files in order to get it running. In this example we are using port 21 which is open on the firewall to scan the ACL on the pfsense from the inside. It needs a host IP on the inside which is pretty easy to guess. It will much likely be in the private IP range. Then you need the wan IP of the firewall. The interesting part of this scan is that it is really stealthy. It uses a port that is open to gain access to the inside of the network and then does the port scan from the inside. That means there will not be any unusual traffic through or on the outside of the firewall. The solution to avoid this should be to enable NAT. We will be looking into this in more details later on.

Many questions need answering and hopefully we will have those answers at the exam.



Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s