Nmap firewalk NSE Script


This page contains detailed information about how to use the firewalk NSE script. For a list of all NSE scripts, visit the Nmap NSE Library.


Script Overview


Script source code: https://github.com/nmap/nmap/tree/master/scripts/firewalk.nse
Script categories: safe, discovery
Target service / protocol: -
Target network port(s): -
List of CVEs: -

Script Description


The firewalk.nse script tries to discover firewall rules using an IP TTL expiration technique known as firewalking.

To determine a rule on a given gateway, the scanner sends a probe to a metric located behind the gateway, with a TTL one higher than the gateway's hop count. If the gateway forwards the probe, we can expect an ICMP_TIME_EXCEEDED reply from the gateway's next-hop router, or possibly from the metric itself if it is directly connected to the gateway. Otherwise, the probe will time out.

The scan starts with a TTL equal to the distance to the target. If the probe times out, it is resent with the TTL decreased by one. If an ICMP_TIME_EXCEEDED reply is received, the scan is over for this probe.

Every "no-reply" filtered TCP and UDP port is probed. As with UDP scans, this process can be quite slow if many ports are blocked by a gateway close to the scanner.
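
The descending-TTL loop described above, modelled offline as an added example (it is not code from firewalk.nse and sends no packets). The path, the blocked-port sets and the function names are constructed for illustration, and the model assumes that a router answers an expiring probe before filtering it and that the target never replies.

```python
TIME_EXCEEDED, TIMEOUT = "ICMP_TIME_EXCEEDED", "timeout"

def send_probe(gateways, ttl, proto, port):
    """Model one probe; gateways[i] is the set of (proto, port) dropped at hop i+1.

    Assumptions of this model: a router answers an expiring probe before it
    applies its filter, and the target (one hop past the last gateway) stays
    silent, because only "no-reply" filtered ports are probed.
    """
    for hop, blocked in enumerate(gateways, start=1):
        if ttl == hop:
            return TIME_EXCEEDED, hop   # TTL ran out at this router
        if (proto, port) in blocked:
            return TIMEOUT, None        # dropped silently by this gateway
    return TIMEOUT, None                # delivered to the silent target

def firewalk(gateways, proto, port):
    """Walk the TTL down from the target distance.

    Returns (hop, probes_sent): hop is the router that answered, i.e. the
    deepest gateway the probe is known to have reached, or None if no router
    answered at all.
    """
    distance = len(gateways) + 1        # target is one hop behind the last gateway
    for sent, ttl in enumerate(range(distance, 0, -1), start=1):
        reply, hop = send_probe(gateways, ttl, proto, port)
        if reply == TIME_EXCEEDED:
            return hop, sent            # the scan is over for this probe
    return None, distance

# Constructed path: three gateways in front of a target at hop 4.
PATH = [{("udp", 161)}, {("tcp", 80)}, {("tcp", 25)}]

if __name__ == "__main__":
    for proto, port in [("tcp", 25), ("tcp", 80), ("udp", 161)]:
        hop, sent = firewalk(PATH, proto, port)
        print(f"{proto}/{port}: stopped at hop {hop} after {sent} probes")
```

The probe count grows as the blocking gateway gets closer to the scanner, and every unanswered probe costs a full timeout, which is the slowdown the paragraph above describes.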

Scan parameters can be controlled using the firewalk.* optional arguments.

Based on an original idea by M. Schiffman and D. Goldsmith, authors of the firewalk tool.

Firewalk NSE Script Arguments


This is a full list of arguments supported by the firewalk.nse script:

firewalk.max-active-probes

Maximum number of parallel active probes.

firewalk.max-probed-ports

Maximum number of ports to probe per protocol. Set to -1 to scan every filtered port.

firewalk.max-retries

The maximum number of allowed retransmissions.

firewalk.probe-timeout

Validity period of a probe (in milliseconds).

firewalk.recv-timeout

The duration of the packets capture loop (in milliseconds).

To use these script arguments, add them to the Nmap command line using the --script-args arg1=value,[arg2=value,..] syntax. For example:

nmap --script=firewalk --script-args firewalk.max-active-probes=value,firewalk.max-probed-ports=value <target>

Firewalk NSE Script Example Usage


Here are some examples of how to use the firewalk.nse script:

nmap --script=firewalk --traceroute <host>

nmap --script=firewalk --traceroute --script-args=firewalk.max-retries=1 <host>

nmap --script=firewalk --traceroute --script-args=firewalk.probe-timeout=400ms <host>

nmap --script=firewalk --traceroute --script-args=firewalk.max-probed-ports=7 <host>

Firewalk NSE Script Example Output


Here's a sample output from the firewalk.nse script:

| firewalk:
| HOP HOST         PROTOCOL  BLOCKED PORTS
| 2   192.168.1.1  tcp       21-23,80
|                  udp       21-23,80
| 6   10.0.1.1     tcp       67-68
| 7   10.0.1.254   tcp       25
|_                 udp       25
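
A parser for the table above, added here as an example for auditing the reported blocks against the rules a gateway is supposed to enforce (it is not part of Nmap or of the original page). The INTENDED policy and all function names are hypothetical, and the sample input is the table from this page.

```python
import re

# Constructed input: the table from the sample output above.
SAMPLE = """\
| firewalk:
| HOP HOST         PROTOCOL  BLOCKED PORTS
| 2   192.168.1.1  tcp       21-23,80
|                  udp       21-23,80
| 6   10.0.1.1     tcp       67-68
| 7   10.0.1.254   tcp       25
|_                 udp       25
"""

# Hypothetical intended policy (an assumption of this example): host -> {(proto, port)}.
INTENDED = {
    "192.168.1.1": {(p, n) for p in ("tcp", "udp") for n in (21, 22, 23)},
    "10.0.1.1": {("tcp", 67), ("tcp", 68)},
    "10.0.1.254": {("tcp", 25), ("udp", 25)},
}

# A data row; HOP and HOST are empty on rows that continue the previous gateway.
ROW = re.compile(r"^\|_?\s+(?:(\d+)\s+(\S+)\s+)?(tcp|udp)\s+([\d,-]+)\s*$")

def expand_ports(spec):
    """Turn '21-23,80' into [21, 22, 23, 80]."""
    ports = []
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.extend(range(int(lo), int(hi or lo) + 1))
    return ports

def parse_firewalk(text):
    """Return {(hop, host, proto): [ports]} for every data row of the table."""
    rules, hop, host = {}, None, None
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue                    # title and column-header lines
        if m.group(1):
            hop, host = int(m.group(1)), m.group(2)
        if hop is None:
            raise ValueError("continuation row before any gateway row")
        rules[(hop, host, m.group(3))] = expand_ports(m.group(4))
    return rules

def unexpected_blocks(rules, intended):
    """Sorted (host, proto, port) triples that are blocked but not in the intended policy."""
    return sorted((host, proto, port) for (_, host, proto), ports in rules.items()
                  for port in ports if (proto, port) not in intended.get(host, set()))
```

With the sample table and the hypothetical policy, unexpected_blocks(parse_firewalk(SAMPLE), INTENDED) flags port 80 on 192.168.1.1 for both protocols.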

Firewalk NSE Script Example XML Output


There is no sample XML output for this module. However, if you provide the -oX <file> option, Nmap will produce XML output and save it to the specified file.

Author


  • Henri Doreau


See Also


Visit Nmap NSE Library for more scripts.

Firewalk NSE Script Error Messages


The firewalk.nse script may log the following error messages. Each one is emitted through stdnse.debug1, so it appears only when Nmap runs with debugging enabled (-d). The snippets below, taken from the script source code, show where each message is raised and can often help identify the root cause of a problem.

Invalid reply to port %d/tcp


Here is a relevant code snippet related to the "Invalid reply to port %d/tcp" error message. The same check appears in two places in the script source:

          table.remove(scanner.active_probes, i)
        end
      end

    else
      stdnse.debug1("Invalid reply to port %d/tcp", ip2.tcp_dport)
    end
  end,

  --- create a TCP probe packet
  -- @param host Host object that represents the destination

Invalid reply to port %d/udp


Here is a relevant code snippet related to the "Invalid reply to port %d/udp" error message. The same check appears in two places in the script source:

          table.remove(scanner.active_probes, i)
        end
      end

    else
      stdnse.debug1("Invalid reply to port %d/udp", ip2.udp_dport)
    end

  end,

  --- create a generic UDP probe packet, with IP ttl and destination port set to zero

Invalid protocol for reply (%d)


Here is a relevant code snippet related to the "Invalid protocol for reply (%d)" error message. The same check appears in two places in the script source:

      local proto_func = proto_vtable[proto2str(ip2.ip_p)]
      if proto_func then
        -- mark port as forwarded and discard any related pending probes
        proto_func.update_scan(scanner, ip, ip2)
      else
        stdnse.debug1("Invalid protocol for reply (%d)", ip2.ip_p)
      end
    end
  end,
}

Invalid time specification for option: firewalk.recv-timeout (%s)


Here is a relevant code snippet related to the "Invalid time specification for option: firewalk.recv-timeout (%s)" error message:

  if timespec then

    RecvTimeout = parse_timespec_ms(timespec)

    if not RecvTimeout then
      stdnse.debug1("Invalid time specification for option: firewalk.recv-timeout (%s)", timespec)
      return false
    end

  else
    -- no value supplied: use default

Invalid time specification for option: firewalk.probe-timeout (%s)


Here is a relevant code snippet related to the "Invalid time specification for option: firewalk.probe-timeout (%s)" error message:

  if timespec then

    ProbeTimeout = parse_timespec_ms(timespec)

    if not ProbeTimeout then
      stdnse.debug1("Invalid time specification for option: firewalk.probe-timeout (%s)", timespec)
      return false
    end

  else
    -- no value supplied: use default

Version


This page has been created based on Nmap version 7.92.
