Nmap firewalk NSE Script
This page contains detailed information about how to use the firewalk NSE script. For a list of all NSE scripts, visit the Nmap NSE Library.
Script Overview
Script source code: https://github.com/nmap/nmap/tree/master/scripts/firewalk.nse
Script categories: safe, discovery
Target service / protocol: -
Target network port(s): -
List of CVEs: -
Script Description
The firewalk.nse script tries to discover firewall rules using an IP TTL expiration technique known as firewalking.
To determine a rule on a given gateway, the scanner sends a probe to a metric located behind the gateway, with a TTL one higher than the gateway. If the probe is forwarded by the gateway, then we can expect to receive an ICMP_TIME_EXCEEDED reply from the gateway's next-hop router, or eventually from the metric itself if it is directly connected to the gateway. Otherwise, the probe will time out.
The scan starts with a TTL equal to the distance to the target. If the probe times out, it is resent with a TTL decreased by one. If we get an ICMP_TIME_EXCEEDED, then the scan is over for this probe.
Every "no-reply" filtered TCP and UDP port is probed. As with UDP scans, this process can be quite slow if lots of ports are blocked by a gateway close to the scanner.
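The TTL walk described above, as a toy offline model (an added example, not code from firewalk.nse; it sends no packets). The function names, the `PATH` layout and the drop-silently behaviour are assumptions of the model; the gateway rules are borrowed from the sample output on this page.

```python
# Toy model of the TTL walk described above; added example, not firewalk.nse code.
# Assumptions: a filtering gateway drops the probe silently, TTL expiry is handled
# before filtering, and the target never answers a filtered port.

def send_probe(path, port, ttl):
    """Return the hop that answers with ICMP time exceeded, or None on timeout.

    path[k-1] is the set of ports the gateway at hop k refuses to forward.
    """
    for hop in range(1, ttl):            # gateways that must forward the probe
        if port in path[hop - 1]:
            return None                  # dropped before the TTL ran out
    # Past the last gateway the probe reaches the target, which stays silent.
    return ttl if ttl <= len(path) else None


def firewalk(path, port):
    """Walk the TTL down from the target distance.

    Returns (blocking_hop, timed_out_probes).
    """
    distance = len(path) + 1             # target sits one hop past the last gateway
    timeouts = 0
    for ttl in range(distance, 0, -1):
        replier = send_probe(path, port, ttl)
        if replier is not None:
            return replier, timeouts     # ICMP_TIME_EXCEEDED: scan over for this probe
        timeouts += 1                    # timeout: resend with TTL decreased by one
    return None, timeouts


# Constructed path of seven gateways; hops 2, 6 and 7 carry filtering rules.
PATH = [set(), {21, 22, 23, 80}, set(), set(), set(), {67, 68}, {25}]


def walk_all(ports=(80, 67, 25)):
    """Run the walk for each port against the constructed PATH."""
    return {port: firewalk(PATH, port) for port in ports}


if __name__ == "__main__":
    for port, (hop, timeouts) in walk_all().items():
        print(f"port {port}: blocked at hop {hop} after {timeouts} timed-out probes")
```

A rule at hop 2 costs six timed-out probes per port while a rule at hop 7 costs one, which is why blocks close to the scanner make the scan slow. In this model a port dropped by the target's own firewall gives the same result as one dropped by the last gateway.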
Scan parameters can be controlled using the firewalk.* optional arguments.
From an original idea of M. Schiffman and D. Goldsmith, authors of the firewalk tool.
Firewalk NSE Script Arguments
This is a full list of arguments supported by the firewalk.nse script:
- firewalk.max-active-probes: Maximum number of parallel active probes.
- firewalk.max-probed-ports: Maximum number of ports to probe per protocol. Set to -1 to scan every filtered port.
- firewalk.max-retries: The maximum number of allowed retransmissions.
- firewalk.probe-timeout: Validity period of a probe (in milliseconds).
- firewalk.recv-timeout: The duration of the packets capture loop (in milliseconds).
To use these script arguments, add them to the Nmap command line using the --script-args arg1=value,[arg2=value,..] syntax. For example:
nmap --script=firewalk --script-args firewalk.max-active-probes=value,firewalk.max-probed-ports=value <target>
Firewalk NSE Script Example Usage
Here are some examples of how to use the firewalk.nse script:
nmap --script=firewalk --traceroute <host>
nmap --script=firewalk --traceroute --script-args=firewalk.max-retries=1 <host>
nmap --script=firewalk --traceroute --script-args=firewalk.probe-timeout=400ms <host>
nmap --script=firewalk --traceroute --script-args=firewalk.max-probed-ports=7 <host>
Firewalk NSE Script Example Output
Here's a sample output from the firewalk.nse script:
| firewalk:
| HOP HOST         PROTOCOL BLOCKED PORTS
| 2   192.168.1.1  tcp      21-23,80
|                  udp      21-23,80
| 6   10.0.1.1     tcp      67-68
| 7   10.0.1.254   tcp      25
|_                 udp      25
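For auditing, the table above can be parsed into per-gateway port sets and compared with the rules each gateway is supposed to enforce. This is an added example, not part of Nmap or of the original page; the function names and the `BASELINE` policy are constructed for illustration.

```python
# Added example: turn the firewalk table into data and diff it against a baseline.
SAMPLE = """\
| firewalk:
| HOP HOST         PROTOCOL BLOCKED PORTS
| 2   192.168.1.1  tcp      21-23,80
|                  udp      21-23,80
| 6   10.0.1.1     tcp      67-68
| 7   10.0.1.254   tcp      25
|_                 udp      25
"""
# Constructed policy: ports each gateway is supposed to drop.
BASELINE = {("192.168.1.1", "tcp"): "21-23,80,445", ("10.0.1.254", "udp"): "25"}

def expand_ports(spec):
    """'21-23,80' -> {21, 22, 23, 80}"""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def parse_firewalk(text):
    """Return {(hop, host, proto): set of blocked ports}."""
    rules, hop, host = {}, None, None
    for line in text.splitlines():
        fields = line.lstrip("|_ ").split()
        if len(fields) == 4 and fields[0].isdigit():
            hop, host = int(fields[0]), fields[1]   # new gateway row
            proto, spec = fields[2], fields[3]
        elif len(fields) == 2 and fields[0] in ("tcp", "udp") and hop is not None:
            proto, spec = fields                    # continuation row: same gateway
        else:
            continue                                # script name, header, other output
        rules[(hop, host, proto)] = expand_ports(spec)
    return rules

def not_seen_blocked(rules, baseline):
    """Ports the baseline expects a gateway to drop that the scan did not report there."""
    gaps = {}
    for (host, proto), spec in baseline.items():
        seen = set()
        for (_, h, p), ports in rules.items():
            if (h, p) == (host, proto):
                seen |= ports
        missing = expand_ports(spec) - seen
        if missing:
            gaps[(host, proto)] = sorted(missing)
    return gaps
```

A port listed by `not_seen_blocked` is a lead to check, not proof that the gateway forwards it: the script only probes filtered ports, up to firewalk.max-probed-ports per protocol, and an earlier hop may drop the probe first.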
Firewalk NSE Script Example XML Output
There is no sample XML output for this module. However, by providing the -oX <file> option, Nmap will produce an XML output and save it in the file.xml file.
Author
- Henri Doreau
References
- https://nmap.org/nsedoc/scripts/firewalk.html
- https://github.com/nmap/nmap/tree/master/scripts/firewalk.nse
See Also
Visit Nmap NSE Library for more scripts.
The firewalk.nse script may fail with the following error messages. The code snippets below, taken from the script source code, show where each message is raised and can often help in identifying the root cause of the problem. All of these messages are emitted with stdnse.debug1, so they appear only when Nmap runs with debugging enabled (-d).
Invalid reply to port %d/tcp
Here is the relevant code snippet for the "Invalid reply to port %d/tcp" error message (lines 192-202 of firewalk.nse):
        table.remove(scanner.active_probes, i)
      end
    end

  else
    stdnse.debug1("Invalid reply to port %d/tcp", ip2.tcp_dport)
  end
end,

--- create a TCP probe packet
-- @param host Host object that represents the destination
Invalid reply to port %d/udp
Here is the relevant code snippet for the "Invalid reply to port %d/udp" error message (lines 255-265 of firewalk.nse):
        table.remove(scanner.active_probes, i)
      end
    end

  else
    stdnse.debug1("Invalid reply to port %d/udp", ip2.udp_dport)
  end

end,

--- create a generic UDP probe packet, with IP ttl and destination port set to zero
Invalid reply to port %d/tcp
Here is the relevant code snippet for the second occurrence of the "Invalid reply to port %d/tcp" error message (lines 319-329 of firewalk.nse):
        table.remove(scanner.active_probes, i)
      end
    end

  else
    stdnse.debug1("Invalid reply to port %d/tcp", ip2.tcp_dport)
  end
end,

--- create a TCP probe packet
-- @param host Host object that represents the destination
Invalid reply to port %d/udp
Here is the relevant code snippet for the second occurrence of the "Invalid reply to port %d/udp" error message (lines 380-390 of firewalk.nse):
        table.remove(scanner.active_probes, i)
      end
    end

  else
    stdnse.debug1("Invalid reply to port %d/udp", ip2.udp_dport)
  end

end,

--- create a generic UDP probe packet, with IP ttl and destination port set to zero
Invalid protocol for reply (%d)
Here is the relevant code snippet for the "Invalid protocol for reply (%d)" error message (lines 482-491 of firewalk.nse):
      local proto_func = proto_vtable[proto2str(ip2.ip_p)]
      if proto_func then
        -- mark port as forwarded and discard any related pending probes
        proto_func.update_scan(scanner, ip, ip2)
      else
        stdnse.debug1("Invalid protocol for reply (%d)", ip2.ip_p)
      end
    end
  end,
}
Invalid protocol for reply (%d)
Here is the relevant code snippet for the second occurrence of the "Invalid protocol for reply (%d)" error message (lines 548-557 of firewalk.nse):
      local proto_func = proto_vtable[proto2str(ip2.ip_p)]
      if proto_func then
        -- mark port as forwarded and discard any related pending probes
        proto_func.update_scan(scanner, ip, ip2)
      else
        stdnse.debug1("Invalid protocol for reply (%d)", ip2.ip_p)
      end
    end
  end,
}
Invalid time specification for option: firewalk.recv-timeout (%s)
Here is the relevant code snippet for the "Invalid time specification for option: firewalk.recv-timeout (%s)" error message (lines 639-649 of firewalk.nse):
if timespec then

  RecvTimeout = parse_timespec_ms(timespec)

  if not RecvTimeout then
    stdnse.debug1("Invalid time specification for option: firewalk.recv-timeout (%s)", timespec)
    return false
  end

else
  -- no value supplied: use default
Invalid time specification for option: firewalk.probe-timeout (%s)
Here is the relevant code snippet for the "Invalid time specification for option: firewalk.probe-timeout (%s)" error message (lines 656-666 of firewalk.nse):
if timespec then

  ProbeTimeout = parse_timespec_ms(timespec)

  if not ProbeTimeout then
    stdnse.debug1("Invalid time specification for option: firewalk.probe-timeout (%s)", timespec)
    return false
  end

else
  -- no value supplied: use default
Version
This page has been created based on Nmap version 7.92.