firewalk
Script type:
hostrule
Categories:
safe, discovery
Download: http://nmap.org/svn/scripts/firewalk.nse
Tries to discover firewall rules using an IP TTL expiration technique known as firewalking.
To determine a rule on a given gateway, the scanner sends a probe to a metric located behind the gateway, with a TTL one higher than the gateway. If the probe is forwarded by the gateway, then we can expect to receive an ICMP_TIME_EXCEEDED reply from the gateway's next hop router, or possibly from the metric itself if it is directly connected to the gateway. Otherwise, the probe will time out.
It starts with a TTL equal to the distance to the target. If the probe times out, it is resent with a TTL decreased by one. If we get an ICMP_TIME_EXCEEDED, then the scan is over for this probe.
Every "no-reply" filtered TCP and UDP port is probed. As with UDP scans, this process can be quite slow if many ports are blocked by a gateway close to the scanner.
Scan parameters can be controlled using the firewalk.* optional arguments.
From an original idea of M. Schiffman and D. Goldsmith, authors of the firewalk tool.
firewalk.max-probed-ports: maximum number of ports to probe per protocol. Set to -1 to scan every filtered port.
firewalk.max-retries: the maximum number of allowed retransmissions.
firewalk.recv-timeout: the duration of the packet capture loop (in milliseconds).
firewalk.max-active-probes: maximum number of parallel active probes.
firewalk.probe-timeout: validity period of a probe (in milliseconds).
Usage
nmap --script=firewalk --traceroute <host>
nmap --script=firewalk --traceroute --script-args=firewalk.max-retries=1 <host>
nmap --script=firewalk --traceroute --script-args=firewalk.probe-timeout=400ms <host>
nmap --script=firewalk --traceroute --script-args=firewalk.max-probed-ports=7 <host>
| firewalk:
| HOP HOST         PROTOCOL  BLOCKED PORTS
| 2   192.168.1.1  tcp       21-23,80
|                  udp       21-23,80
| 6   10.0.1.1     tcp       67-68
| 7   10.0.1.254   tcp       25
|_                 udp       25
Author: Henri Doreau
License: compiled by VER007 http://www.ver007.com
firewalk entry point
host rule, checks for requirements before launching the script