Category: Information Gathering. Tags: reconnaissance, network, firewall, acl, scanner, tcp, udp

Firewalk

Firewalk is an active reconnaissance network security tool that determines what layer 4 protocols a given IP forwarding device will pass. It helps assess the security configuration of packet filtering devices like firewalls.

Description

Firewalk is an active reconnaissance network security tool designed to identify what TCP or UDP protocols a gateway or firewall will allow through. It is particularly useful for network security assessments, such as penetration tests, where understanding firewall rules and ACLs is crucial.

The tool works by sending packets with manipulated TTL values to map the network path and detect filtering behavior. It does not require reaching the ultimate destination host, only that it is downstream from the gateway being tested. This makes it efficient for probing firewall configurations without deep network traversal.

Firewalk is relevant for pentests and security audits of packet filtering devices, providing insights into open ports and protocol permissions beyond the gateway.

How It Works

Firewalk sends TCP or UDP packets with a TTL one hop greater than that of the targeted gateway. If the gateway's ACL allows the packet, it forwards it to the next hop, where the TTL expires and elicits an ICMP_TIME_EXCEEDED message; if the gateway drops it, no response comes back. A run has two phases. In the ramping phase, Firewalk increases the hop count step by step, as traceroute does, until it finds the TTL at which packets expire exactly one hop beyond the gateway. Once bound to that hop count, the scanning phase probes each specified port and interprets the responses (a time-exceeded reply versus silence) to report which ports the gateway passes and which it filters.

Installation

```bash
sudo apt install firewalk
```

Flags

| Flag | Argument | Description |
|------|----------|-------------|
| `-d` | `0 - 65535` | destination port to use (ramping phase) |
| `-h` | | program help |
| `-i` | `device` | interface |
| `-n` | | do not resolve IP addresses into hostnames |
| `-p` | `TCP` or `UDP` | firewalk protocol |
| `-r` | | strict RFC adherence |
| `-S` | `x - y, z` | port range to scan |
| `-s` | `0 - 65535` | source port |
| `-T` | `1 - 1000` | packet read timeout in ms |
| `-t` | `1 - 25` | IP time to live |
| `-v` | | program version |
| `-x` | `1 - 8` | expire vector |

Examples

Scan ports 8079-8081 through the eth0 interface, do not resolve hostnames, and use TCP via the gateway 192.168.1.1 against the target IP 192.168.0.1:

```bash
firewalk -S8079-8081 -i eth0 -n -pTCP 192.168.1.1 192.168.0.1
```

Display program help and usage information:

```bash
firewalk --help
```

Perform a TCP scan through the eth0 interface using gateway 192.168.1.1 and metric 192.168.0.1 with the default ports:

```bash
firewalk -i eth0 -pTCP 192.168.1.1 192.168.0.1
```

Scan UDP ports 80 and 443 without hostname resolution via gateway 10.0.0.1 to metric 10.1.0.1:

```bash
firewalk -S80,443 -n -pUDP 10.0.0.1 10.1.0.1
```

TCP scan through the wlan0 interface with TTL 10 via gateway 192.168.1.1 to metric 192.168.2.1:

```bash
firewalk -i wlan0 -pTCP -t 10 192.168.1.1 192.168.2.1
```

Scan the first 1024 TCP ports without resolution and with a 500 ms timeout via gateway 172.16.1.1 to metric 172.16.2.1:

```bash
firewalk -S1-1024 -n -pTCP -T 500 172.16.1.1 172.16.2.1
```

Strict RFC UDP scan via gateway 192.168.1.254 to metric 192.168.0.254:

```bash
firewalk -r -pUDP 192.168.1.254 192.168.0.254
```
Updated 2026-04-16 (source: kali.org)