We also can engage in what's known as firewalking. Firewalking is a technique, as we talk about here, that lets us do network mapping but uses the concept of what's known as traceroute, which is a program that we can use that will look at the hop count. Hops are moving from one machine or one connectivity gateway or device to another. So from myself, if I go to the router, the default gateway on my local network, that's a single hop. Through that router to the next router is another hop. And so on and so on down the road until I get to where I want to be. We're mapping out the hops by pinging, walking through the connection trail. Looking at each response at each stop on the highway there, marking it down and saying, that's the next stop. That's hop four, that's hop five, etc.

In Windows, you can go to a command line. You can use the traceroute program, or tracert, to be able to do this. There are third-party programs that do this. It's a common networking tool. Using traceroute, we can discover which services are filtering, acting as firewalls, acting as routers, things like that. And we can map out where our ping trail will effectively end. Because if we ping a common front-end gateway address or a common domain name like www.isc2.org, and we see how far from our machine internally we can go as we try to walk through that system, we'll be able to map out and get a sense of all the connection points, all the hops in between, and that's exactly what firewalking is.

If we take a look at how this will work, we can do the following. So if we want to understand how it will work, we can go to a Windows command prompt, as you see here. Just type in the word tracert, that's the name of the program in Windows. If we do a /?, we'll be able to get the little help file. We'll be able to see what's going on there. We've got some different switches. -d, do not resolve addresses to host names. -h, maximum hop count, things like that.
So if we did something like www.isc2.org, and we did that, and we wait. It'll go out for a maximum of 30 hops, so it may take a minute or two to figure that out depending on where we are and how quickly it will happen. You'll see that we can begin to walk from our IP address at the top of the line right here, 192.168.1.1, that's my machine locally. We're tracing to the resolved IP address for isc2.org, 68.177.216.201, that's the IP address of the web server that is hosting the isc2.org website. And you see we're tracing through that, and so far it's taken eight hops and we've gone that far. We are waiting on hop number nine now.

Now we can see some interesting things about this. We'll let this just play out for a minute just to make sure we're done, because I think we may actually wind up being done here. But let's just give it a chance. We may have hit the firewall. And it looks like we probably have, so let's just let that go across, and then we're going to break that real quick. And I'm going to just quickly show you something here. I'm just going to use Ctrl+C to break that, stop it, because it'll go on for another 20 or so hops, getting nothing before it finalizes and times out.

But what it shows us is that we go from our local machine out to whatever our provider's gateway is. And we could see some information about it, Tampa, Florida. And then from Tampa, Florida, Verizon.gni.net. We're moving through the Verizon network. We hit a timed-out line here where there probably was either a dropped packet or the interim hop between the two for some reason was not responding. And then we are moving into Miami. So we're going down to Miami on alter.net. We're then resolving to an IP device, some sort of gateway, most likely. We're then moving back into inet.qwest.net, back up to, let's see here. Yeah, so there, and then from there, we're jumping into what looks like 62.236.49.148.
That is most likely going to be a gateway device of some kind that is on the network where the web server is, but it's a border device that is effectively blocking inbound ping requests or trace requests at that point. That could be from the ISP, most likely, don't know for sure. But what we know is that we can go through a total of eight hops before our request is stopped. This alone gives me some valuable information potentially with firewalk. Here's what it tells me: this device right here, just mark that so you can see that, that device right there is going to be the gatekeeper. That's the device that the web server sits behind, and I'm not sure what that device is, but I know it's probably some sort of firewall, it may be a router, maybe some sort of border gateway system, but that's not going to allow me to go any further if I want to get to that web server. That could be the front end to the DMZ. We'd have to do more probing to figure it out.

But I know some valuable information now. I know the IP address of the web server. I know that it sits behind a device somewhere in this area. And I have a general idea of the path that I took to get there. So I can start to geolocate and figure out where the system is hosted. I may want to know that because I may want to see if I can get into the data center and gain access to it that way. There are all these different things I may do when I'm going through and attempting to do the planning and the reconnaissance before I actually engage in the attack. So this is how firewalking would work. And this is one of the ways, again, in which we can do network mapping.

In Phase three, Information Evaluation and Risk Analysis. Remember we're still gathering, right?
Pulling all this stuff in, getting it on the table, putting it in a basket, organizing it, getting it ready so when we go active in phase four, right, where we're going to go in and we're actually going to start taking advantage of all this information, we're prepared, right? The Boy Scout motto, always be prepared. So in information evaluation and risk analysis, before active penetration, we're going to evaluate the findings, do a risk analysis on all the information we've gathered. What's the likelihood we'll be successful over here? Well, it looks like we'll be pretty successful at this point over here. We definitively know this information. We're totally guessing about this thing over here, we have no clue. Probably shouldn't pay any attention to it. Chances are good that it's just not going to be good for us. It's going to be a waste of our time. We're going to go ahead and we're going to take a look at stuff. And we're going to try to prioritize our activities so that with the least amount of effort and the least likelihood of being exposed, we can maximize the return on the investment and gain advantage. That's what we're doing in phase three.
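
Returning to the tracert walk-through earlier in this lecture: the following is an added example, not part of the original lecture, showing how to read such a trace of your own perimeter programmatically and tell an isolated interim timeout apart from the point where a border device stops answering. The sample output is constructed (documentation addresses, IPv4 only), and the function names `parse_hops` and `summarize` are hypothetical.

```python
import re

# Constructed sample in Windows tracert format (documentation addresses, not a real trace).
SAMPLE = """\
Tracing route to www.example.org [203.0.113.201]
over a maximum of 30 hops:

  1     1 ms    <1 ms     1 ms  192.168.1.1
  2     8 ms     7 ms     9 ms  gw.isp.example [198.51.100.1]
  3     *        *        *     Request timed out.
  4    30 ms    29 ms    31 ms  core.transit.example [192.0.2.17]
  5    35 ms     *       35 ms  192.0.2.148
  6     *        *        *     Request timed out.
  7     *        *        *     Request timed out.
  8     *        *        *     Request timed out.
"""

HOP = re.compile(r"^\s*(\d+)\s+(.*)$")                      # "<hop number> <rest of line>"
ADDR = re.compile(r"\[?(\d{1,3}(?:\.\d{1,3}){3})\]?\s*$")   # trailing IPv4, bracketed or bare

def parse_hops(text):
    """Return [(hop_number, address or None)]; None means the hop stayed silent."""
    hops = []
    for line in text.splitlines():
        m = HOP.match(line)
        if not m:
            continue  # header and blank lines
        addr = ADDR.search(m.group(2))
        hops.append((int(m.group(1)), addr.group(1) if addr else None))
    return hops

def summarize(hops, min_trailing=3):
    """Separate isolated silent hops from the terminal run of silence."""
    answered = [n for n, a in hops if a]
    last = max(answered) if answered else 0
    trailing = [n for n, a in hops if n > last]            # silence after the last reply
    gaps = [n for n, a in hops if a is None and n < last]  # silence followed by later replies
    return {
        "last_responder": dict(hops).get(last),
        "last_hop": last,
        "interim_gaps": gaps,
        "filtered_after": len(trailing) >= min_trailing,
    }

if __name__ == "__main__":
    print(summarize(parse_hops(SAMPLE)))
```
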