About Firewalking:

  • It portscans a system behind a firewall without ever actually connecting to that system.
  • It does not list the ports that are open, like a typical portscan would.
  • It lists ports for that system that are allowed to communicate through the firewall.
  • The scanner sends packets with a Time-To-Live (TTL) set to expire one hop past the firewall.
  • If the hacker receives an ICMP Time Exceeded (TTL expired) message for a port, then that port is allowed to communicate through the firewall.

Because the hacker never touches the system, firewalking is not recorded in the system's logs.
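
Since the target system's logs show nothing, the firewall itself is where this traffic can be seen. The following is an added detection example, not part of the original notes. It assumes the firewall logs the TTL of each packet on arrival and acts as a routing hop, so a packet meant to expire one hop past it arrives with a TTL of 2. The function name, thresholds and sample records are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample records, as a firewall's outside interface might log them:
# (source IP, destination IP, destination port, TTL on arrival).
# All addresses come from documentation ranges.
SAMPLE_RECORDS = [
    # One source probing many ports, every packet about to expire.
    ("198.51.100.7", "192.0.2.10", 21, 2),
    ("198.51.100.7", "192.0.2.10", 22, 2),
    ("198.51.100.7", "192.0.2.10", 23, 2),
    ("198.51.100.7", "192.0.2.10", 25, 2),
    ("198.51.100.7", "192.0.2.10", 80, 2),
    ("198.51.100.7", "192.0.2.10", 443, 2),
    ("198.51.100.7", "192.0.2.10", 443, 2),   # retry, same port
    # Ordinary client traffic: TTL is far from expiry on arrival.
    ("203.0.113.20", "192.0.2.10", 443, 52),
    ("203.0.113.20", "192.0.2.10", 443, 51),
    # A couple of low-TTL packets (e.g. a path trace): below the port threshold.
    ("203.0.113.99", "192.0.2.10", 33434, 1),
    ("203.0.113.99", "192.0.2.10", 33435, 2),
]


def find_firewalk_candidates(records, max_ttl=2, min_ports=5):
    """Return {(src, dst): sorted ports} for every source/destination pair
    where near-expiry packets were sent to at least min_ports distinct ports.

    max_ttl and min_ports are illustrative thresholds (assumptions); tune them
    to where the firewall sits relative to the next internal hop.
    """
    ports_seen = defaultdict(set)
    for src, dst, dport, ttl in records:
        # Packets this close to expiry will die at or just past the firewall,
        # so they can never reach the host they are addressed to.
        if ttl <= max_ttl:
            ports_seen[(src, dst)].add(dport)
    return {
        pair: sorted(ports)
        for pair, ports in ports_seen.items()
        if len(ports) >= min_ports
    }


if __name__ == "__main__":
    for (src, dst), ports in find_firewalk_candidates(SAMPLE_RECORDS).items():
        print(f"{src} -> {dst}: near-expiry TTL on ports {ports}")
```

Outbound ICMP Time Exceeded messages going back to the same source from the hop behind the firewall are a second signal worth correlating with these hits.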