Tool Review: Firebind Reflector Walk-Through

I’m providing a walk-through of Firebind to go along with the overview that Joe has provided here.

In this scenario, we are using Firebind Reflector to test between internal subnets. To get started using Firebind Reflector, run the Java executable from the network host that will be doing the “reflecting.”

Launching Firebind from the command line.

Note that the Reflector does require Internet access, to check the license and timestamp against an external server.

License activation notice

Once Reflector is up and running, point your browser to the IP address where it resides and start your scans. There is a script repository on GitHub provided by the Firebind team so that you can start scanning right away. You can choose to use these payloads, or you can develop your own within the tool.

Connect to the reflector via web browser.

To run a scan, simply click on “Scan Applet”, enter the ports you want to test (in this case 5060-5070) and the protocol (HTTP)

Initiating a Scan

Once the scan is completed, Firebind will let you know which ports were open or closed. For this scan, ports 5065-5070 are being blocked by a firewall.

Results of a scan for ports 5065-5070.

When we run the scan once more with the firewall disabled, we get the following.

Scan Results for Ports that Failed to Connect


  • Custom payloads – useful for testing DLP systems
  • Quick and efficient; multi-threaded
  • In the cloud (scalable/high-availability for Firebind Connect)
  • Standalone and portable (Firebind Reflector)
  • Mesh configuration allows for full network egress visibility on one dashboard
  • Establishes 3-way TCP handshakes with custom payloads
  • RESTful API with multiple export options


  • In the cloud (3rd party vendor has client info for Firebind Connect/Recon)
  • Requires Internet access to activate Reflectors
  • Lacks command line options to mirror the GUI, for scripting etc (we understand this is in the works)
  • Relies on Java being installed

Firebind provides a very easy way to verify whether or not a device is be able to do what it was intended to do. It also does more than a simple TCP handshake connection like other client-only scanning solutions. By sending custom payloads over any port and “reflecting” the results, the tool is very customizable and powerful. A single instance of Reflector can handle hundreds of simultaneous clients, all performing full 65k TCP and/or UDP port tests. The client can be configured to wait any number of seconds for a reply (“Port Timeout”), and if that timer expires, the client can issue a “skip” command to Reflector to tell it to move to the next port, making it very fast and nimble. The trial version requires an Internet connection, so it may not be suitable for closed environments. The command-line options for the tool were not reviewed.