Firewall Wizards mailing list archives
Re: FIN scanning
From: "Bill Pennington" <bpennington () lucidnetworks com>
Date: Wed, 17 Nov 1999 16:06:21 -0800
You are really only trying to avoid detection when using FIN scanning. You can then go back and manually query the ports you find in a way that (hopefully) does not set off an IDS.

Bill Pennington
Consultant
Lucid NetworX

----- Original Message -----
From: Michael B. Rash <mbr () math umd edu>
To: <firewall-wizards () nfr net>
Sent: Tuesday, November 16, 1999 10:20 AM
Subject: FIN scanning
I am using nmap (which is a great program BTW; thank you Fyodor) to scan a host, and the -sF option conducts a FIN (stealth) scan against the target, which of course comes back with _many_ more "open" ports than the vanilla connect() scans. "Open" here means that a RST was not received in response to the FIN packet.

My question is this: since mounting an application layer exploit against a box will require that you can communicate over some port with regular connect() calls, what good are FIN scans? You may identify ports that are 'open' with respect to FIN packets, but to actually mount an exploit against a machine/application (other than some odd-ball FIN DoS attack or something), you will need to use connect() calls anyway, so why not simply use vanilla TCP connect() scanning instead?

Note that doing some preliminary searching on bugtraq and a couple of other sources came up with no exploits using FIN packets. All references seem to point to using FIN packets exclusively for scanning. What am I missing?

--Mike                        | "...Audiences know what to expect and that
http://www.math.umd.edu/~mbr  | is all they are prepared to believe in..."

P.S. 'hello'
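To make the "no RST means open" rule from the question concrete from the defender's side, here is an added example (my own code, not from the thread, from nmap, or from the list's authors) that reads constructed tcpdump-style lines, picks out bare FIN packets that belong to no established connection, and classifies each probed port the way the question describes: a RST back from the port means closed, silence means open or filtered. The line format, the sample addresses, and the `min_ports` threshold are assumptions made for this example.

```python
"""Spot bare-FIN probes (the packet pattern behind nmap -sF) in tcpdump-style output.

Added example, not part of the original thread. The log lines below are
constructed; the assumed line shape is tcpdump's default for TCP:
    <time> IP <src>.<sport> > <dst>.<dport>: Flags [<letters>], ...
where the flag letters are S (SYN), F (FIN), R (RST), P (PSH) and '.' (ACK).
"""
import re
from collections import defaultdict

# Only the address/port tuple and the flag letters matter for this check.
LINE_RE = re.compile(
    r'^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > '
    r'(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]'
)

# Constructed sample: one normal connection (SYN, SYN/ACK, ACK, FIN/ACK close)
# from 10.0.0.5, then three bare-FIN probes from 192.0.2.77 of which two get
# a RST (closed ports) and one gets nothing (open, or dropped by a filter).
SAMPLE_LOG = """\
10:20:01.000001 IP 10.0.0.5.40001 > 10.0.0.9.22: Flags [S], seq 1, win 64240
10:20:01.000101 IP 10.0.0.9.22 > 10.0.0.5.40001: Flags [S.], seq 2, ack 2, win 65160
10:20:01.000201 IP 10.0.0.5.40001 > 10.0.0.9.22: Flags [.], ack 1, win 502
10:20:05.000001 IP 10.0.0.5.40001 > 10.0.0.9.22: Flags [F.], seq 100, ack 200, win 502
10:20:09.000001 IP 192.0.2.77.55555 > 10.0.0.9.21: Flags [F], seq 0, win 1024
10:20:09.000002 IP 10.0.0.9.21 > 192.0.2.77.55555: Flags [R.], seq 0, ack 1, win 0
10:20:09.000003 IP 192.0.2.77.55555 > 10.0.0.9.22: Flags [F], seq 0, win 1024
10:20:09.000004 IP 192.0.2.77.55555 > 10.0.0.9.80: Flags [F], seq 0, win 1024
10:20:09.000005 IP 10.0.0.9.80 > 192.0.2.77.55555: Flags [R.], seq 0, ack 1, win 0
"""


def parse_line(line):
    """Return {src, sport, dst, dport, flags} for a TCP line, or None otherwise."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pkt = m.groupdict()
    pkt["sport"] = int(pkt["sport"])
    pkt["dport"] = int(pkt["dport"])
    return pkt


def analyze(log_text, min_ports=2):
    """Group bare-FIN probes by source and classify each probed port.

    A legitimate close always carries ACK (tcpdump shows 'F.'), so a packet
    whose only flag is F never belongs to a real connection. A RST sent back
    from the probed port means the port was closed; no reply means the port
    is open, or a filter silently dropped the probe (nmap's open|filtered).
    Sources that probed fewer than min_ports distinct ports are ignored.
    """
    probes = {}  # (src, sport, dst, dport) -> True once a RST came back
    for line in log_text.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if pkt["flags"] == "F":
            probes.setdefault(key, False)
        elif "R" in pkt["flags"]:
            # Reverse the tuple: a RST from dst:dport to src:sport answers the probe.
            reverse = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
            if reverse in probes:
                probes[reverse] = True

    per_source = defaultdict(lambda: {"closed": [], "no_response": []})
    for (src, _sport, _dst, dport), answered in probes.items():
        per_source[src]["closed" if answered else "no_response"].append(dport)
    for report in per_source.values():
        report["closed"].sort()
        report["no_response"].sort()
    return {
        src: report
        for src, report in per_source.items()
        if len(report["closed"]) + len(report["no_response"]) >= min_ports
    }


if __name__ == "__main__":
    for src, report in analyze(SAMPLE_LOG).items():
        print(f"{src}: closed={report['closed']} open|filtered={report['no_response']}")
```

The `no_response` bucket lumps genuinely open ports together with probes a firewall dropped without answering, which is why a FIN scan lists far more "open" ports than a connect() scan against the same host; a detector that keys on bare FIN packets, rather than on completed handshakes, is what catches the scan Bill describes as the one meant to slip past an IDS.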
Current thread:
- FIN scanning Michael B. Rash (Nov 17)
- Re: FIN scanning Bill Pennington (Nov 17)
- <Possible follow-ups>
- Re: FIN scanning Robert Graham (Nov 17)
- Re: FIN scanning Michael B. Rash (Nov 21)
- RE: FIN scanning LeGrow, Matt (Nov 17)