Firewall Wizards mailing list archives
RE: FIN scanning
From: "LeGrow, Matt" <Matt_LeGrow () NAI com>
Date: Wed, 17 Nov 1999 14:42:22 -0800
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Mike,

Here stealth is the idea. If you use connect() the connection will complete and most likely the application that you are connecting to might also register the connection, along with the IP that you are connecting with. Using FIN [theoretically] avoids that hassle and makes you harder to detect. If you are evil, you may then coldly calculate what exploit you will run or what ports have applications that are likely exploitable without the host ever having any idea or warning that you were actually scanning him/her.

Matt LeGrow
Network Associates, Inc.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Note: Opinions expressed herein are most certainly NOT that of my employer:-)
-----Original Message-----
From: Michael B. Rash [mailto:mbr () math umd edu]
Sent: Tuesday, November 16, 1999 1:21 PM
To: firewall-wizards () nfr net
Subject: FIN scanning

I am using nmap (which is a great program BTW; thank you Fyodor) to scan a host and the -sF option conducts a FIN (stealth) scan against the target which of course comes back with _many_ more "open" ports than the vanilla connect() scans. "Open" here means that a RST was not received in response to the FIN packet.

My question is this: since mounting an application layer exploit against a box will require that you can communicate over some port with regular connect() calls, what good are FIN scans? You may identify ports that are 'open' with respect to FIN packets, but to actually mount an exploit against a machine/application (other than some odd-ball FIN DoS attack or something), you will need to use connect() calls anyway, so why not simply use vanilla TCP connect() scanning instead?

Note that doing some preliminary searching on bugtraq and a couple of other sources comes up with no exploits using FIN packets. All references seem to point to using FIN packets exclusively for scanning. What am I missing?

--Mike                        | "...Audiences know what to expect and that
http://www.math.umd.edu/~mbr  | is all they are prepared to believe in..."

P.S. 'hello'
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.1
Comment: Crypto Provided by Network Associates <http://www.nai.com>

iQA/AwUBODMvT/bW52zw8/NBEQIpYQCg8zNpwe/dqxpSavN3+QpR874vdq8AoKrl
QZn22/2SirL3b1LkeEUg9IEv
=AjXh
-----END PGP SIGNATURE-----
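The exchange above hinges on two facts: why a bare-FIN probe gets a RST only from closed ports (so nmap reports "open" for anything that stays silent), and how a defender can see such probes even though no connection is ever logged by the application. The following Python is an added example, not code from the thread or from nmap. The first half models the RFC 793 LISTEN/CLOSED behaviour that makes the scan work; the second half runs a detector over constructed tcpdump-style lines, keying on the one property legitimate traffic never has (a FIN with no ACK). All hosts, ports and log lines are constructed.

```python
"""Added example, not from the thread or from nmap: a model of why a bare-FIN
probe is answered only by closed ports, plus a detector for such probes in
tcpdump-style output. Every address, port and log line below is constructed."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset  # subset of {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def respond(listening_ports, seg):
    """Model a BSD-derived stack's reply to an unsolicited segment (no
    connection exists yet). Returns the reply, or None for a silent drop."""
    if seg.dport not in listening_ports:
        return "RST"  # CLOSED port: RFC 793 answers anything but a RST with a RST
    if "SYN" in seg.flags and "ACK" not in seg.flags:
        return "SYN-ACK"  # LISTEN: normal handshake, which is what connect() triggers
    if "ACK" in seg.flags:
        return "RST"  # LISTEN: a stray ACK is rejected with a RST
    # LISTEN: a segment with neither SYN nor ACK (a bare FIN) is dropped silently.
    # Caveat: stacks such as Windows send a RST here as well, so on those hosts a
    # FIN scan reports every port as closed and learns nothing.
    return None


def fin_scan_result(listening_ports, dport):
    """What one FIN probe tells the sender: a RST means closed, silence means
    open or filtered (nmap prints this as 'open|filtered')."""
    probe = Segment("scanner", "target", 40000, dport, frozenset({"FIN"}))
    return "closed" if respond(listening_ports, probe) == "RST" else "open|filtered"


# tcpdump flag letters; '.' is ACK
FLAG_NAMES = {"S": "SYN", "F": "FIN", "R": "RST", "P": "PSH", "U": "URG", ".": "ACK"}
LINE_RE = re.compile(r"^\S+ IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([SFRPU.]+)\]")


def parse_line(line):
    """Parse one tcpdump line into a Segment, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src, sport, dst, dport, flags = m.groups()
    return Segment(src, dst, int(sport), int(dport), frozenset(FLAG_NAMES[c] for c in flags))


def find_fin_scanners(log_text, min_ports=3):
    """Return (src, dst) pairs that sent FIN-only segments to >= min_ports ports.
    A FIN inside a real connection always carries ACK, so FIN without ACK never
    occurs in legitimate traffic; this is the wire signature of nmap -sF."""
    ports_by_pair = defaultdict(set)
    for line in log_text.splitlines():
        seg = parse_line(line)
        if seg and seg.flags == {"FIN"}:
            ports_by_pair[(seg.src, seg.dst)].add(seg.dport)
    return {pair: sorted(p) for pair, p in ports_by_pair.items() if len(p) >= min_ports}


# Constructed capture: 10.0.0.5 FIN-probes four ports on 10.0.0.9 (only the
# closed port 25 answers with a RST); 10.0.0.7 makes a normal connection to
# port 80 and closes it with FIN+ACK, which must not be flagged.
SAMPLE_LOG = """\
13:21:05.000001 IP 10.0.0.5.40000 > 10.0.0.9.22: Flags [F], seq 0, win 1024, length 0
13:21:05.000203 IP 10.0.0.5.40000 > 10.0.0.9.25: Flags [F], seq 0, win 1024, length 0
13:21:05.000412 IP 10.0.0.9.25 > 10.0.0.5.40000: Flags [R.], seq 0, ack 1, win 0, length 0
13:21:05.000617 IP 10.0.0.5.40000 > 10.0.0.9.80: Flags [F], seq 0, win 1024, length 0
13:21:05.000829 IP 10.0.0.5.40000 > 10.0.0.9.443: Flags [F], seq 0, win 1024, length 0
13:21:06.100000 IP 10.0.0.7.51234 > 10.0.0.9.80: Flags [S], seq 100, win 65535, length 0
13:21:06.100200 IP 10.0.0.9.80 > 10.0.0.7.51234: Flags [S.], seq 200, ack 101, win 65535, length 0
13:21:06.100400 IP 10.0.0.7.51234 > 10.0.0.9.80: Flags [.], ack 1, win 65535, length 0
13:21:06.900000 IP 10.0.0.7.51234 > 10.0.0.9.80: Flags [F.], seq 1, ack 1, win 65535, length 0
"""

if __name__ == "__main__":
    for port in (22, 25):
        print(port, fin_scan_result({22, 80, 443}, port))
    print(find_fin_scanners(SAMPLE_LOG))
```

The detector answers the question of where the "stealth" actually ends: the application never sees a connect(), so its logs stay empty, but a packet-level sensor (tcpdump, an IDS, or a stateful firewall that drops segments not belonging to a tracked connection) sees every probe, because a FIN with no ACK cannot belong to any established session.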
Current thread:
- FIN scanning Michael B. Rash (Nov 17)
- Re: FIN scanning Bill Pennington (Nov 17)
- <Possible follow-ups>
- Re: FIN scanning Robert Graham (Nov 17)
- Re: FIN scanning Michael B. Rash (Nov 21)
- RE: FIN scanning LeGrow, Matt (Nov 17)