Firewall Wizards mailing list archives

RE: FIN scanning


From: "LeGrow, Matt" <Matt_LeGrow () NAI com>
Date: Wed, 17 Nov 1999 14:42:22 -0800

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Mike,

Here stealth is the idea.  If you use connect() the connection will
complete and most likely the application that you are connecting to
might also register the connection, along with the IP that you are
connecting with.  Using FIN [theoretically] avoids that hassle and
makes you harder to detect.  

If you are evil, you may then coldly calculate what exploit you will
run or what ports have applications that are likely exploitable
without the host ever having any idea or warning that you were
actually scanning him/her.

Matt LeGrow
Network Associates, Inc.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Note: Opinions expressed herein are most certainly NOT that of my
employer:-)


-----Original Message-----
From: Michael B. Rash [mailto:mbr () math umd edu]
Sent: Tuesday, November 16, 1999 1:21 PM
To: firewall-wizards () nfr net
Subject: FIN scanning



I am using nmap (which is a great program BTW; thank you Fyodor) to scan a
host and the -sF option conducts a FIN (stealth) scan against the target
which of course comes back with _many_ more "open" ports than the vanilla
connect() scans.  "Open" here means that a RST was not received in
response to the FIN packet.

My question is this:  since mounting an application layer exploit against
a box will require that you can communicate over some port with regular
connect() calls, what good are FIN scans?  You may identify ports that are
'open' with respect to FIN packets, but to actually mount an exploit
against a machine/application (other than some odd-ball FIN DoS attack or
something), you will need to use connect() calls anyway, so why not simply
use vanilla TCP connect() scanning instead?  Note that doing some
preliminary searching on bugtraq and a couple of other sources comes up
with no exploits using FIN packets.  All references seem to point to using
FIN packets exclusively for scanning.  What am I missing?

--Mike                        | "...Audiences know what to expect and that
http://www.math.umd.edu/~mbr  | is all they are prepared to believe in..."

P.S.  'hello'


-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.1
Comment: Crypto Provided by Network Associates <http://www.nai.com>

iQA/AwUBODMvT/bW52zw8/NBEQIpYQCg8zNpwe/dqxpSavN3+QpR874vdq8AoKrl
QZn22/2SirL3b1LkeEUg9IEv
=AjXh
-----END PGP SIGNATURE-----
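The behaviour both posters are describing follows from the RFC 793 reset rules that nmap's -sF relies on: a segment arriving at a closed port is answered with a RST, while a listening port silently drops a FIN that carries no SYN, so "no RST" is all a FIN scan ever learns. The Python model below is an added illustration, not part of the original thread and not nmap's code; it sends no packets, and its host, ports, addresses and application log are constructed for the example. It shows why a FIN scan reports filtered and listening ports alike as "open", why a connect() scan leaves a record in the application, and (via the rfc793_compliant flag, an assumption of the model) what happens on stacks that answer every FIN with a RST, which nmap's documentation notes for several non-RFC-compliant systems.

```python
"""Model of FIN scanning versus connect() scanning against one host.

Constructed example: no network traffic is generated. The Host follows the
RFC 793 "Reset Generation" rules: a segment to a CLOSED port gets a RST
(unless it is itself a RST); a LISTEN port answers SYN with SYN/ACK and
drops a FIN-only segment. FILTERED models a firewall dropping everything.
"""
from dataclasses import dataclass, field

CLOSED, LISTEN, FILTERED = "closed", "listen", "filtered"


@dataclass
class Host:
    ports: dict                       # port -> state; unlisted ports are CLOSED
    rfc793_compliant: bool = True     # False: stack RSTs on FIN regardless of state
    app_log: list = field(default_factory=list)  # what a listening app would record

    def state(self, port):
        return self.ports.get(port, CLOSED)

    def respond(self, src_ip, port, flags):
        """Return the flag set of the reply segment, or None if nothing is sent."""
        st = self.state(port)
        if st == FILTERED:                 # firewall drops the probe outright
            return None
        if st == CLOSED:                   # RFC 793: reset anything but a RST
            return None if "RST" in flags else {"RST", "ACK"}
        # LISTEN
        if "SYN" in flags:
            return {"SYN", "ACK"}
        if "FIN" in flags:
            # Compliant stacks ignore a FIN with no connection; others RST it.
            return None if self.rfc793_compliant else {"RST", "ACK"}
        return None

    def accept(self, src_ip, port):
        """Reached only when a handshake completes: the application sees the peer."""
        self.app_log.append((src_ip, port))


def fin_scan(host, src_ip, ports):
    """nmap -sF logic: RST means closed; silence is 'open|filtered'."""
    result = {}
    for p in ports:
        reply = host.respond(src_ip, p, {"FIN"})
        result[p] = "closed" if reply and "RST" in reply else "open|filtered"
    return result


def connect_scan(host, src_ip, ports):
    """connect() logic: full handshake, so every open port's application logs us."""
    result = {}
    for p in ports:
        reply = host.respond(src_ip, p, {"SYN"})
        if reply is None:
            result[p] = "filtered"
        elif "RST" in reply:
            result[p] = "closed"
        else:
            host.accept(src_ip, p)         # SYN/ACK seen; third ACK completes it
            result[p] = "open"
    return result


def demo():
    """Scan a constructed host both ways and return (fin, connect, app_log)."""
    target = Host({22: LISTEN, 80: LISTEN, 443: FILTERED})
    scanner = "10.0.0.5"                   # constructed scanner address
    fin = fin_scan(target, scanner, [22, 80, 443, 8080])
    con = connect_scan(target, scanner, [22, 80, 443, 8080])
    return fin, con, list(target.app_log)


if __name__ == "__main__":
    fin, con, log = demo()
    print("FIN scan:    ", fin)
    print("connect scan:", con)
    print("app log:     ", log)
```

Running demo() shows the asymmetry Mike noticed: the FIN scan cannot separate the two listening ports from the firewalled one, so all three come back "open|filtered", while the connect() scan pins them down but leaves the scanner's address in the application log of every open port. Against a Host built with rfc793_compliant=False, the FIN scan reports every port closed, which is the caveat a practitioner should check before trusting -sF results.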


