Vulnerability Development mailing list archives

Re: Firewall bypassing tool


From: Fyodor <fyodor () insecure org>
Date: Mon, 4 Nov 2002 10:07:44 -0800

On Sun, Nov 03, 2002 at 05:02:49PM -0600, Frank Knobbe wrote:
> On Fri, 2002-11-01 at 13:38, Michael Katz wrote:
> > At 11/1/2002 03:28 AM, d_fence wrote:
> >
> > One of the options for scanning is -sF, which will send SYN-FIN
> > packets.  You can also use -sA, which will send SYN-ACK packets.
>
> I was about to post the same, but thought I'd validate first. To me it
> seemed that nmap sends a packet with the FIN flag set. I did not see the
> SYN flag set in addition to FIN, so nmap is not an answer to his
> question.

Nmap has an undocumented --scanflags option which allows you to
specify arbitrary flags using the flag names or a number.  Thus a
SYN-FIN scan can be done as follows:

felix~#nmap -sS --scanflags SYNFIN -O db

Starting nmap V. 3.10ALPHA3 ( www.insecure.org/nmap/ )
Interesting ports on db.yuma.net (192.168.0.4):
(The 1601 ports scanned but not shown below are in state: closed)
Port       State       Service
22/tcp     open        ssh                     
111/tcp    open        sunrpc                  
1024/tcp   open        kdm                     
Remote operating system guess: Linux Kernel 2.4.0 - 2.5.20
Uptime 58.471 days (since Fri Sep  6 23:45:12 2002)

Nmap run completed -- 1 IP address (1 host up) scanned in 10.651 seconds

Note that "-sS" causes this scan to use "SYN Scan" semantics (e.g.
treating SYN|ACK responses as open ports).  For FIN scan semantics
(dropped packets signify open ports, RST for closed ones) just specify
"-sF" instead.

Cheers,
Fyodor
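The two points in Fyodor's reply, that a probe can carry an arbitrary flag set such as SYN+FIN and that the port-state interpretation depends on which scan semantics (-sS or -sF) are applied, are illustrated below from the monitoring side. This is an added example, not code from the thread or from nmap: it parses the flag byte out of a raw TCP header, names the flags the way --scanflags spells them, reports flag combinations that never occur in a legitimate TCP conversation (SYN+FIN being the one this thread is about), and applies the SYN-scan and FIN-scan interpretation rules exactly as the message states them. The sample headers are constructed in the block; build_tcp_header, illegal_reason and classify_response are names chosen here, not nmap or kernel APIs.

```python
import struct

# TCP flag bits (RFC 793, plus ECE/CWR from RFC 3168); the low 8 bits of the
# 16-bit data-offset/flags word at header bytes 12-13.
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80
FLAG_BITS = {"CWR": CWR, "ECE": ECE, "URG": URG, "ACK": ACK,
             "PSH": PSH, "RST": RST, "SYN": SYN, "FIN": FIN}


def build_tcp_header(sport, dport, flags, seq=0, ack=0, window=1024):
    """Construct a minimal 20-byte TCP header (no options, checksum left 0).
    Used here only to build constructed sample input for the parser."""
    offset_flags = (5 << 12) | (flags & 0xFF)   # data offset = 5 words
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, offset_flags, window, 0, 0)


def parse_tcp_flags(segment):
    """Return the 8-bit flag field of a raw TCP header (IP header already stripped)."""
    if len(segment) < 20:
        raise ValueError("TCP header is at least 20 bytes")
    offset_flags = struct.unpack("!H", segment[12:14])[0]
    return offset_flags & 0xFF


def flag_names(flags):
    """Spell the set flags the way nmap's --scanflags does, e.g. 'SYNFIN'."""
    return "".join(name for name, bit in FLAG_BITS.items() if flags & bit) or "NONE"


def illegal_reason(flags):
    """Return why this flag set cannot come from a normal TCP conversation,
    or None if it is plausible. These are the classic crafted-probe shapes."""
    if flags == 0:
        return "NULL: no flags set"
    if flags & SYN and flags & FIN:
        return "SYN+FIN: open and close requested in the same segment"
    if flags & SYN and flags & RST:
        return "SYN+RST: open and abort in the same segment"
    if flags & (FIN | PSH | URG) == (FIN | PSH | URG) and not flags & ACK:
        return "Xmas: FIN+PSH+URG without ACK"
    return None


def audit_segments(segments):
    """Run illegal_reason over raw TCP headers; return (flag string, reason)
    for every segment a packet filter or IDS should not let pass silently."""
    findings = []
    for seg in segments:
        flags = parse_tcp_flags(seg)
        reason = illegal_reason(flags)
        if reason:
            findings.append((flag_names(flags), reason))
    return findings


def classify_response(semantics, response_flags):
    """Port state under the two rules named in the message.
    semantics: 'syn' (-sS) or 'fin' (-sF); response_flags: flag byte of the
    reply, or None when the probe was dropped.
    Note: later nmap releases label the dropped-probe FIN-scan case
    'open|filtered', since a filter and an open port look identical."""
    if semantics == "syn":
        if response_flags is None:
            return "filtered"
        if response_flags & (SYN | ACK) == (SYN | ACK):
            return "open"
        if response_flags & RST:
            return "closed"
        return "unknown"
    if semantics == "fin":
        if response_flags is None:
            return "open"          # as stated in the thread: dropped means open
        if response_flags & RST:
            return "closed"
        return "unknown"
    raise ValueError("semantics must be 'syn' or 'fin'")


if __name__ == "__main__":
    # Constructed sample traffic: one normal SYN, one SYN+FIN probe, one ACK, one NULL probe.
    sample = [
        build_tcp_header(40000, 22, SYN),
        build_tcp_header(40001, 22, SYN | FIN),
        build_tcp_header(40002, 22, ACK),
        build_tcp_header(40003, 22, 0),
    ]
    for names, why in audit_segments(sample):
        print(f"{names:8s} {why}")
    print("SYN|ACK under -sS:", classify_response("syn", SYN | ACK))
    print("no reply under -sF:", classify_response("fin", None))
```

The audit function is the defender's side of the thread: a stateless filter that only matches on the SYN bit treats a SYN+FIN segment as a connection attempt while some stacks treat it as a FIN, so logging any segment that trips illegal_reason is the cheap way to notice such probes regardless of which rule the firewall applied.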

