Firewall Wizards mailing list archives
Re: FIN Scanning through all kind of packet-filtering firewalls?
From: Darren Reed <avalon () coombs anu edu au>
Date: Sat, 8 Nov 1997 20:09:37 +1100 (EDT)
In some mail from gary flynn, sie said:
> > From: <robert.stahlbrand () nmac ericsson se>
> > The FIN scanning method (presented in Phrack Magazine 49, article 15) where you can scan for open ports on a host behind a packet-filtering firewall even though your rules denies it is certainly working on Checkpoint ver. 2.1(a)
> [...]
> I'm not familiar with Checkpoint but any packet filter that is filtering on a destination port is going to toss the packet regardless of the SYN or any other flag unless there is some special programming.
I wouldn't be so sure about that. Checkpoint's FW-1 will pass all packets through with the ACK flag set (except, I think, SYN-ACK) but will strip the body of any data. They do this so that they can rebuild state for a connection which has remained open over (say) the firewall rebooting or connection information expiring. If the reply packet was returned, anyway, there's your scan!

Darren
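The point Darren makes is that a filter which forwards any segment carrying ACK (or FIN) without checking it against a tracked connection turns the flag itself into the pass condition, so a probe and the host's reply both get through. The audit below is an added example, not code from this thread or from any Checkpoint product: it replays a small constructed packet log (timestamp, source, source port, destination, destination port, TCP flags) through a toy connection tracker and reports every ACK-only or FIN segment that arrives for a connection the tracker never saw a handshake for, plus FIN segments with no ACK bit, which never occur inside a legitimate connection. The log format, the `audit` function and the simplified handshake model are all assumptions made for the example.

```python
"""Audit a packet log for ACK/FIN segments that have no tracked connection behind them.

Added example (not from the mailing-list thread). The log lines below are
constructed sample data; the single-handshake state model is deliberately
simplified (no retransmission handling, no timers).
"""

# Constructed log: ts src sport dst dport flags   (S=SYN, A=ACK, F=FIN)
SAMPLE_LOG = """\
1 10.0.0.5 40001 192.0.2.10 80 S
2 192.0.2.10 80 10.0.0.5 40001 SA
3 10.0.0.5 40001 192.0.2.10 80 A
4 10.0.0.5 40001 192.0.2.10 80 FA
5 198.51.100.7 53000 192.0.2.10 22 F
6 198.51.100.7 53001 192.0.2.10 25 A
7 198.51.100.7 53002 192.0.2.10 143 F
"""


def parse(log):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, src, sport, dst, dport, flags = parts
        yield {
            "ts": int(ts),
            "src": src,
            "sport": int(sport),
            "dst": dst,
            "dport": int(dport),
            "flags": set(flags),
        }


def conn_key(p):
    """Direction-independent identifier for the two endpoints of a segment."""
    return frozenset({(p["src"], p["sport"]), (p["dst"], p["dport"])})


def audit(log):
    """Return [(ts, reason), ...] for segments that a flag-only passthrough rule
    would forward even though no tracked connection justifies them."""
    state = {}  # conn_key -> "syn_sent" | "established"
    findings = []
    for p in parse(log):
        key = conn_key(p)
        f = p["flags"]

        # Handshake: bare SYN opens tracking, SYN-ACK completes it.
        if "S" in f and "A" not in f:
            state[key] = "syn_sent"
            continue
        if "S" in f and "A" in f:
            if state.get(key) == "syn_sent":
                state[key] = "established"
            else:
                findings.append((p["ts"], "SYN-ACK without prior SYN"))
            continue

        # A FIN without ACK never occurs inside a real connection.
        if "F" in f and "A" not in f:
            findings.append((p["ts"], "FIN without ACK (no legitimate connection sends this)"))
            continue

        # ACK-bearing segment: only valid if we saw the handshake.
        if key not in state:
            findings.append((p["ts"], "ACK/FIN segment for untracked connection"))
        elif "F" in f:
            state.pop(key)  # simplified teardown: forget the connection on FIN
    return findings


if __name__ == "__main__":
    for ts, reason in audit(SAMPLE_LOG):
        print(f"t={ts}: {reason}")
```

Lines 1 through 4 are a normal open, data and close and produce no finding; lines 5 through 7 are the pattern a stateless "pass if ACK/FIN" rule lets through, and each is reported. A real filter that keeps this kind of table can drop those three segments outright, which is the mitigation for the behaviour Darren describes.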