Firewall Wizards mailing list archives
FIN scanning
From: "Michael B. Rash" <mbr () math umd edu>
Date: Tue, 16 Nov 1999 13:20:54 -0500 (EST)
I am using nmap (which is a great program BTW; thank you Fyodor) to scan a host, and the -sF option conducts a FIN (stealth) scan against the target, which of course comes back with _many_ more "open" ports than the vanilla connect() scans. "Open" here means that a RST was not received in response to the FIN packet.

My question is this: since mounting an application layer exploit against a box will require that you can communicate over some port with regular connect() calls, what good are FIN scans? You may identify ports that are 'open' with respect to FIN packets, but to actually mount an exploit against a machine/application (other than some odd-ball FIN DoS attack or something), you will need to use connect() calls anyway, so why not simply use vanilla TCP connect() scanning instead?

Note that doing some preliminary searching on bugtraq and a couple of other sources came up with no exploits using FIN packets. All references seem to point to using FIN packets exclusively for scanning. What am I missing?

--Mike
http://www.math.umd.edu/~mbr

"...Audiences know what to expect and that
is all they are prepared to believe in..."

P.S. 'hello'
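The post's definition of "open" (no RST came back in reply to a bare FIN) is exactly what a defender can turn around: a FIN with no ACK bit on a socket that never saw a SYN does not occur in normal TCP traffic, so orphan FINs fanning out across many ports are a reliable scan signature. The following Python is an added example, not code from the post or from nmap; the packet records, host addresses (192.0.2.10 as the scanned host, 10.0.0.5 as the scanner, 10.0.0.7 as a normal client) and the port threshold are all constructed for illustration. It shows both sides: the inference the scanner makes from missing RSTs, and the detection logic a sensor would run over the same packets.

```python
from collections import defaultdict
from dataclasses import dataclass

# Distinct ports hit by orphan FINs from one source before we call it a scan (assumed value).
SCAN_PORT_THRESHOLD = 5


@dataclass(frozen=True)
class Packet:
    """Minimal TCP header view: addresses, ports and the set of flag names."""
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset


def is_bare_fin(pkt):
    # A normal teardown carries FIN+ACK. FIN with the ACK bit clear is what -sF sends.
    return "FIN" in pkt.flags and "ACK" not in pkt.flags


def detect_fin_scans(packets, threshold=SCAN_PORT_THRESHOLD):
    """Return {(src, dst): [ports]} for sources that sent bare FINs to >= threshold
    distinct ports on sockets that never began with a SYN."""
    seen_syn = set()                    # 4-tuples that started with a SYN
    orphan_fin_ports = defaultdict(set)  # (src, dst) -> ports hit by orphan FINs
    for p in packets:
        key = (p.src, p.dst, p.sport, p.dport)
        if "SYN" in p.flags:
            seen_syn.add(key)
        elif is_bare_fin(p) and key not in seen_syn:
            orphan_fin_ports[(p.src, p.dst)].add(p.dport)
    return {pair: sorted(ports)
            for pair, ports in orphan_fin_ports.items() if len(ports) >= threshold}


def rst_ports_for(packets, scanner, target):
    """Ports on `target` that answered the scanner with a RST."""
    return {p.sport for p in packets
            if p.src == target and p.dst == scanner and "RST" in p.flags}


def infer_port_state(probed_ports, rst_ports):
    # The inference the post describes: "open" just means no RST was seen. A firewall
    # silently dropping the probe also yields no RST, hence the honest label open|filtered.
    return {port: ("closed" if port in rst_ports else "open|filtered")
            for port in probed_ports}


# --- constructed sample traffic (not a real capture) ---
TARGET, SCANNER, CLIENT = "192.0.2.10", "10.0.0.5", "10.0.0.7"
PROBED = [21, 22, 23, 25, 80, 443]
CLOSED_ON_TARGET = {23, 25}  # the only ports that reply with RST to a bare FIN

SAMPLE = []
for i, port in enumerate(PROBED):
    SAMPLE.append(Packet(SCANNER, TARGET, 40000 + i, port, frozenset({"FIN"})))
    if port in CLOSED_ON_TARGET:
        SAMPLE.append(Packet(TARGET, SCANNER, port, 40000 + i, frozenset({"RST", "ACK"})))

# A legitimate connection to port 80 that closes normally: must not be flagged.
SAMPLE += [
    Packet(CLIENT, TARGET, 51000, 80, frozenset({"SYN"})),
    Packet(TARGET, CLIENT, 80, 51000, frozenset({"SYN", "ACK"})),
    Packet(CLIENT, TARGET, 51000, 80, frozenset({"ACK"})),
    Packet(CLIENT, TARGET, 51000, 80, frozenset({"FIN", "ACK"})),
]

if __name__ == "__main__":
    print("scanner's view:", infer_port_state(PROBED, rst_ports_for(SAMPLE, SCANNER, TARGET)))
    print("sensor's view: ", detect_fin_scans(SAMPLE))
```

Two points the code makes concrete. First, the scanner's "open" list is really open|filtered, so the extra ports the post sees over a connect() scan are partly filtered ports, not services it could talk to. Second, the very property that makes the scan quiet against connection logs (no SYN, no accept()) makes it loud to anything watching TCP flags, since stateful sensors need no per-port knowledge to spot a FIN that belongs to no connection.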
Current thread:
- FIN scanning, Michael B. Rash (Nov 17)
  - Re: FIN scanning, Bill Pennington (Nov 17)
- Possible follow-ups:
  - Re: FIN scanning, Robert Graham (Nov 17)
    - Re: FIN scanning, Michael B. Rash (Nov 21)
  - RE: FIN scanning, LeGrow, Matt (Nov 17)