Firewall Wizards mailing list archives

Re: FIN scanning


From: "Bill Pennington" <bpennington () lucidnetworks com>
Date: Wed, 17 Nov 1999 16:06:21 -0800

You are really only trying to avoid detection when using FIN scanning. You
can then go back and manually query the ports you find in a way that
(hopefully) does not set off an IDS.

Bill Pennington
Consultant
Lucid NetworX


----- Original Message -----
From: Michael B. Rash <mbr () math umd edu>
To: <firewall-wizards () nfr net>
Sent: Tuesday, November 16, 1999 10:20 AM
Subject: FIN scanning



I am using nmap (which is a great program BTW; thank you Fyodor) to scan a
host and the -sF option conducts a FIN (stealth) scan against the target
which of course comes back with _many_ more "open" ports than the vanilla
connect() scans.  "Open" here means that a RST was not received in
response to the FIN packet.

My question is this:  since mounting an application layer exploit against
a box will require that you can communicate over some port with regular
connect() calls, what good are FIN scans?  You may identify ports that are
'open' with respect to FIN packets, but to actually mount an exploit
against a machine/application (other than some odd-ball FIN DoS attack or
something), you will need to use connect() calls anyway so why not simply
use vanilla TCP connect() scanning instead?  Note that doing some
preliminary searching on bugtraq and a couple of other sources comes up with
no exploits using FIN packets.  All references seem to point to using FIN
packets exclusively for scanning.  What am I missing?


--Mike                        | "...Audiences know what to expect and that
http://www.math.umd.edu/~mbr  | is all they are prepared to believe in..."

P.S.  'hello'
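
As an added illustration (not code from the thread or from nmap), the following sensor-side logic covers both halves of the exchange: it flags the bare-FIN probing Bill says an IDS should notice, and it reconstructs the "open" list Mike describes, i.e. the probed ports that never answered with a RST. The packet records are constructed, and the field layout, thresholds and window are assumptions.

```python
from collections import defaultdict

# Constructed packet summaries in the shape a sensor might log them:
# (timestamp, src_ip, src_port, dst_ip, dst_port, flags). Not real captures.
SAMPLE_PACKETS = [
    # Ordinary connection to port 80: handshake, data, FIN/ACK teardown.
    (1.0, "10.0.0.5", 40001, "10.0.0.9", 80, "S"),
    (1.1, "10.0.0.9", 80, "10.0.0.5", 40001, "SA"),
    (1.2, "10.0.0.5", 40001, "10.0.0.9", 80, "A"),
    (1.3, "10.0.0.5", 40001, "10.0.0.9", 80, "PA"),
    (1.4, "10.0.0.5", 40001, "10.0.0.9", 80, "FA"),
    (1.5, "10.0.0.9", 80, "10.0.0.5", 40001, "FA"),
    # Bare FIN probes from another host: closed ports answer RST, open ones stay silent.
    (2.0, "10.0.0.7", 50000, "10.0.0.9", 21, "F"),
    (2.0, "10.0.0.9", 21, "10.0.0.7", 50000, "RA"),
    (2.1, "10.0.0.7", 50000, "10.0.0.9", 22, "F"),
    (2.2, "10.0.0.7", 50000, "10.0.0.9", 23, "F"),
    (2.2, "10.0.0.9", 23, "10.0.0.7", 50000, "RA"),
    (2.3, "10.0.0.7", 50000, "10.0.0.9", 80, "F"),
]

def is_bare_fin(flags):
    # After the handshake every legitimate segment carries ACK, so a FIN without
    # ACK (and without SYN) cannot belong to an established connection.
    return "F" in flags and "A" not in flags and "S" not in flags

def detect_fin_scans(packets, min_ports=3, window=10.0):
    """Return {scanner_ip: {"probed": ports, "no_rst": ports}} for each source whose
    bare FINs hit at least min_ports distinct ports within `window` seconds.
    "no_rst" holds the probed ports that never replied with RST, which is exactly
    the set a FIN scanner would report as open."""
    probes = defaultdict(list)   # scanner_ip -> [(ts, target_ip, target_port)]
    rsts = set()                 # (target_ip, target_port, scanner_ip) that sent RST
    for ts, src, sport, dst, dport, flags in packets:
        if is_bare_fin(flags):
            probes[src].append((ts, dst, dport))
        elif "R" in flags:
            rsts.add((src, sport, dst))
    findings = {}
    for src, events in probes.items():
        events.sort()
        for i, (t0, _, _) in enumerate(events):   # sliding window over probe times
            hits = {(d, p) for ts, d, p in events[i:] if ts - t0 <= window}
            if len(hits) >= min_ports:
                no_rst = {p for d, p in hits if (d, p, src) not in rsts}
                findings[src] = {"probed": {p for _, p in hits}, "no_rst": no_rst}
                break
    return findings
```

The normal FIN/ACK teardown from 10.0.0.5 is never counted, while 10.0.0.7 is reported with ports 22 and 80 as the ones that drew no RST.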
