FIN Scan
Results 1 to 4 of 4

Thread: FIN Scan

  1. #1
    Senior Member tampabay420's Avatar
    Join Date
    Aug 2002
    Posts
    953

    FIN Scan

    Hey guys/gals,

    -> I'm doing some FireWall testing on one of my servers and while scanning the machine with different scan types... i noticed that the FIN scan (using nmap) came back with all open ports... I mean everything from 1 to 31337 was listed as open. Obviously i know this not to be true... I'm trying to figure out why nmap would say this...

    -> I'm using a FreeBSD machine as the Firewall/NAT
    -> All of the servers are up-to-date Win2k Servers

    ---------------------------------------------------->
    now, same with UDP scan... all UDP ports are listed as open?
    only -sS and -sT scan types seem to be working?
    yeah, I\'m gonna need that by friday...

  2. #2
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,403
    From man nmap:

    -sF -sX -sN
    Stealth FIN, Xmas Tree, or Null scan modes: There are times when
    even SYN scanning isn't clandestine enough. Some firewalls and
    packet filters watch for SYNs to restricted ports, and programs
    like Synlogger and Courtney are available to detect these scans.
    These advanced scans, on the other hand, may be able to pass
    through unmolested.

    The idea is that closed ports are required to reply to your
    probe packet with an RST, while open ports must ignore the pack-
    ets in question (see RFC 793 pp 64).
    The FIN scan uses a bare
    (surprise) FIN packet as the probe, while the Xmas tree scan
    turns on the FIN, URG, and PUSH flags. The Null scan turns off
    all flags. Unfortunately Microsoft (like usual) decided to com-
    pletely ignore the standard and do things their own way. Thus
    this scan type will not work against systems running Win-
    dows95/NT. On the positive side, this is a good way to distin-
    guish between the two platforms. If the scan finds open ports,
    you know the machine is not a Windows box. If a -sF,-sX,or -sN
    scan shows all ports closed, yet a SYN (-sS) scan shows ports
    being opened, you are probably looking at a Windows box. This
    is less useful now that nmap has proper OS detection built in.
    There are also a few other systems that are broken in the same
    way Windows is. They include Cisco, BSDI, HP/UX, MVS, and IRIX.
    All of the above send resets from the open ports when they
    should just drop the packet.
    Because your firewall (probably) silently drops these FIN packets, nmap will think the port is open.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  3. #3
    Senior Member tampabay420's Avatar
    Join Date
    Aug 2002
    Posts
    953
    der, I feel stupid...

    I just read the damn MAN Page too... it's too early in this timezone!
    yeah, I\'m gonna need that by friday...

  4. #4
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,403
    Hehe. I know the feeling. There's nothing more silly then reading something 20 times and actually "see" it the 21st time.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •