what is "Fin Scan"? How harmful is it?

what is "Fin Scan"? How harmful is it?

thx
LVL 1
Y YconsultantAsked:
Who is Participating?
 
samsternCommented:
Hi,

A FIN scan is a type of scan whose usual aim is to perform network reconnaissance. What's attractive about A FIN scan from the attacker's point of view is that the attacker sends a special signal  (a tcp packet with only the FIN flag set) that tends to get past many firewalls. Some firewalls do not even log the attempt! The scan takes the form of a signal that says "hi, I've finished my communications on this port" and the computer this scanned sends back the signal that says "acknowledged, yup communications are done" (And closes any open communications on that port if they have the right bug and it's not patched) or "I'm sorry that port is closed" or perhaps (rarely) "Odd. There is a problem that port did not have communications with you". This tells the attacker several things: The port is open and ready, there is a computer there BUT the port is not accepting communications. Further the Attacker gets to learn a bit about the victim OS. However, this form of scanning does not work very well against Windows PC's. You see all modern Windows PC's have a flaw where they send back the "acknowledged" response no matter if the port is open or not. Thus all an attacker can learn about a windows pc by fin scanning is that the windows PC is up and running and that it's not running a very good firewall. However, even if the firewall is not that good, you cannot actually exploit the information you receive from a FIN to attack a given port with the intent of starting communications unless the firewall does not block a SYN packet to the port in question - even poorer firewall will block this.
What is interesting about information returned from a FIN scan is that there attacks that use FIN packets to disrupt communications between two systems (via spoofing) by convincing the attacked computer not to talk to the other computer any more. That's how folks get bounced from AIM or AOL allot. Also, the FIN packet can be used to reboot or freeze unpatched systems using specially constructed FIN packets such as produced by the infamous Jolt2 attack. Jolt2 does not work against any patches system and patches have been available since 1999 or thereabouts. Regardless of intent these FIN based attacks get logged as a "FIN scan" by many consumer firewalls.

Besides limited information gather potential of FIN scans, and the limited DoS potential of a FIN packet, FIN scans are not seen "in the wild" as much as other scanning types. FIN scans are often seen as part an attempt to "fingerprint" or identify a given OS more than they are used to actually scan a system. The attacker can learn allot more about a system using half open, or ACK scanning (if they are being stealthy). Most firewall manufacturers consider FIN scanning to low risk for these reasons.
0
 
jvuzCommented:
In what context?
0
 
LucFEMEA Server EngineerCommented:
Hi techcity,

You might want to take a look here:
http://securityresponse.symantec.com/avcenter/security/Content/2002.05.16.html

It's really low risk, it's only searching for open ports, if you use a good firewall you'll be fine.

Greetings,

LucF
0
How do you know if your security is working?

Protecting your business doesn’t have to mean sifting through endless alerts and notifications. With WatchGuard Total Security Suite, you can feel confident that your business is secure, meaning you can get back to the things that have been sitting on your to-do list.

 
LucFEMEA Server EngineerCommented:
More information about different packages I found here: http://www.linux-magazine.com/issue/04/snort_nmap.pdf (page 47)
0
 
chicagoanCommented:
From ISS:

The typical TCP scan attempts to open connections (at least part way). Another technique sends erroneous packets at a port, expecting that "open" listening ports will send back different error messages than "closed" ports.

The most common of these scans is the FIN scan, which attempts to close a connection that isn't open. If no service is listening at the target port, the operating system will generate an error message. If a service is listening, the operating system will silently drop the incoming packet. Therefore, no response indicates a listening service at the port. However, since packets can be dropped accidentally on the wire or by firewalls, this isn't a very effective scan.

Other techniques might consist of XMAS scans where all flags in the TCP packet are set, or NULL scans where none of the bits are set. However, different operating systems respond differently to these scans.
0
 
Joseph_MooreCommented:
Here is the description of a FIN scan from Insecure.org, the home of NMAP:

"TCP FIN scanning : There are times when even SYN scanning isn't clandestine enough. Some firewalls and packet filters watch for SYNs to restricted ports, and programs like synlogger and Courtney are available to detect these scans. FIN packets, on the other hand, may be able to pass through unmolested. This scanning technique was featured in detail by Uriel Maimon in Phrack 49, article 15. The idea is that closed ports tend to reply to your FIN packet with the proper RST. Open ports, on the other hand, tend to ignore the packet in question. As Alan Cox has pointed out, this is required TCP behavior. However, some systems (notably Micro$oft boxes), are broken in this regard. They send RST's regardless of the port state, and thus they aren't vulnerable to this type of scan. It works well on most other systems I've tried. Actually, it is often useful to discriminate between a *NIX and NT box, and this can be used to do that. FIN scanning is the -U (Uriel) option of nmap."

This description is found here:
http://www.insecure.org/nmap/nmap_doc.html#fin
0
 
chris_calabreseCommented:
The bottom line is that you see this when someone is fishing to see what you have running on your servers/networks.

FIN scans and other types of bizarro TCP-option scans SHOULD be blocked by any good firewall. Unfortunately, many firewalls that a lot of people think are good aren't.

The scan itself isn't a threat, but it is the precursor to an actual attack.

For example, an attacker might FIN-scan your network and find all the systems running something on port 80 (usually HTTP). They then can target those systems for various webserver attacks and waltz in (assuming any of the servers are vulnerable to any of the attacks in their bag of tricks, but this is almost certainly the case if your're running IIS and you don't have the very very latest patches).
0
 
chicagoanCommented:
fin scan is a port scan designed to ferret out services surreptitiously
If a service is identified, known vulnerabilities can be used to exploit those services
This is a primitive attempt at evading Intrusion Detection Systems
Your system correctly identified the probe, blocking such packets is good
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.