Solved

what is "Fin Scan"? How harmful is it?

Posted on 2003-12-11
8
6,651 Views
Last Modified: 2011-09-20
what is "Fin Scan"? How harmful is it?

thx
0
Comment
Question by:techcity
8 Comments
 
LVL 21

Expert Comment

by:jvuz
ID: 9927691
In what context?
0
 
LVL 32

Expert Comment

by:Luc Franken
ID: 9927808
Hi techcity,

You might want to take a look here:
http://securityresponse.symantec.com/avcenter/security/Content/2002.05.16.html

It's really low risk, it's only searching for open ports, if you use a good firewall you'll be fine.

Greetings,

LucF
0
 
LVL 32

Expert Comment

by:Luc Franken
ID: 9927857
More information about different packages I found here: http://www.linux-magazine.com/issue/04/snort_nmap.pdf (page 47)
0
 
LVL 18

Expert Comment

by:chicagoan
ID: 9930043
From ISS:

The typical TCP scan attempts to open connections (at least part way). Another technique sends erroneous packets at a port, expecting that "open" listening ports will send back different error messages than "closed" ports.

The most common of these scans is the FIN scan, which attempts to close a connection that isn't open. If no service is listening at the target port, the operating system will generate an error message. If a service is listening, the operating system will silently drop the incoming packet. Therefore, no response indicates a listening service at the port. However, since packets can be dropped accidentally on the wire or by firewalls, this isn't a very effective scan.

Other techniques might consist of XMAS scans where all flags in the TCP packet are set, or NULL scans where none of the bits are set. However, different operating systems respond differently to these scans.
0
Highfive + Dolby Voice = No More Audio Complaints!

Poor audio quality is one of the top reasons people don’t use video conferencing. Get the crispest, clearest audio powered by Dolby Voice in every meeting. Highfive and Dolby Voice deliver the best video conferencing and audio experience for every meeting and every room.

 
LVL 6

Expert Comment

by:Joseph_Moore
ID: 9930469
Here is the description of a FIN scan from Insecure.org, the home of NMAP:

"TCP FIN scanning : There are times when even SYN scanning isn't clandestine enough. Some firewalls and packet filters watch for SYNs to restricted ports, and programs like synlogger and Courtney are available to detect these scans. FIN packets, on the other hand, may be able to pass through unmolested. This scanning technique was featured in detail by Uriel Maimon in Phrack 49, article 15. The idea is that closed ports tend to reply to your FIN packet with the proper RST. Open ports, on the other hand, tend to ignore the packet in question. As Alan Cox has pointed out, this is required TCP behavior. However, some systems (notably Micro$oft boxes), are broken in this regard. They send RST's regardless of the port state, and thus they aren't vulnerable to this type of scan. It works well on most other systems I've tried. Actually, it is often useful to discriminate between a *NIX and NT box, and this can be used to do that. FIN scanning is the -U (Uriel) option of nmap."

This description is found here:
http://www.insecure.org/nmap/nmap_doc.html#fin
0
 
LVL 14

Expert Comment

by:chris_calabrese
ID: 9930760
The bottom line is that you see this when someone is fishing to see what you have running on your servers/networks.

FIN scans and other types of bizarro TCP-option scans SHOULD be blocked by any good firewall. Unfortunately, many firewalls that a lot of people think are good aren't.

The scan itself isn't a threat, but it is the precursor to an actual attack.

For example, an attacker might FIN-scan your network and find all the systems running something on port 80 (usually HTTP). They then can target those systems for various webserver attacks and waltz in (assuming any of the servers are vulnerable to any of the attacks in their bag of tricks, but this is almost certainly the case if your're running IIS and you don't have the very very latest patches).
0
 
LVL 18

Expert Comment

by:chicagoan
ID: 9931046
fin scan is a port scan designed to ferret out services surreptitiously
If a service is identified, known vulnerabilities can be used to exploit those services
This is a primitive attempt at evading Intrusion Detection Systems
Your system correctly identified the probe, blocking such packets is good
0
 

Accepted Solution

by:
samstern earned 20 total points
ID: 9967338
Hi,

A FIN scan is a type of scan whose usual aim is to perform network reconnaissance. What's attractive about A FIN scan from the attacker's point of view is that the attacker sends a special signal  (a tcp packet with only the FIN flag set) that tends to get past many firewalls. Some firewalls do not even log the attempt! The scan takes the form of a signal that says "hi, I've finished my communications on this port" and the computer this scanned sends back the signal that says "acknowledged, yup communications are done" (And closes any open communications on that port if they have the right bug and it's not patched) or "I'm sorry that port is closed" or perhaps (rarely) "Odd. There is a problem that port did not have communications with you". This tells the attacker several things: The port is open and ready, there is a computer there BUT the port is not accepting communications. Further the Attacker gets to learn a bit about the victim OS. However, this form of scanning does not work very well against Windows PC's. You see all modern Windows PC's have a flaw where they send back the "acknowledged" response no matter if the port is open or not. Thus all an attacker can learn about a windows pc by fin scanning is that the windows PC is up and running and that it's not running a very good firewall. However, even if the firewall is not that good, you cannot actually exploit the information you receive from a FIN to attack a given port with the intent of starting communications unless the firewall does not block a SYN packet to the port in question - even poorer firewall will block this.
What is interesting about information returned from a FIN scan is that there attacks that use FIN packets to disrupt communications between two systems (via spoofing) by convincing the attacked computer not to talk to the other computer any more. That's how folks get bounced from AIM or AOL allot. Also, the FIN packet can be used to reboot or freeze unpatched systems using specially constructed FIN packets such as produced by the infamous Jolt2 attack. Jolt2 does not work against any patches system and patches have been available since 1999 or thereabouts. Regardless of intent these FIN based attacks get logged as a "FIN scan" by many consumer firewalls.

Besides limited information gather potential of FIN scans, and the limited DoS potential of a FIN packet, FIN scans are not seen "in the wild" as much as other scanning types. FIN scans are often seen as part an attempt to "fingerprint" or identify a given OS more than they are used to actually scan a system. The attacker can learn allot more about a system using half open, or ACK scanning (if they are being stealthy). Most firewall manufacturers consider FIN scanning to low risk for these reasons.
0

Featured Post

Free Gift Card with Acronis Backup Purchase!

Backup any data in any location: local and remote systems, physical and virtual servers, private and public clouds, Macs and PCs, tablets and mobile devices, & more! For limited time only, buy any Acronis backup products and get a FREE Amazon/Best Buy gift card worth up to $200!

Join & Write a Comment

This story has been written with permission from the scammed victim, a valued client of mine – identity protected by request.
This paper addresses the security of Sennheiser DECT Contact Center and Office (CC&O) headsets. It describes the DECT security chain comprised of “Pairing”, “Per Call Authentication” and “Encryption”, which are all part of the standard DECT protocol.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
You have products, that come in variants and want to set different prices for them? Watch this micro tutorial that describes how to configure prices for Magento super attributes. Assigning simple products to configurable: We assigned simple products…

746 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now