Solved

what is "Fin Scan"? How harmful is it?

Posted on 2003-12-11
8
8,191 Views
Last Modified: 2011-09-20

thx
0
Comment
Question by:techcity
8 Comments
 
LVL 21

Expert Comment

by:jvuz
ID: 9927691
In what context?
0
 
LVL 32

Expert Comment

by:LucF
ID: 9927808
Hi techcity,

You might want to take a look here:
http://securityresponse.symantec.com/avcenter/security/Content/2002.05.16.html

It's really low risk, it's only searching for open ports, if you use a good firewall you'll be fine.

Greetings,

LucF
0
 
LVL 32

Expert Comment

by:LucF
ID: 9927857
More information about different packages I found here: http://www.linux-magazine.com/issue/04/snort_nmap.pdf (page 47)
0
 
LVL 18

Expert Comment

by:chicagoan
ID: 9930043
From ISS:

The typical TCP scan attempts to open connections (at least part way). Another technique sends erroneous packets at a port, expecting that "open" listening ports will send back different error messages than "closed" ports.

The most common of these scans is the FIN scan, which attempts to close a connection that isn't open. If no service is listening at the target port, the operating system will generate an error message. If a service is listening, the operating system will silently drop the incoming packet. Therefore, no response indicates a listening service at the port. However, since packets can be dropped accidentally on the wire or by firewalls, this isn't a very effective scan.

Other techniques might consist of XMAS scans where all flags in the TCP packet are set, or NULL scans where none of the bits are set. However, different operating systems respond differently to these scans.
0
 
LVL 6

Expert Comment

by:Joseph_Moore
ID: 9930469
Here is the description of a FIN scan from Insecure.org, the home of NMAP:

"TCP FIN scanning : There are times when even SYN scanning isn't clandestine enough. Some firewalls and packet filters watch for SYNs to restricted ports, and programs like synlogger and Courtney are available to detect these scans. FIN packets, on the other hand, may be able to pass through unmolested. This scanning technique was featured in detail by Uriel Maimon in Phrack 49, article 15. The idea is that closed ports tend to reply to your FIN packet with the proper RST. Open ports, on the other hand, tend to ignore the packet in question. As Alan Cox has pointed out, this is required TCP behavior. However, some systems (notably Micro$oft boxes), are broken in this regard. They send RST's regardless of the port state, and thus they aren't vulnerable to this type of scan. It works well on most other systems I've tried. Actually, it is often useful to discriminate between a *NIX and NT box, and this can be used to do that. FIN scanning is the -U (Uriel) option of nmap."

This description is found here:
http://www.insecure.org/nmap/nmap_doc.html#fin
0
 
LVL 14

Expert Comment

by:chris_calabrese
ID: 9930760
The bottom line is that you see this when someone is fishing to see what you have running on your servers/networks.

FIN scans and other types of bizarro TCP-option scans SHOULD be blocked by any good firewall. Unfortunately, many firewalls that a lot of people think are good aren't.

The scan itself isn't a threat, but it is the precursor to an actual attack.

For example, an attacker might FIN-scan your network and find all the systems running something on port 80 (usually HTTP). They then can target those systems for various webserver attacks and waltz in (assuming any of the servers are vulnerable to any of the attacks in their bag of tricks, but this is almost certainly the case if you're running IIS and you don't have the very very latest patches).
0
 
LVL 18

Expert Comment

by:chicagoan
ID: 9931046
FIN scan is a port scan designed to ferret out services surreptitiously.
If a service is identified, known vulnerabilities can be used to exploit those services.
This is a primitive attempt at evading Intrusion Detection Systems.
Your system correctly identified the probe; blocking such packets is good.
0
 

Accepted Solution

by:
samstern earned 20 total points
ID: 9967338
Hi,

A FIN scan is a type of scan whose usual aim is to perform network reconnaissance. What's attractive about a FIN scan from the attacker's point of view is that the attacker sends a special signal (a TCP packet with only the FIN flag set) that tends to get past many firewalls. Some firewalls do not even log the attempt! The scan takes the form of a signal that says "hi, I've finished my communications on this port" and the computer thus scanned sends back the signal that says "acknowledged, yup, communications are done" (and closes any open communications on that port if they have the right bug and it's not patched) or "I'm sorry, that port is closed" or perhaps (rarely) "Odd. There is a problem; that port did not have communications with you". This tells the attacker several things: the port is open and ready, there is a computer there BUT the port is not accepting communications. Further, the attacker gets to learn a bit about the victim OS. However, this form of scanning does not work very well against Windows PCs. You see, all modern Windows PCs have a flaw where they send back the "acknowledged" response no matter if the port is open or not. Thus all an attacker can learn about a Windows PC by FIN scanning is that the Windows PC is up and running and that it's not running a very good firewall. However, even if the firewall is not that good, you cannot actually exploit the information you receive from a FIN to attack a given port with the intent of starting communications unless the firewall does not block a SYN packet to the port in question - even a poorer firewall will block this.
What is interesting about information returned from a FIN scan is that there are attacks that use FIN packets to disrupt communications between two systems (via spoofing) by convincing the attacked computer not to talk to the other computer any more. That's how folks get bounced from AIM or AOL a lot. Also, the FIN packet can be used to reboot or freeze unpatched systems using specially constructed FIN packets such as produced by the infamous Jolt2 attack. Jolt2 does not work against any patched system, and patches have been available since 1999 or thereabouts. Regardless of intent, these FIN-based attacks get logged as a "FIN scan" by many consumer firewalls.

Besides the limited information-gathering potential of FIN scans, and the limited DoS potential of a FIN packet, FIN scans are not seen "in the wild" as much as other scanning types. FIN scans are often seen as part of an attempt to "fingerprint" or identify a given OS more than they are used to actually scan a system. The attacker can learn a lot more about a system using half-open or ACK scanning (if they are being stealthy). Most firewall manufacturers consider FIN scanning to be low risk for these reasons.
0
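A defender-side illustration of the flag combinations described in chicagoan's ISS quote above and in the accepted answer: a small classifier that tags bare-FIN, NULL and XMAS probes the way a host firewall would log them, and only alerts once one source has hit several ports. This is an added example, not code from the thread or from any tool it names; the packet records, addresses and threshold are constructed, and XMAS follows this thread's definition (every TCP flag set) rather than nmap's.

```python
from collections import defaultdict

# TCP flag bits as laid out in the TCP header flags byte (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ALL_SIX = FIN | SYN | RST | PSH | ACK | URG   # "XMAS" as this thread defines it

def probe_type(flags):
    """Name the bogus-flag probe a TCP flags byte corresponds to, or None.
    A legitimate close of an established session carries FIN together with
    ACK, so a bare FIN is the FIN-scan signature from the thread; NULL (no
    flags) and XMAS (every flag) are the other two combinations it mentions."""
    if flags == FIN:
        return "FIN"
    if flags == 0:
        return "NULL"
    if flags == ALL_SIX:
        return "XMAS"
    return None

def detect_scans(packets, min_ports=3):
    """packets: iterable of (src_ip, dst_ip, dst_port, flags) tuples.
    Returns {(src, dst, probe): sorted ports} for each source that hit at least
    min_ports distinct ports with one bogus flag set (a single stray packet,
    which the thread notes can simply be lost on the wire, never alerts)."""
    seen = defaultdict(set)
    for src, dst, port, flags in packets:
        kind = probe_type(flags)
        if kind is not None:
            seen[(src, dst, kind)].add(port)
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_ports}

# Constructed sample traffic (documentation-range addresses): a FIN sweep, an
# XMAS sweep, an ordinary session, and one lone FIN that stays below threshold.
SAMPLE = [
    ("198.51.100.7", "192.0.2.10", 22, FIN),
    ("198.51.100.7", "192.0.2.10", 80, FIN),
    ("198.51.100.7", "192.0.2.10", 443, FIN),
    ("203.0.113.5", "192.0.2.10", 25, ALL_SIX),
    ("203.0.113.5", "192.0.2.10", 110, ALL_SIX),
    ("203.0.113.5", "192.0.2.10", 143, ALL_SIX),
    ("192.0.2.20", "192.0.2.10", 80, SYN),        # normal connection start
    ("192.0.2.20", "192.0.2.10", 80, FIN | ACK),  # normal graceful close
    ("192.0.2.21", "192.0.2.10", 443, FIN),       # single stray FIN
]

for (src, dst, kind), ports in detect_scans(SAMPLE).items():
    print(f"{kind} scan from {src} against {dst}: ports {ports}")
```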
