A FIN scan is a stealthy technique used in network reconnaissance to identify open TCP ports on a target system. It operates by sending TCP packets with only the FIN (finish) flag set, without establishing a full TCP handshake. This method leverages nuances in the TCP protocol to infer the state of ports while minimizing detection.
How FIN Scans Work
According to RFC 793, the behavior of a TCP port when receiving a packet with the FIN flag set varies based on its state:
- Closed Port: Sends back a TCP RST (reset) packet, indicating that the port is closed.
- Open Port: Ignores the unsolicited FIN packet and does not respond.
By analyzing the responses (or lack thereof), a scanner can determine which ports are open or closed.
Advantages of FIN Scans
- Stealthiness: FIN scans do not initiate a full TCP handshake, making them less conspicuous and harder for intrusion detection systems (IDS) and firewalls to detect.
- Firewall Evasion: Some firewalls and packet filters are configured to monitor for standard connection attempts (like SYN packets) and may overlook FIN packets, allowing the scan to bypass certain security measures.
Limitations
- Operating System Behavior: Not all operating systems adhere strictly to RFC 793. For instance, Windows systems often respond with a RST packet regardless of the port's state, rendering FIN scans ineffective against such targets.
- Modern Security Measures: Advanced firewalls and IDS have evolved to detect and block FIN scans by recognizing the traffic pattern this technique produces.
Practical Example
Using Nmap, a popular network scanning tool, a FIN scan can be executed with the following command:
nmap -sF 192.168.1.1
This command sends FIN packets to the target IP address (192.168.1.1) to identify open ports based on the responses received.
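The following is an added example, not code from the original article or from the Nmap project. It makes two parts of the text concrete in one self-contained script: the RFC 793 response rules from "How FIN Scans Work" (including the Windows-style caveat from the Limitations section, where a stack answers RST regardless of port state), and the detection side mentioned under "Modern Security Measures", implemented as a simple heuristic that flags a source sending bare-FIN segments (FIN set, no ACK) to many distinct ports of one host inside a short time window. The TCP header builder, the sample traffic, the IP addresses, the threshold of 10 ports and the 5-second window are all constructed assumptions for illustration; a real deployment would feed the detector from a packet capture or flow records rather than the in-memory list used here.

```python
import struct
from collections import defaultdict

# TCP flag bits in the low six bits of the data-offset/flags field (RFC 793 layout).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def build_tcp_header(src_port, dst_port, flags, seq=0, ack=0, window=1024):
    """Build a minimal 20-byte TCP header (no options; checksum and urgent pointer left zero)."""
    offset_flags = (5 << 12) | (flags & 0x3F)  # data offset = 5 words, ECN bits ignored
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack, offset_flags, window, 0, 0)


def parse_tcp_header(raw):
    """Parse the fixed part of a TCP header into a dict of the fields the detector needs."""
    src, dst, seq, ack, offset_flags, window, cksum, urg = struct.unpack("!HHIIHHHH", raw[:20])
    return {"src_port": src, "dst_port": dst, "flags": offset_flags & 0x3F}


def is_bare_fin(flags):
    """True when FIN is the only flag set. Normal teardown carries FIN together with ACK."""
    return flags == FIN


def rfc793_response(port_open, flags, windows_like=False):
    """Model a listener receiving an unsolicited segment, as the article describes:
    closed port -> RST, open port -> silence. windows_like models stacks that send RST
    whatever the port state, which is why the scan gives no information against them."""
    if not is_bare_fin(flags):
        return None  # only the bare-FIN probe case is modelled here
    if windows_like or not port_open:
        return "RST"
    return None


def detect_fin_scan(packets, port_threshold=10, window_seconds=5.0):
    """packets: iterable of (timestamp, src_ip, dst_ip, raw_tcp_header), in time order.
    Raise one alert per (src, dst) pair when bare-FIN segments from src reach at least
    port_threshold distinct ports on dst within window_seconds (thresholds are assumptions)."""
    recent = defaultdict(list)  # (src_ip, dst_ip) -> [(timestamp, dst_port), ...]
    alerted = set()
    alerts = []
    for ts, src_ip, dst_ip, raw in packets:
        hdr = parse_tcp_header(raw)
        if not is_bare_fin(hdr["flags"]):
            continue  # FIN+ACK teardown and other traffic is not a probe
        key = (src_ip, dst_ip)
        recent[key].append((ts, hdr["dst_port"]))
        recent[key] = [(t, p) for t, p in recent[key] if ts - t <= window_seconds]
        ports = {p for _, p in recent[key]}
        if len(ports) >= port_threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"src": src_ip, "dst": dst_ip, "ports": len(ports),
                           "first_seen": recent[key][0][0]})
    return alerts


def sample_traffic():
    """Constructed traffic: one host probing 20 ports with bare FIN segments,
    interleaved with an ordinary FIN+ACK connection teardown from another host."""
    packets = []
    for i in range(20):
        packets.append((0.1 * i, "10.0.0.5", "192.168.1.1",
                        build_tcp_header(40000 + i, 1 + i, FIN)))
    packets.append((0.55, "10.0.0.7", "192.168.1.1",
                    build_tcp_header(51000, 443, FIN | ACK, seq=1000, ack=2000)))
    packets.sort(key=lambda p: p[0])
    return packets


def run_demo():
    """Run the detector over the constructed traffic and return its alerts."""
    return detect_fin_scan(sample_traffic())


if __name__ == "__main__":
    for alert in run_demo():
        print(f"possible FIN scan: {alert['src']} -> {alert['dst']} "
              f"({alert['ports']} ports, first seen t={alert['first_seen']})")
```

The detector keys on the combination that legitimate traffic rarely produces: a FIN with no ACK bit, fanned out across many ports from one source. A single bare FIN is not evidence of anything, which is why the alert requires a port count inside a time window. On the response side, the `windows_like` flag shows why the Limitations section matters to a defender as well: a stack that answers every probe with RST leaks nothing about port state, and a stateful firewall that drops segments belonging to no tracked connection has the same effect.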