The FIN, XMAS, and NULL scans operate on the principle that any TCP stack (that adheres to the RFC) should respond in a particular way if a surprise TCP packet that does not set the SYN, ACK, or RST control bits is received on a port. If the port is closed, then TCP responds with a RST/ACK, but if the port is open, TCP does not respond with any packet at all.
The following example shows a FIN scan of the iptablesfw system, and note at © that all ports are reported as open|filtered by Nmap. Because a surprise FIN packet is not part of any legitimate TCP connection, all of the FIN packets (even those to open ports) are matched against the INVALID state rule in the iptables policy and subsequently logged and dropped. (See the DROP INVALID log prefix at © and the FIN flag set at © below.)
Starting Nmap 4.01 ( http://www.insecure.org/nmap/ ) at 2007-07-03 00:33 EDT
All 1672 scanned ports on 71.157.X.X are: ©open|filtered
Nmap finished: 1 IP address (1 host up) scanned in 36.199 seconds
[iptablesfw]# grep FIN /var/log/messages | tail -n 1 Jul 3 00:34:17 iptablesfw kernel: ©DROP INVALID IN=eth0 OUT= MAC=00:13:d3:38:b6:e4:00:30:48:80:4e:37:08:00 SRC=144.202.X.X DST=71.157.X.X LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=50009 PROTO=TCP SPT=60097 DPT=1437 WINDOW=3072 RES=0x00 ©FIN URGP=0
Was this article helpful?