TCP FIN Scan

A TCP FIN scan is another technique used in network reconnaissance, similar to TCP SYN scans. It’s designed to determine which ports on a target system are open, closed, or filtered. However, instead of sending SYN packets like in SYN scans, TCP FIN scans send TCP packets with the FIN (finish) flag set.

Here’s how a TCP FIN scan works:

  1. Scanner sends a FIN packet: The scanning tool sends a TCP segment with only the FIN (finish) flag set to the target port, as if closing a connection that was never opened.
  2. Target response:
  • If the port is open: The target should silently discard the segment and send nothing back.
  • If the port is closed: The target should respond with an RST (reset) packet.
  • If the port is filtered: A firewall may drop the segment before it reaches the host, so again no response is seen.
  3. Interpreting responses:
  • If an RST packet is received: The port is closed.
  • If no response is received: The port is either open or filtered; the FIN scan alone cannot tell the two apart, so further analysis is needed to determine the state of the port.

TCP FIN scans exploit a peculiarity in TCP behavior: RFC 793, the TCP specification, says that a segment arriving at a port that is not open should be answered with an RST, while an open port silently ignores a stray FIN. Not all TCP implementations follow this strictly; some stacks answer every unexpected FIN with an RST whatever the port's state, so every port looks closed and the results of a TCP FIN scan can be ambiguous.

One of the advantages of TCP FIN scans is that they can slip past some stateful firewalls, because a lone FIN does not trigger the creation of a full TCP connection entry in the state table. They can still be detected by intrusion detection systems (IDS) or firewalls configured to monitor for such scanning activity, for instance FIN-only segments that belong to no established connection.
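The following Python block is an added example, not code from the original post or from any scanning tool: it shows the defender's side of the steps above (an IDS rule in miniature) together with the response interpretation from steps 2 and 3. It assumes packets arrive as simple dicts with `ts`, `src`, `dst`, `dport` and a `flags` set; the `SAMPLE_PACKETS` traffic, the `threshold` of five ports and the ten-second `window` are constructed values for the example. The key observation it encodes is that every legitimate segment after the three-way handshake carries ACK, so a FIN-only segment with no SYN ever seen for that client-to-server triple is an orphan probe, and many orphan probes from one source across many ports is a FIN scan.

```python
"""Flag TCP FIN-scan probes in a stream of packet records (added example).

Constructed example: the packet records below are hand-written dicts, not a
capture. A segment with only FIN set ("FIN-only") and no SYN ever seen for
that client->server (src, dst, dport) triple is an orphan FIN probe.
"""
from collections import defaultdict

# Constructed sample traffic; timestamps are seconds, addresses and ports are arbitrary.
SAMPLE_PACKETS = [
    # Normal connection 10.0.0.5:51000 -> 10.0.0.80:443 (handshake, data, close)
    {"ts": 1.0, "src": "10.0.0.5", "dst": "10.0.0.80", "dport": 443, "flags": {"SYN"}},
    {"ts": 1.1, "src": "10.0.0.80", "dst": "10.0.0.5", "dport": 51000, "flags": {"SYN", "ACK"}},
    {"ts": 1.2, "src": "10.0.0.5", "dst": "10.0.0.80", "dport": 443, "flags": {"ACK"}},
    {"ts": 2.0, "src": "10.0.0.5", "dst": "10.0.0.80", "dport": 443, "flags": {"PSH", "ACK"}},
    {"ts": 3.0, "src": "10.0.0.5", "dst": "10.0.0.80", "dport": 443, "flags": {"FIN", "ACK"}},
    {"ts": 3.1, "src": "10.0.0.80", "dst": "10.0.0.5", "dport": 51000, "flags": {"FIN", "ACK"}},
    # FIN scan from 10.0.0.99: FIN-only segments to six ports, no handshake.
    {"ts": 5.0, "src": "10.0.0.99", "dst": "10.0.0.80", "dport": 21, "flags": {"FIN"}},
    {"ts": 5.0, "src": "10.0.0.80", "dst": "10.0.0.99", "dport": 40000, "flags": {"RST", "ACK"}},  # 21 closed
    {"ts": 5.1, "src": "10.0.0.99", "dst": "10.0.0.80", "dport": 22, "flags": {"FIN"}},  # no reply
    {"ts": 5.2, "src": "10.0.0.99", "dst": "10.0.0.80", "dport": 23, "flags": {"FIN"}},
    {"ts": 5.2, "src": "10.0.0.80", "dst": "10.0.0.99", "dport": 40000, "flags": {"RST", "ACK"}},  # 23 closed
    {"ts": 5.3, "src": "10.0.0.99", "dst": "10.0.0.80", "dport": 25, "flags": {"FIN"}},
    {"ts": 5.3, "src": "10.0.0.80", "dst": "10.0.0.99", "dport": 40000, "flags": {"RST", "ACK"}},  # 25 closed
    {"ts": 5.4, "src": "10.0.0.99", "dst": "10.0.0.80", "dport": 80, "flags": {"FIN"}},
    {"ts": 5.5, "src": "10.0.0.99", "dst": "10.0.0.80", "dport": 443, "flags": {"FIN"}},
    # A single stray FIN-only segment from another host: stays below the threshold.
    {"ts": 9.0, "src": "10.0.0.7", "dst": "10.0.0.80", "dport": 8080, "flags": {"FIN"}},
]


def orphan_fin_probes(packets):
    """Return (ts, src, dst, dport) for FIN-only segments with no prior SYN."""
    syn_seen = set()
    probes = []
    for pkt in sorted(packets, key=lambda p: p["ts"]):
        key = (pkt["src"], pkt["dst"], pkt["dport"])
        flags = pkt["flags"]
        if "SYN" in flags and "ACK" not in flags:
            syn_seen.add(key)  # a client opened a connection to this port
        elif flags == {"FIN"} and key not in syn_seen:
            probes.append((pkt["ts"], pkt["src"], pkt["dst"], pkt["dport"]))
    return probes


def fin_scan_alerts(packets, threshold=5, window=10.0):
    """Map each source that hit >= threshold distinct (dst, port) targets with
    orphan FINs inside any `window` seconds to the sorted list of ports it probed."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in orphan_fin_probes(packets):
        by_src[src].append((ts, dst, dport))
    alerts = {}
    for src, probes in by_src.items():
        probes.sort()
        in_window = defaultdict(int)  # (dst, dport) -> hits inside the current window
        left = 0
        for ts, dst, dport in probes:
            in_window[(dst, dport)] += 1
            while ts - probes[left][0] > window:  # slide the window start forward
                old = probes[left][1:]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) >= threshold:
                alerts[src] = sorted({p[2] for p in probes})
                break
    return alerts


def interpret_responses(probed_ports, rst_ports):
    """Classify FIN-scan results as in steps 2 and 3: RST -> closed,
    silence -> open or filtered (indistinguishable from this probe alone)."""
    return {p: ("closed" if p in rst_ports else "open|filtered") for p in probed_ports}


if __name__ == "__main__":
    print("orphan FIN probes:", len(orphan_fin_probes(SAMPLE_PACKETS)))
    print("FIN-scan alerts:", fin_scan_alerts(SAMPLE_PACKETS))
    print(interpret_responses([21, 22, 23, 25, 80, 443], {21, 23, 25}))
```

The sliding window keeps a real IDS from alerting on a handful of stray FINs spread over hours, while the SYN check means a FIN/ACK that closes a genuine connection is never counted. On the sample traffic only 10.0.0.99 crosses the threshold, and the interpretation helper reports ports 21, 23 and 25 as closed and the silent ones as open or filtered, exactly the ambiguity the text describes.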
