FIN Scan (`-sF`) with Nmap

Learn how the FIN scan works, its advantages, limitations, and practical usage scenarios.

Introduction to FIN Scan

Network security assessments and penetration testing often rely on advanced scanning techniques to discover exposed ports and services on systems. One such method is the FIN scan (-sF), a stealthy approach used in Nmap (Network Mapper) to detect open ports on a target system without establishing a full TCP connection. This scan can be particularly useful for bypassing certain security mechanisms such as firewalls and intrusion detection systems (IDS).

In this article, we will explore how the FIN scan works, its advantages, limitations, and practical usage scenarios.

Understanding the FIN Scan Technique

TCP Flags and the FIN Scan

To understand FIN scanning, it’s essential to grasp TCP flags and their role in communication. The TCP protocol (Transmission Control Protocol) establishes connections between hosts using a three-way handshake:

  1. SYN (synchronize) - Initiates a connection.
  2. SYN-ACK (synchronize-acknowledge) - Acknowledges the connection.
  3. ACK (acknowledge) - Completes the handshake.

However, FIN scanning does not initiate a connection using SYN packets. Instead, it sends FIN (Finish) packets to a target port. The expected behavior based on RFC 793 (the TCP specification) is:

  • If the port is closed, the target should respond with a RST (reset) packet.
  • If the port is open, the target does not respond.

Since many systems adhere to this behavior, FIN scanning can be used to detect open ports without triggering connection-based logging mechanisms.

Why Use FIN Scan?

Advantages of FIN Scanning

  1. Stealthy Approach:

    • Since it does not establish a full TCP connection, it is less likely to be logged by security tools such as IDS and firewalls.
    • Many IDS solutions focus on SYN-based scanning, making FIN scans a good alternative for evasion.
  2. Bypasses Some Firewalls:

    • Firewalls configured to block SYN scans (-sS) may still allow FIN packets to pass through, enabling reconnaissance.
  3. Low Network Noise:

    • Unlike SYN or full TCP connect scans (-sT), FIN scans generate fewer packets, reducing the risk of detection.
  4. Effective Against Unfiltered Targets:

    • Works well against hosts that do not filter incoming FIN packets at the firewall level.

Limitations of FIN Scanning

  1. Ineffective Against Certain Systems:

    • Windows-based systems (pre-Windows 10) and some embedded devices do not conform to RFC 793 and respond with RST to all FIN packets, making the scan ineffective.
  2. Firewall and IDS Evasion Is Not Guaranteed:

    • Modern deep packet inspection (DPI) firewalls and intrusion detection systems (IDS/IPS) can detect FIN scanning attempts.
  3. May Be Blocked by Packet Filtering Firewalls:

    • If a stateful firewall is in place, it may block or drop unsolicited FIN packets, rendering the scan inconclusive.
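To make the probe/response logic and the limitations above concrete, here is a small Python model (added for this article, not Nmap code) of how a target answers a lone FIN probe and what a scanner can infer from that answer. The PortState values, the rfc793_compliant switch and the sample port map are constructed for illustration; the point it shows is that silence never proves a port is open, and that a stack which answers every FIN with RST makes every port look closed.

```python
"""Model of a FIN probe: what the target sends back and what the scanner concludes."""
from enum import Enum
from typing import Dict, Optional


class PortState(Enum):
    OPEN = "open"
    CLOSED = "closed"
    FILTERED = "filtered"   # a firewall drops the probe before it reaches the TCP stack


def target_reply(state: PortState, rfc793_compliant: bool = True) -> Optional[str]:
    """Packet the target returns for a bare FIN probe, or None for silence.

    RFC 793 stack: RST for a closed port, nothing for an open one.
    Non-compliant stack (the Windows behaviour described above): RST regardless of state.
    A filtered port never answers because the probe is dropped in transit.
    """
    if state is PortState.FILTERED:
        return None
    if state is PortState.CLOSED:
        return "RST"
    return None if rfc793_compliant else "RST"


def scanner_verdict(reply: Optional[str]) -> str:
    """What the scanner can honestly claim: RST means closed, silence is ambiguous."""
    return "closed" if reply == "RST" else "open|filtered"


def fin_scan(ports: Dict[int, PortState], rfc793_compliant: bool = True) -> Dict[int, str]:
    """Run the probe/verdict logic over a constructed map of port -> true state."""
    return {port: scanner_verdict(target_reply(state, rfc793_compliant))
            for port, state in ports.items()}


def truly_open_ports(ports: Dict[int, PortState]):
    """Ground truth, for comparing against the scanner's verdicts."""
    return sorted(p for p, s in ports.items() if s is PortState.OPEN)


if __name__ == "__main__":
    # constructed target: one closed, one open, one firewalled port
    target = {22: PortState.CLOSED, 80: PortState.OPEN, 443: PortState.FILTERED}
    print("truly open:         ", truly_open_ports(target))
    print("RFC 793 stack:      ", fin_scan(target))
    print("Windows-style stack:", fin_scan(target, rfc793_compliant=False))
```

Against the RFC 793 stack the open port and the firewalled port produce the same verdict, which is why Nmap reports open|filtered rather than open; against the non-compliant stack the open port is misreported as closed, which is the limitation from the list above.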

How to Perform a FIN Scan with Nmap

Basic FIN Scan Command

To execute a FIN scan using Nmap, use the following command:

nmap -sF <target>

Example:

nmap -sF 192.168.1.1

This command will send FIN packets to the target without completing the TCP handshake.

Scanning Multiple Targets

To scan a range of hosts, use:

nmap -sF 192.168.1.0/24

This will scan all devices on the 192.168.1.x subnet.

Specifying Ports

By default, Nmap scans the top 1000 ports. To specify custom ports:

nmap -sF -p 80,443,22 192.168.1.1

This scan targets ports 80 (HTTP), 443 (HTTPS), and 22 (SSH).

Combining with Other Options

For an aggressive scan with additional fingerprinting:

nmap -sF -A -p- 192.168.1.1

This scans all 65535 ports and enables OS detection and service version detection.

Saving Scan Results

To save the results to a file:

nmap -sF -oN fin_scan_results.txt 192.168.1.1

Or save in XML format:

nmap -sF -oX fin_scan_results.xml 192.168.1.1

Interpreting FIN Scan Results

After executing a FIN scan, you may see output like this:

PORT     STATE     SERVICE
22/tcp   closed    ssh
80/tcp   open      http
443/tcp  filtered  https

Understanding the States

  • Open: No response received, indicating an open port. Because a probe dropped by a firewall also produces no response, Nmap labels these ports open|filtered rather than open; confirm with a follow-up scan before treating the port as open.
  • Closed: A RST response was received, meaning the port is closed.
  • Filtered: No response, possibly blocked by a firewall (Nmap reports a plain filtered state when an ICMP unreachable error comes back instead of silence).
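The XML written by -oX is the easiest form to post-process. The Python below is an added example, not part of Nmap or of this article: SAMPLE_XML is a constructed document in the shape Nmap writes, trimmed to the elements the parser uses, and the reason strings in it (reset, no-response, admin-prohibited) are the ones Nmap emits for a RST reply, silence, and an ICMP administratively-prohibited error. The script lists each port's state and singles out the open|filtered results that need a follow-up scan before they can be called open.

```python
"""Parse Nmap -oX output from a FIN scan and separate conclusive from ambiguous ports."""
import xml.etree.ElementTree as ET
from collections import Counter
from typing import Dict, List

# Constructed sample in the layout Nmap writes with -oX (DOCTYPE and run metadata omitted).
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sF -oX fin_scan_results.xml 192.168.1.1">
  <host>
    <address addr="192.168.1.1" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="closed" reason="reset" reason_ttl="64"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open|filtered" reason="no-response" reason_ttl="0"/><service name="http"/></port>
      <port protocol="tcp" portid="443"><state state="filtered" reason="admin-prohibited" reason_ttl="64"/><service name="https"/></port>
    </ports>
  </host>
</nmaprun>
"""


def parse_fin_scan(xml_text: str) -> List[Dict]:
    """Return one record per scanned port: host, port, protocol, state, reason, service."""
    root = ET.fromstring(xml_text)
    records = []
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for port in host.iter("port"):
            state = port.find("state")
            svc = port.find("service")
            records.append({
                "host": addr,
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "state": state.get("state"),
                "reason": state.get("reason"),   # why Nmap chose that state
                "service": svc.get("name") if svc is not None else "",
            })
    return records


def summarize(records: List[Dict]) -> Counter:
    """Count ports per state, e.g. Counter({'closed': 1, 'open|filtered': 1, ...})."""
    return Counter(r["state"] for r in records)


def flag_ambiguous(records: List[Dict]) -> List[int]:
    """Ports where silence was the only evidence: not yet proven open, needs a follow-up."""
    return [r["port"] for r in records if r["state"] == "open|filtered"]


if __name__ == "__main__":
    results = parse_fin_scan(SAMPLE_XML)
    for r in results:
        print(f"{r['host']} {r['port']}/{r['proto']:<4} {r['state']:<14} {r['reason']:<17} {r['service']}")
    print("summary:", dict(summarize(results)))
    print("needs follow-up:", flag_ambiguous(results))
```

Reading the reason attribute alongside the state is the useful habit here: "reset" is positive evidence, "no-response" is absence of evidence, and the script treats the two differently.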

Detecting and Preventing FIN Scans

Detecting FIN Scans

System administrators can use intrusion detection systems (IDS) such as Snort or Suricata to detect FIN scans. A Snort rule might look like this (flags:F matches packets carrying the FIN flag alone, which is what separates a probe from the FIN+ACK of a normal connection close; the sid is a placeholder from the local-rule range, since Snort and Suricata reject rules without one):

alert tcp any any -> $HOME_NET any (flags:F; msg:"FIN scan detected"; sid:1000001; rev:1;)
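The rule above fires on every bare-FIN packet; what an analyst usually wants is the aggregation step, a burst of bare-FIN probes from one source against many ports of one host, while a genuine FIN+ACK close is left alone. The Python below is an added example (not Snort or Suricata code) that applies that logic to a constructed packet log. The log format (timestamp, source, destination, destination port, flag letters with F for FIN and A for ACK) is an assumption made for the example, and the window and threshold are tunables.

```python
"""Detect FIN-scan bursts in a packet log: many bare-FIN probes, one source, one target."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed log: ts src dst dport flags. 10.0.0.5 sweeps six ports in two seconds;
# 10.0.0.9 closes one connection normally (FIN+ACK) and must not be flagged.
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.5 192.168.1.1 22 F
2024-05-01T10:00:00 10.0.0.5 192.168.1.1 80 F
2024-05-01T10:00:01 10.0.0.5 192.168.1.1 443 F
2024-05-01T10:00:01 10.0.0.5 192.168.1.1 8080 F
2024-05-01T10:00:02 10.0.0.5 192.168.1.1 25 F
2024-05-01T10:00:02 10.0.0.5 192.168.1.1 3306 F
2024-05-01T10:00:03 10.0.0.9 192.168.1.1 443 FA
2024-05-01T10:00:04 10.0.0.9 192.168.1.1 443 FA
2024-05-01T10:05:00 10.0.0.5 192.168.1.1 53 F
"""

Event = Tuple[datetime, str, str, int, str]


def parse_log(text: str) -> List[Event]:
    """Turn the constructed log lines into (timestamp, src, dst, dport, flags) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, flags = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(dport), flags))
    return events


def is_bare_fin(flags: str) -> bool:
    """A probe carries FIN without ACK; a normal close carries FIN+ACK."""
    return "F" in flags and "A" not in flags


def detect_fin_scans(events: List[Event], window: timedelta = timedelta(seconds=30),
                     threshold: int = 5) -> List[Dict]:
    """Alert when one source sends bare-FIN probes to >= threshold distinct ports of one
    destination inside a sliding time window. One alert per (src, dst) pair."""
    probes: Dict[Tuple[str, str], List[Tuple[datetime, int]]] = defaultdict(list)
    for ts, src, dst, dport, flags in events:
        if is_bare_fin(flags):
            probes[(src, dst)].append((ts, dport))

    alerts = []
    for (src, dst), hits in probes.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:   # slide the window forward
                start += 1
            ports = {p for _, p in hits[start:end + 1]}
            if len(ports) >= threshold:
                alerts.append({"src": src, "dst": dst, "ports": sorted(ports),
                               "first_seen": hits[start][0].isoformat()})
                break   # one alert per pair is enough; keep the rest as context
    return alerts


if __name__ == "__main__":
    for alert in detect_fin_scans(parse_log(SAMPLE_LOG)):
        print(f"FIN scan: {alert['src']} -> {alert['dst']} ports {alert['ports']} "
              f"from {alert['first_seen']}")
```

The ACK check is what keeps the false-positive rate down: every ordinary TCP teardown on the network produces FIN packets, but they carry ACK, so only the probe traffic counts toward the threshold. The late probe at 10:05 falls outside the window and would need its own burst to alert again.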

Preventing FIN Scans

  1. Configure Firewalls Properly:

    • Deny inbound FIN packets from untrusted sources.
    • Use stateful filtering to track legitimate connections.
  2. Use an Intrusion Prevention System (IPS):

    • Tools like Suricata can block scanning attempts dynamically.
  3. Harden Operating Systems:

    • Configure TCP/IP stack behavior to respond with RST to all unsolicited FIN packets.

Conclusion

Nmap’s FIN scan (-sF) is a powerful and stealthy technique for network reconnaissance, allowing penetration testers to probe open ports without triggering many common security defenses. However, its effectiveness depends on the target’s operating system and firewall configuration.

While useful for security testing, administrators should be aware of FIN scans and implement appropriate defenses to protect their systems from unauthorized probing. By combining firewalls, intrusion detection, and proper TCP/IP hardening, organizations can mitigate the risks associated with this type of scan.

Understanding how FIN scans work and how to detect them is essential for both ethical hackers and cybersecurity professionals looking to defend their networks effectively.