Firewall Wizards mailing list archives

Re: FIN scanning


From: "Michael B. Rash" <mbr () math umd edu>
Date: Thu, 18 Nov 1999 10:13:44 -0500 (EST)


On Wed, 17 Nov 1999, Robert Graham wrote:

:  * TCP seqno prediction. Let's assume your FIN scan reveals that an rlogin
:  service is running but firewalled and that TCP sequence numbers are predictable
:  (nmap OS fingerprint). You can then possibly spoof connections from trusted
:  machines in order to log in.
:  
:  * FTP bounce. Read up on nmap's FTP bounce scans for more on this technique.
:  
:  * DoS. You can spoof your own RST and FIN packets to disrupt legitimate
:  communications. For example, let's assume a TCP connection between a host on
:  the DMZ and some internal logging service. You can then attack the host and
:  prevent logging from working right that might alert people to your attack.


These examples were exactly what I was looking for.  Thanks to all who
responded.

--Mike                        | "...Audiences know what to expect and that
http://www.math.umd.edu/~mbr  | is all they are prepared to believe in..."


