Every morning begins the same way: I come into the office, boot up my laptop, get my coffee and then start on my daily responsibilities.

As I’m sitting at my desk replying to various e-mails and such, Milton decides to talk to himself.

Now when I say that he’s talking to himself, I really mean that he’s talking to everyone in a 10-foot radius, but he’s the only one who understands what he’s talking about.

Here’s a sample of how it goes:

Milton: “There are two girls on the page now…”
Me: “I’m sorry, what?”
Milton: “Who is the new girl on the website?”
Me: “What are you talking about? What girls, what website?”
Milton: “For our blogs…”
Me: “mhrmmmm.” (This is me trying to terminate the conversation)

I’m going to stop there…

That is a common morning conversation scenario with my buddy Milton. If you are confused about this conversation, you are not alone. With Milton starting conversations like we’ve been talking for an hour, he always manages to get a reply out of me, even if it is one of confusion.

I use Milton as an example of how a FIN port scan works.

First, think of Milton as a port scan designed for Linux boxes. Milton sends the port a TCP packet with only the FIN flag set, to trick the port into thinking that Milton has been speaking to it all along. After all, the FIN flag is the flag used to FINISH a conversation.

If the port that Milton is talking to is closed, the port replies to Milton with a RST flag. That’s like me saying “mhmmm” just to end the conversation.

However, if the port is open, the packet is quietly discarded: there is no established conversation for that FIN to finish, so the port says nothing. But this is exactly what Milton is looking for. If he doesn’t get that RST flag, he knows there is a service listening on that port.

Now that he’s found an open port, he can say what he wants and your server will listen.
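From the defender’s side, the tell is the probe itself, not the reply: a bare FIN (no ACK) aimed at a port the sender never opened with a SYN is something no normal client sends, and one source doing it to many ports is a FIN scan. The following Python detector is an added example, not code from the original post or from Plixer; it runs over a constructed list of TCP segments (the `Segment` class, the addresses and the `min_ports` threshold are all assumptions for the example) and reports source/destination pairs that sent such orphan FINs to ten or more distinct ports.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

# TCP flag bits, as found in the TCP header and in NetFlow/IPFIX tcpControlBits
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


@dataclass(frozen=True)
class Segment:
    """One observed TCP segment (or one single-packet flow record). Assumed shape."""
    src: str
    dst: str
    dport: int
    flags: int


def is_orphan_fin(seg: Segment, seen_syn: Set[Tuple[str, str, int]]) -> bool:
    """True when the segment carries *only* FIN (no ACK, no SYN) and the sender
    never opened this (src, dst, dport) with a SYN. A normal close is FIN|ACK on
    a connection that began with a SYN; a bare FIN to a port the sender never
    connected to is exactly what the post's "Milton" sends."""
    return seg.flags == FIN and (seg.src, seg.dst, seg.dport) not in seen_syn


def find_fin_scanners(segments: Iterable[Segment],
                      min_ports: int = 10) -> Dict[Tuple[str, str], List[int]]:
    """Group orphan FINs by (src, dst) and report pairs that hit >= min_ports
    distinct destination ports. Closed ports answer RST and open ports stay
    silent, so the probes, not the replies, are the reliable signal."""
    seen_syn: Set[Tuple[str, str, int]] = set()
    orphan_ports: Dict[Tuple[str, str], Set[int]] = defaultdict(set)
    for seg in segments:
        if seg.flags & SYN:
            seen_syn.add((seg.src, seg.dst, seg.dport))
        elif is_orphan_fin(seg, seen_syn):
            orphan_ports[(seg.src, seg.dst)].add(seg.dport)
    return {pair: sorted(ports) for pair, ports in orphan_ports.items()
            if len(ports) >= min_ports}


def build_sample() -> List[Segment]:
    """Constructed sample traffic (not a real capture); addresses are from the
    documentation ranges."""
    server = "10.0.0.5"
    normal = "192.0.2.10"
    scanner = "198.51.100.7"
    segs = [
        # A legitimate HTTPS session: handshake, data, then an orderly FIN|ACK close.
        Segment(normal, server, 443, SYN),
        Segment(normal, server, 443, ACK),
        Segment(normal, server, 443, PSH | ACK),
        Segment(normal, server, 443, FIN | ACK),
        # A FIN|ACK whose SYN predates the capture window: still not a bare FIN.
        Segment("192.0.2.11", server, 22, FIN | ACK),
    ]
    # A FIN scan of ports 20..40: bare FIN, no handshake, on every one of them.
    segs += [Segment(scanner, server, p, FIN) for p in range(20, 41)]
    # The server's RST replies for the closed ports (the post's "mhmmm"); ports 21
    # and 22 are "open" in this sample and therefore answer nothing. The reply's
    # dport is the scanner's ephemeral port, constructed here as 40000 + p.
    segs += [Segment(server, scanner, 40000 + p, RST | ACK)
             for p in range(20, 41) if p not in (21, 22)]
    return segs


if __name__ == "__main__":
    for (src, dst), ports in find_fin_scanners(build_sample()).items():
        print(f"{src} -> {dst}: bare FIN to {len(ports)} ports ({ports[0]}..{ports[-1]})")
```

On the sample traffic only the scanner is reported (21 ports, 20 through 40); the normal client’s FIN|ACK and the stray FIN|ACK with no SYN in the window are ignored because they carry ACK. Keying on the probes rather than on silence matters: a port that a firewall filters is just as quiet as an open one, so the absence of a RST alone cannot tell the two apart.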

Now that you understand how the FIN port scan works, does anyone have an aspirin?

Ryan Slosser

My name is Ryan. I work in development here at Plixer. I mostly deal with hardware deployment. I enjoy kayaking and fishing during the summer and skiing in the winter. People can count on me and I always give 100% unless I'm donating blood.


2 comments on “What is a FIN port scan and how does it work?”

  1. Nate,

    Once again, excellent post and explanation.

    Thanks, *hands over the Aleve (better on the gut)


  2. I have enabled netflow between two 6509 switches, but a very nasty surprise was waiting for me…
    the interfaces went down right after and I had to console to them to get the config off the interfaces…
    not sure what has happened there.
