Conduct TCP FIN Scanning in Nmap

Introduction

In this lab, you will learn to conduct TCP FIN scanning using Nmap. You'll start by performing a basic FIN scan on a target IP, then scan specific ports, add verbosity to the scan, and save the results. Additionally, you'll compare FIN scans with TCP scans and analyze open ports in the Xfce terminal. A FIN scan sends a FIN packet to the target host, which can help bypass certain firewalls or intrusion detection systems.

Skills Graph

%%%%{init: {'theme':'neutral'}}%%%% flowchart RL nmap(("Nmap")) -.-> nmap/NmapGroup(["Nmap"]) nmap/NmapGroup -.-> nmap/output_formats("Output Formats") nmap/NmapGroup -.-> nmap/save_output("Save Output to File") nmap/NmapGroup -.-> nmap/port_scanning("Port Scanning Methods") nmap/NmapGroup -.-> nmap/scan_types("Scan Types and Techniques") nmap/NmapGroup -.-> nmap/target_specification("Target Specification") nmap/NmapGroup -.-> nmap/verbosity("Verbosity Levels") nmap/NmapGroup -.-> nmap/service_detection("Service Detection") nmap/NmapGroup -.-> nmap/firewall_evasion("Firewall Evasion Techniques") nmap/NmapGroup -.-> nmap/stealth_scanning("Stealth and Covert Scanning") subgraph Lab Skills nmap/output_formats -.-> lab-547093{{"Conduct TCP FIN Scanning in Nmap"}} nmap/save_output -.-> lab-547093{{"Conduct TCP FIN Scanning in Nmap"}} nmap/port_scanning -.-> lab-547093{{"Conduct TCP FIN Scanning in Nmap"}} nmap/scan_types -.-> lab-547093{{"Conduct TCP FIN Scanning in Nmap"}} nmap/target_specification -.-> lab-547093{{"Conduct TCP FIN Scanning in Nmap"}} nmap/verbosity -.-> lab-547093{{"Conduct TCP FIN Scanning in Nmap"}} nmap/service_detection -.-> lab-547093{{"Conduct TCP FIN Scanning in Nmap"}} nmap/firewall_evasion -.-> lab-547093{{"Conduct TCP FIN Scanning in Nmap"}} nmap/stealth_scanning -.-> lab-547093{{"Conduct TCP FIN Scanning in Nmap"}} end

Run FIN scan with nmap -sF 192.168.1.1

In this step, you will learn how to perform a FIN scan using Nmap. A FIN scan is a type of TCP scan that sends a FIN (finish) packet to the target host. Unlike a SYN scan, which attempts to establish a connection, a FIN scan simply sends a FIN packet and observes the response. This can be useful for bypassing certain firewalls or intrusion detection systems.

Before we begin, let's clarify what a FIN packet is. In TCP communication, the FIN flag signals the end of a connection. When a host sends a FIN packet, it's essentially saying, "I'm done sending data."

Now, let's perform the FIN scan. Open your Xfce terminal.

Execute the following command:

sudo nmap -sF 192.168.1.1

-sF: This option tells Nmap to perform a FIN scan.
192.168.1.1: This is the target IP address. Replace this with the actual IP address of the machine you want to scan if it's different.

You might need to adjust the IP address 192.168.1.1 to match the IP address of a target machine accessible from your LabEx VM. If you don't have a specific target in mind, you can use the IP address of your gateway or another device on your local network. If you are unsure, you can try scanning your own machine using 127.0.0.1 (localhost).

The output will show the status of each port on the target machine. Open ports will typically not respond to a FIN packet, while closed ports will respond with an RST (reset) packet. Filtered ports may not respond at all, making it difficult to determine their status.

Example output (the actual output will vary depending on the target):

Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:00 UTC
Nmap scan report for 192.168.1.1
Host is up (0.00043s latency).
Not shown: 999 closed ports
PORT    STATE    SERVICE
22/tcp  filtered ssh

Nmap done: 1 IP address (1 host up) scanned in 2.18 seconds

In this example, port 22 (SSH) is shown as filtered. This means that Nmap was unable to determine whether the port is open or closed due to firewall rules or other network conditions. The "Not shown: 999 closed ports" line indicates that Nmap did not display the 999 closed ports to keep the output concise.

Scan specific ports with nmap -sF -p 22,80 127.0.0.1

In the previous step, you learned how to perform a basic FIN scan. Now, you'll learn how to target specific ports during a FIN scan. This is useful when you want to focus your scan on services that are likely to be running on particular ports, such as SSH (port 22) and HTTP (port 80).

Specifying ports can significantly reduce the scan time and make the results more relevant. Instead of scanning all 65535 ports, you can concentrate on the ports that are most likely to be of interest.

Open your Xfce terminal.

Execute the following command:

sudo nmap -sF -p 22,80 127.0.0.1

-sF: This option tells Nmap to perform a FIN scan.
-p 22,80: This option specifies that you want to scan ports 22 and 80. You can specify a single port, a range of ports (e.g., 1-100), or a comma-separated list of ports.
127.0.0.1: This is the target IP address, which in this case is your own machine (localhost).

The output will show the status of ports 22 and 80 on your machine.

Example output:

Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:05 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000027s latency).

PORT   STATE    SERVICE
22/tcp filtered ssh
80/tcp filtered http

Nmap done: 1 IP address (1 host up) scanned in 0.12 seconds

In this example, both ports 22 and 80 are shown as filtered. This means that Nmap could not determine whether these ports are open or closed. This is a common result with FIN scans, especially when firewalls are in place.

Add verbosity with nmap -v -sF 192.168.1.1

In this step, you will learn how to increase the verbosity of your Nmap FIN scan. Verbosity provides more detailed information about the scan process, which can be helpful for troubleshooting or understanding the results.

The -v option in Nmap increases the verbosity level. You can use it multiple times (e.g., -vv) for even more detailed output.

Open your Xfce terminal.

Execute the following command:

sudo nmap -v -sF 192.168.1.1

-v: This option increases the verbosity level.
-sF: This option tells Nmap to perform a FIN scan.
192.168.1.1: This is the target IP address. Remember to replace this with a valid IP address if needed.

The output will now include more information about the scan, such as the packets being sent and received, the reasons for certain decisions, and the overall progress.

Example output (the actual output will vary depending on the target and network conditions):

Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:10 UTC
NSE: Loaded 0 scripts for scanning.
Initiating Ping Scan at 10:10
Scanning 192.168.1.1 [2 ports]
Completed Ping Scan at 10:10, 0.00s elapsed (1 total hosts)
Initiating FIN Scan at 10:10
Scanning 192.168.1.1 [1000 ports]
Completed FIN Scan at 10:10, 2.12s elapsed (1000 total ports)
Nmap scan report for 192.168.1.1
Host is up (0.00038s latency).
Not shown: 999 closed ports
PORT    STATE    SERVICE
22/tcp  filtered ssh

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 2.18 seconds
Raw packets sent: 1001 (44.044KB) | Rcvd: 1 (44B)

Notice the additional information provided, such as the NSE script loading, the initiation and completion times of the ping and FIN scans, and the number of packets sent and received. This level of detail can be invaluable when troubleshooting network issues or analyzing scan results.

Save FIN scan results with nmap -sF -oN fin.txt 127.0.0.1

In this step, you will learn how to save the results of your Nmap FIN scan to a file. This is useful for later analysis, reporting, or comparison with other scans.

Nmap provides several options for saving scan results in different formats. The -oN option saves the results in a "normal" human-readable format.

Open your Xfce terminal.

Execute the following command:

sudo nmap -sF -oN fin.txt 127.0.0.1

-sF: This option tells Nmap to perform a FIN scan.
-oN fin.txt: This option specifies that you want to save the results in normal format to a file named fin.txt. The file will be saved in your current directory (~/project).
127.0.0.1: This is the target IP address, which in this case is your own machine (localhost).

After the scan completes, you can view the saved results by opening the fin.txt file with a text editor like nano.

nano fin.txt

The file will contain the same information that was displayed on the screen during the scan, but in a structured format.

Example content of fin.txt:

## Nmap 7.80 scan initiated Tue Oct 27 10:15:00 2023
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000027s latency).
Not shown: 999 closed ports
PORT    STATE    SERVICE
22/tcp  filtered ssh

## Nmap done at Tue Oct 27 10:15:02 2023 -- 1 IP address (1 host up) scanned in 1.89 seconds

You can now use this file for further analysis or reporting.

Compare FIN scan with TCP scan in Xfce terminal

In this step, you will compare the results of a FIN scan with a TCP connect scan. This comparison will highlight the differences in how these scans identify open ports and how firewalls might treat them differently.

A TCP connect scan (-sT) establishes a full TCP connection with the target, making it more reliable but also more easily detectable. A FIN scan (-sF), on the other hand, sends a FIN packet, which is less likely to be logged by firewalls but may not always provide accurate results.

Open your Xfce terminal.

First, perform a TCP connect scan on localhost (127.0.0.1):

sudo nmap -sT 127.0.0.1

This command will attempt to establish a full TCP connection with each port on your local machine.

Next, perform a FIN scan on the same target:

sudo nmap -sF 127.0.0.1

Now, compare the results of the two scans. You may notice that the TCP connect scan identifies more open ports than the FIN scan. This is because some firewalls or systems may block or ignore FIN packets, leading to inaccurate results.

Example output of TCP connect scan:

Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:20 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000026s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
631/tcp  open  ipp
3306/tcp open  mysql

Nmap done: 1 IP address (1 host up) scanned in 0.12 seconds

Example output of FIN scan:

Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:21 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000026s latency).
Not shown: 999 closed ports
PORT    STATE    SERVICE
22/tcp  filtered ssh

Nmap done: 1 IP address (1 host up) scanned in 1.89 seconds

In this example, the TCP connect scan shows ports 22, 631, and 3306 as open, while the FIN scan only shows port 22 as filtered. This demonstrates how different scan types can produce different results, and why it's important to use a variety of techniques when performing network reconnaissance. The filtered state means that a firewall, filter, or other network obstacle is blocking the port, preventing Nmap from determining whether it is open or closed.

Analyze open ports in Xfce terminal

In this step, you will analyze the open ports identified in the previous scans to understand the services running on the target system. This involves interpreting the Nmap output and researching the purpose of each open port.

Open your Xfce terminal.

Let's assume you have performed a TCP connect scan (sudo nmap -sT 127.0.0.1) in the previous step and obtained the following output:

Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:20 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000026s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
631/tcp  open  ipp
3306/tcp open  mysql

Nmap done: 1 IP address (1 host up) scanned in 0.12 seconds

This output indicates that ports 22, 631, and 3306 are open on your local machine. Now, let's analyze each of these ports:

Port 22 (ssh): This port is typically used for SSH (Secure Shell), a secure protocol for remote login and command execution. If this port is open, it means that an SSH server is running on your machine, allowing you to connect to it remotely.
Port 631 (ipp): This port is used for IPP (Internet Printing Protocol), a protocol for printing over a network. If this port is open, it means that a printing service is running on your machine, allowing you to print documents remotely.
Port 3306 (mysql): This port is the default port for MySQL, a popular open-source relational database management system. If this port is open, it means that a MySQL server is running on your machine, allowing you to access and manage databases.

To further investigate these services, you can use other tools like netstat or ss to check which processes are listening on these ports. For example, to check the process listening on port 22, you can use the following command:

sudo netstat -tulnp | grep :22

This command will display the process ID (PID) and the name of the process listening on port 22.

Example output:

tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1234/sshd

This output indicates that the sshd process (SSH daemon) is listening on port 22.

By analyzing the open ports and the services running on them, you can gain valuable insights into the security posture of the target system and identify potential vulnerabilities.

Summary

In this lab, you learned to conduct TCP FIN scanning using Nmap. You started by performing a basic FIN scan with the command nmap -sF followed by a target IP. You also learned to scan specific ports, add verbosity to the scan, and save the results to a file. Additionally, you compared the FIN scan with a TCP scan and analyzed open ports in the Xfce terminal. A FIN scan sends a FIN packet to the target host, which can help bypass certain firewalls or intrusion - detection systems.