CAPEC

Common Attack Pattern Enumeration and Classification

A Community Resource for Identifying and Understanding Attacks

New to CAPEC? Start Here
Home > CAPEC List > CAPEC-302: TCP FIN Scan (Version 3.9)  

CAPEC-302: TCP FIN Scan

Attack Pattern ID: 302
Abstraction: Detailed
View customized information:
+ Description
An adversary uses a TCP FIN scan to determine if ports are closed on the target machine. This scan type is accomplished by sending TCP segments with the FIN bit set in the packet header. The RFC 793 expected behavior is that any TCP segment with an out-of-state Flag sent to an open port is discarded, whereas segments with out-of-state flags sent to closed ports should be handled with a RST in response. This behavior should allow the adversary to scan for closed ports by sending certain types of rule-breaking packets (out of sync or disallowed by the TCB) and detect closed ports via RST packets.
+ Extended Description

In addition to its relative speed in comparison with other types of scans, the major advantage a TCP FIN Scan is its ability to scan through stateless firewall or ACL filters. Such filters are configured to block access to ports usually by preventing SYN packets, thus stopping any attempt to 'build' a connection. FIN packets, like out-of-state ACK packets, tend to pass through such devices undetected. FIN scanning is still relatively stealthy as the packets tend to blend in with the background noise on a network link.

+ Typical Severity

Low

+ Relationships
Section HelpThis table shows the other attack patterns and high level categories that are related to this attack pattern. These relationships are defined as ChildOf and ParentOf, and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack patterns that the user may want to explore.
NatureTypeIDName
ChildOfStandard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.300Port Scanning
Section HelpThis table shows the views that this attack pattern belongs to and top level categories within that view.
+ Execution Flow
Experiment
  1. An adversary sends TCP packets with the FIN flag but not associated with an existing connection to target ports.
  2. An adversary uses the response from the target to determine the port's state. If no response is received the port is open. If a RST packet is received then the port is closed.
+ Prerequisites
FIN scanning requires the use of raw sockets, and thus cannot be performed from some Windows systems (Windows XP SP 2, for example). On Unix and Linux, raw socket manipulations require root privileges.
+ Resources Required
This attack pattern requires the ability to send TCP FIN segments to a host during network reconnaissance. This can be achieved via the use of a network mapper or scanner, or via raw socket programming in a scripting language. Packet injection tools are also useful for this purpose. Depending upon the method used it may be necessary to sniff the network in order to see the response.
+ Consequences
Section HelpThis table specifies different individual consequences associated with the attack pattern. The Scope identifies the security property that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in their attack. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a pattern will be used to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.
ScopeImpactLikelihood
Confidentiality
Other
Confidentiality
Access Control
Authorization
Bypass Protection Mechanism
Hide Activities
+ Mitigations
FIN scans are detected via heuristic (non-signature) based algorithms, much in the same way as other scan types are detected. An IDS/IPS system with heuristic algorithms is required to detect them.
+ Notes

Other

Many operating systems, however, do not implement RFC 793 exactly and for this reason FIN scans do not work as expected against these devices. Some operating systems, like Microsoft Windows, send a RST packet in response to any out-of-sync (or malformed) TCP segments received by a listening socket (rather than dropping the packet via RFC 793), thus preventing an attacker from distinguishing between open and closed ports. FIN scans are limited by the range of platforms against which they work. Additionally, because open ports are inferred via no responses being generated, one cannot distinguish an open port from a filtered port without further analysis. For instance, FIN scanning a system protected by a stateful firewall may indicate all ports being open. For these reasons, FIN scanning results must always be interpreted as part of a larger scanning strategy.
+ Taxonomy Mappings
Section HelpCAPEC mappings to ATT&CK techniques leverage an inheritance model to streamline and minimize direct CAPEC/ATT&CK mappings. Inheritance of a mapping is indicated by text stating that the parent CAPEC has relevant ATT&CK mappings. Note that the ATT&CK Enterprise Framework does not use an inheritance model as part of the mapping to CAPEC.
Relevant to the ATT&CK taxonomy mapping (see parent )
+ References
[REF-33] Stuart McClure, Joel Scambray and George Kurtz. "Hacking Exposed: Network Security Secrets & Solutions". Chapter 2: Scanning, pg. 55. 6th Edition. McGraw Hill. 2009.
[REF-128] Defense Advanced Research Projects Agency Information Processing Techniques Office and Information Sciences Institute University of Southern California. "RFC793 - Transmission Control Protocol". Defense Advanced Research Projects Agency (DARPA). 1981-09. <http://www.faqs.org/rfcs/rfc793.html>.
[REF-147] Gordon "Fyodor" Lyon. "Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning". Section 5.5 TCP FIN, NULL, XMAS Scans, pg. 107. 3rd "Zero Day" Edition. Insecure.com LLC, ISBN: 978-0-9799587-1-7. 2008.
[REF-130] Gordon "Fyodor" Lyon. "The Art of Port Scanning". Volume: 7, Issue. 51. Phrack Magazine. 1997. <http://phrack.org/issues/51/11.html>.
+ Content History
Submissions
Submission DateSubmitterOrganization
2014-06-23
(Version 2.6)
CAPEC Content TeamThe MITRE Corporation
Modifications
Modification DateModifierOrganization
2018-07-31
(Version 2.12)
CAPEC Content TeamThe MITRE Corporation
Updated Description, Description Summary, References, Related_Weaknesses, Resources_Required
2020-12-17
(Version 3.4)
CAPEC Content TeamThe MITRE Corporation
Updated Description, Execution_Flow, Mitigations, Notes
2022-02-22
(Version 3.7)
CAPEC Content TeamThe MITRE Corporation
Updated Description, Extended_Description
Previous Entry Names
Change DatePrevious Entry Name
2018-07-31
(Version 2.12)
TCP FIN scan
More information is available — Please select a different filter.
Page Last Updated or Reviewed: July 31, 2018