Nmap Announce mailing list archives
ACKFIN
From: Francesco Trentini <cesko () spm it>
Date: Thu, 10 Feb 2000 17:05:29 +0100
I don't remember if I've already sent this message to Fyodor, however I post it here: I was recently FIN scanning a host and I got ports 1-65535 open; surely it is behind a router which drops packets as its filtering policy, making a "negative" based scan inapplicable, so there is no way to know if the port is open or filtered out. A half-open scan would be easier to detect (tcplogd installed on that machine logs it), and assume that I want to keep a stealthy mode. So one can join a "positive" technique with a "negative" one --> ACK technique with a FIN scan technique (a general batch would be for a host behind a "drop" router):

1. Send an ACK packet to the port (like TCP ping). If we catch a return RST packet, the port is not filtered out.
2. FIN scan the ports that are not filtered out to know if open/closed (if the target is not Windows, of course).

The two processes don't open or half-open connections, so they have an added degree of cover. Of course it's easy to implement as a script, but a built-in nmap feature would be cool (sure it needs a new super_scan or a two-pass superscan called in recursive mode). An automated ACK scan is also good to remotely guess ACLs.

cesko () spm it
Francesco Trentini
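The post notes that tcplogd on the target only logs half-open (SYN) connections, which is exactly why bare ACK and bare FIN probes slip past it. The following is an added example, not code from the original post or from nmap: a small host-side detector that replays constructed TCP segment log lines, remembers which 4-tuples actually began with a SYN, and flags any source that sends ACK-only or FIN-only segments to flows that never had one. The log format, addresses, ports and the threshold of three are all assumptions made for this example.

```python
"""Detect ACK-only / FIN-only probes that bypass SYN-based connection loggers.

Added example (not part of the original post). A segment with only ACK or
only FIN set, on a 4-tuple for which no SYN was ever seen, is a stateless
probe: a normal client always starts a flow with SYN, and a normal close
carries FIN together with ACK. The log format below is constructed.
"""
from collections import defaultdict

# Constructed sample log: "<src_ip>:<sport> -> <dst_ip>:<dport> flags=<F>"
# 10.0.0.5 is a legitimate SSH session (SYN, data ACK, FIN+ACK close).
# 198.51.100.7 sends ACK probes to three ports, then FIN probes to two of them.
SAMPLE_LOG = """\
10.0.0.5:40001 -> 192.0.2.10:22 flags=S
10.0.0.5:40001 -> 192.0.2.10:22 flags=A
10.0.0.5:40001 -> 192.0.2.10:22 flags=FA
198.51.100.7:55000 -> 192.0.2.10:80 flags=A
198.51.100.7:55001 -> 192.0.2.10:443 flags=A
198.51.100.7:55002 -> 192.0.2.10:8080 flags=A
198.51.100.7:55003 -> 192.0.2.10:80 flags=F
198.51.100.7:55004 -> 192.0.2.10:443 flags=F
"""


def parse_line(line):
    """Parse one constructed log line into (src_ip, sport, dst_ip, dport, flags)."""
    src, _arrow, dst, flags = line.split()
    src_ip, sport = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return src_ip, int(sport), dst_ip, int(dport), flags.split("=", 1)[1]


def find_stateless_probes(log_text, threshold=3):
    """Return {src_ip: sorted [(dport, flags), ...]} for sources that sent
    at least `threshold` ACK-only or FIN-only segments on flows with no SYN.

    The threshold (assumed here) avoids alerting on a single stray segment,
    such as a late ACK from a connection the logger missed.
    """
    seen_syn = set()              # 4-tuples that started with a SYN
    probes = defaultdict(set)     # src_ip -> {(dport, flags)} without handshake
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src_ip, sport, dst_ip, dport, flags = parse_line(line)
        flow = (src_ip, sport, dst_ip, dport)
        if "S" in flags:
            seen_syn.add(flow)    # real connection attempt; a SYN logger sees this
            continue
        # Bare ACK (ACK scan / TCP ping) or bare FIN (FIN scan) on an unknown flow.
        if flags in ("A", "F") and flow not in seen_syn:
            probes[src_ip].add((dport, flags))
    return {ip: sorted(p) for ip, p in probes.items() if len(p) >= threshold}


if __name__ == "__main__":
    for src, hits in find_stateless_probes(SAMPLE_LOG).items():
        print(f"{src}: {len(hits)} stateless probes -> {hits}")
```

Run against the sample, the legitimate session from 10.0.0.5 is ignored because its 4-tuple began with a SYN, while 198.51.100.7 is reported with five probes (three ACK-only, two FIN-only). A FIN+ACK close is deliberately not counted, since that is how every ordinary connection ends.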
