If you look at an nmap FIN scan, you'll see that the FIN to a listening port does not get a response. A FIN to a closed port gets a RST right back. So the FIN scan to a listening port has a timeout; if no RST is sent back in a defined period of time, then the port is listed as open.
Pretty sure this is the case. Anyone?

-scm

On Thu, 17 Jan 2002, roland kwitt wrote:

> hi folks,
>
> as some of you might know, i am developing a network analysis tool
> that should also have some portscanning features. i've already
> implemented an ordinary connect scan and a syn stealth scan.
> i know that the idea behind a fin stealth scan is to send a packet
> with just the fin flag set and look what is coming back. as
> stated in the tcp rfc this should be a reset (rst) if the port is
> closed. my problem is now that if i want to scan, the scanner stops
> (it does not really stop, but because i capture the packets through an
> endless loop without having a timeout mechanism installed you can imagine
> what happens!) if it comes to scan the ssh port. why that? if some of
> you have some good sources please let me know.
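The behaviour described in this exchange, as an added example that is not code from either poster or from nmap: a small model of how a host with no matching connection answers an unsolicited segment (RST from a closed port, silence from a listening one, per RFC 793), the timeout-based classification a FIN scanner therefore has to use, and a defender-side heuristic that flags FIN-only probes. The packet records, host names and addresses are constructed for the example; the model assumes no firewall in the path, since a filtered port produces the same silence as a listening one (which is why nmap reports the no-reply case as open|filtered rather than plain open).

```python
# Added example (not code from the thread): a model of why a FIN scan
# needs a timeout, plus a defender-side heuristic that spots FIN-only probes.
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# TCP flag bits as they appear in byte 13 of the TCP header.
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    flags: int


def target_response(listening: set, pkt: Packet) -> Optional[Packet]:
    """Model how a host with no existing connection handles an unsolicited
    segment, following RFC 793. Assumption of this model: no firewall or
    packet filter sits in the path."""
    if pkt.flags & RST:
        return None                      # a RST is never answered
    if pkt.dport not in listening:
        # CLOSED state: any segment without RST is answered with a RST.
        return Packet(pkt.dst, pkt.src, pkt.dport, RST | ACK)
    if pkt.flags & SYN:
        # LISTEN state: a SYN starts the handshake.
        return Packet(pkt.dst, pkt.src, pkt.dport, SYN | ACK)
    # LISTEN state: a bare FIN (anything without SYN) is silently dropped.
    # This is the silence that hangs a scanner with no timeout.
    return None


def fin_scan(listening: set, ports) -> dict:
    """Classify ports the way a FIN scanner must: a RST means closed,
    silence until the timeout expires means the port may be open. Because
    a filter dropping the probe looks identical, the honest label for the
    silent case is 'open|filtered'."""
    result = {}
    for port in ports:
        probe = Packet("scanner", "target", port, FIN)
        reply = target_response(listening, probe)   # None == timeout expired
        if reply is not None and reply.flags & RST:
            result[port] = "closed"
        else:
            result[port] = "open|filtered"
    return result


def detect_fin_probes(packets, min_ports: int = 5) -> dict:
    """Defender side: a FIN on a live connection always carries ACK, so a
    FIN-only segment is never part of a normal close. Count distinct
    (host, port) targets per source and report sources at or above
    min_ports."""
    targets_by_src = defaultdict(set)
    for p in packets:
        if p.flags == FIN:
            targets_by_src[p.src].add((p.dst, p.dport))
    return {src: len(t) for src, t in targets_by_src.items()
            if len(t) >= min_ports}


if __name__ == "__main__":
    # Constructed sample target listening on 22 and 80 only.
    listening = {22, 80}
    print(fin_scan(listening, [21, 22, 23, 80, 443]))
    # Constructed capture: one host sweeping ports 20..30 with bare FINs,
    # another host doing a normal FIN|ACK close on port 22.
    capture = [Packet("10.0.0.9", "10.0.0.1", port, FIN) for port in range(20, 31)]
    capture.append(Packet("10.0.0.5", "10.0.0.1", 22, FIN | ACK))
    print(detect_fin_probes(capture))
```

Running the model against a target listening on 22 reproduces the original problem: the probe to the SSH port gets no reply at all, so a capture loop with no timeout never returns. The detection heuristic is the same idea turned around: on the wire a legitimate FIN always travels with ACK, so a burst of bare FINs from one source across many ports is the signature an IDS looks for.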