2

I understand that both scans return RST packets and you can use this to scan hosts behind poorly configured firewalls. Is the idea to use both in case the firewall doesn't check for one? For example, a firewall might be blocking SYN and FIN packets, but due to a misconfiguration you could use an ACK scan?

J_N_300
  • 33
  • 3
  • “Permit tcp any any established” is common in stateless router ACL configurations. It lets ack tcp segments through (possibly allowing data exfiltration) but won’t let an attacker establish a tcp connection. A stateful firewall should block it. – Darrell Root Feb 29 '20 at 02:27

1 Answer

2

According to nmap.org, the ACK scan compared to FIN, PSH, URG, SYN:

[ACK] scan is different than the others discussed so far in that it never determines open (or even open|filtered) ports. It is used to map out firewall rulesets, determining whether they are stateful or not and which ports are filtered.

Rather than using an ACK scan over a FIN scan, instead use a combination of scan types to glean extra information from a system.

For example a FIN scan may return the following:

22/tcp    open|filtered ssh

And an ACK scan of the same host may return:

22/tcp  unfiltered ssh

An ACK scan will return unfiltered for both open and closed ports on an unfiltered system.

If one scan type identifies a port as open or filtered and another identifies it as open or closed, logic dictates that it must be open.

Kyle Fennell
  • 921
  • 4
  • 12
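As an added example (not part of the answer above), here is the intersection logic from the last three paragraphs in Python: each state nmap reports is mapped to the set of real port states it can stand for, and the results of several scans of the same host are intersected. The scan outputs are constructed samples, and the parser only handles the port lines of nmap's normal output.

```python
import re
from typing import Dict, List, Set, Tuple

# Real port states that each nmap-reported state can stand for.
# A "|" in nmap output means the scan could not tell the two apart.
STATE_CANDIDATES: Dict[str, Set[str]] = {
    "open": {"open"},
    "closed": {"closed"},
    "filtered": {"filtered"},
    "unfiltered": {"open", "closed"},        # ACK scan: reachable, open or closed
    "open|filtered": {"open", "filtered"},   # FIN/NULL/Xmas: no reply either way
    "closed|filtered": {"closed", "filtered"},
}

# Matches the port lines of nmap's normal output, e.g. "22/tcp  open|filtered ssh"
PORT_LINE = re.compile(r"^\s*(\d+)/(tcp|udp)\s+([\w|]+)")

def parse_scan(output: str) -> Dict[Tuple[int, str], str]:
    """Return {(port, proto): reported_state} for each port line of one scan."""
    ports = {}
    for line in output.splitlines():
        m = PORT_LINE.match(line)
        if m:
            ports[(int(m.group(1)), m.group(2))] = m.group(3)
    return ports

def combine_scans(outputs: List[str]) -> Dict[Tuple[int, str], str]:
    """Intersect the candidate states from several scans of the same host.
    open|filtered (FIN) and unfiltered (ACK) only share "open", so that port
    is open; an empty intersection means the scans contradict each other."""
    candidates: Dict[Tuple[int, str], Set[str]] = {}
    for output in outputs:
        for key, state in parse_scan(output).items():
            possible = STATE_CANDIDATES[state]
            candidates[key] = candidates.get(key, possible) & possible
    return {key: "|".join(sorted(s)) if s else "contradiction"
            for key, s in candidates.items()}

# Constructed sample outputs (not real scans), extending the answer's example.
FIN_SCAN = """PORT     STATE         SERVICE
22/tcp   open|filtered ssh
80/tcp   closed        http
443/tcp  open|filtered https"""
ACK_SCAN = """PORT     STATE      SERVICE
22/tcp   unfiltered ssh
80/tcp   unfiltered http
443/tcp  filtered   https"""
if __name__ == "__main__":
    for (port, proto), state in sorted(combine_scans([FIN_SCAN, ACK_SCAN]).items()):
        print(f"{port}/{proto}: {state}")
```

Port 22 resolves to open (the answer's case), port 80 to closed, and port 443 to filtered, which neither scan could have determined on its own.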