Users login

Create an account »


Users login

Home » Hacking News » Norton Personal Firewall 2002 vulnerable to SYN/FIN scan

Norton Personal Firewall 2002 vulnerable to SYN/FIN scan

by Nikola Strahija on April 17th, 2002 Norton Personal Firewall 2002 on Windows 2000 is vulnerable to SYN/FIN scan (SYN/FIN/URG, SYN/FIN/PUSH, SYN/FIN/URG/PUSH are not detected as well) also if you activate "detect portscan".

The windows machine answers the same way with or without NPF.
open TCP port answer (hping output):
len=46 ip=a.b.c.d sport=135 flags=SA DF seq=5 ttl=128 id=112 win=16616 rtt=0.8 ms
close TCP port answer (hping output):
len=46 ip=a.b.c.d sport=136 flags=RA seq=6 ttl=128 id=113 win=0 rtt=0.6 ms

This way, you can check which ports are listening and you don't get blacklisted. When NPF detects a port scan, it filters all packets from the source IP for the next 30 mins.After some tests NPF stops ONLY SYN packets FROM the blacklisted IP. This means that you can STILL perform a SYN/FIN scan while blacklisted and also that you can go on with an established connection from a blacklisted IP. You just can't start a new connection FROM the blacklisted machine (but you can start it from the "protected" PC).
Moreover, since you can't change the 30 mins default blacklist time, this can help a lot in fingerprinting Norton Personal Firewall making your IP blacklisted and then trying to send again SYN packets on an open port after 30 mins.

Vendor URL:
You can visit the vendors webpage here:

Vendor response:
The vendor was contacted on the 5th of April, 2002 using a web form at
No reply so far.

Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.


Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »