This is the ninth post detailing my notes on Nmap Network Scanning.
The TCP FIN, NULL and Xmas Tree scans exploit a loophole in the TCP RFC (RFC 793):
The TCP RFC says that if a closed port receives a packet that does not have the SYN, ACK, or RST flag set, the port should respond with an RST packet of its own. Furthermore, the RFC states that if the port is open and it receives a packet without a SYN, ACK or RST flag set the packet should be ignored.
[....]
Assuming the operating system of the target fully complies with the TCP RFC, Nmap is able to determine the port state without completing or even initiating a connection on the target system.
[....]
In general Xmas Tree scans and Null scans work against Unix and Linux machines but not Windows.
So, we expect an RST if the port is closed and no response at all if it is open. But that holds only if the target's TCP stack complies fully with the RFC; a stack that answers every such probe with an RST, whatever the port state, makes every port look closed.
These scans can sneak past non-stateful firewalls and packet-filtering routers. The price is that they can't distinguish open from filtered ports: a filter that silently drops a banned probe produces exactly the same silence as an RFC-compliant open port, so Nmap reports both as open|filtered (only when a filter answers with an ICMP unreachable error does Nmap report the port as plain filtered). We can switch on version detection (-sV) to tell the two apart, as with the UDP scan, but that means actually connecting to the port and defeats the object of being stealthy.
NULL scan (-sN): no flag bits set at all; the TCP flags field is 0.
FIN scan (-sF): only the FIN flag set.
Xmas Tree scan (-sX): FIN, PSH and URG flags set; thus, "lit up like a Christmas tree".
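To make the RFC loophole and the three flag combinations concrete, here is an added example (my own code, not from the Nmap book or the Nmap source): it builds the bare TCP header each probe sends, with a valid checksum over the IPv4 pseudo-header as a raw-socket scanner would need, then classifies the reply the way Nmap's FIN/NULL/Xmas state table does: RST means closed, silence means open|filtered, and an ICMP destination-unreachable with code 1, 2, 3, 9, 10 or 13 means filtered. The two "hosts" at the bottom are constructed models, not real machines: one follows RFC 793, the other answers everything with RST, which is the Windows behaviour the post describes. Function names, the 40000 source port and the addresses are all assumptions for the example.

```python
import socket
import struct

# TCP control bits (RFC 793), the low six bits of the offset/flags word.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Flag combinations of the three scans, keyed by their Nmap switch.
PROBE_FLAGS = {
    "-sN": 0,                # NULL scan: no flags at all
    "-sF": FIN,              # FIN scan: FIN only
    "-sX": FIN | PSH | URG,  # Xmas Tree scan: "lit up"
}

# ICMP type 3 codes that Nmap reports as "filtered" for these scans.
ICMP_FILTERED_CODES = (1, 2, 3, 9, 10, 13)


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum (data zero-padded to even length)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def pseudo_header(src_ip, dst_ip, length):
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, socket.IPPROTO_TCP, length))


def build_tcp_segment(src_ip, dst_ip, src_port, dst_port, flags, seq=0, ack=0):
    """A 20-byte TCP header with the given control bits and a correct checksum."""
    offset_flags = (5 << 12) | (flags & 0x3F)  # data offset 5 words, no reserved bits
    header = struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                         offset_flags, 1024, 0, 0)
    csum = inet_checksum(pseudo_header(src_ip, dst_ip, len(header)) + header)
    return header[:16] + struct.pack("!H", csum) + header[18:]


def checksum_ok(src_ip, dst_ip, segment: bytes) -> bool:
    """A correctly checksummed segment sums (with its pseudo-header) to zero."""
    return inet_checksum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


def tcp_flags(segment: bytes) -> int:
    return struct.unpack("!H", segment[12:14])[0] & 0x3F


def dst_port(segment: bytes) -> int:
    return struct.unpack("!H", segment[2:4])[0]


def classify_response(response):
    """Map the reply to a FIN/NULL/Xmas probe onto the state Nmap reports.
    response is None (silence, even after retransmission), a TCP header (bytes),
    or a constructed ('icmp', type, code) tuple standing in for an ICMP error."""
    if response is None:
        return "open|filtered"   # RFC-compliant open port, or a filter dropped it
    if isinstance(response, tuple) and response[0] == "icmp":
        _, icmp_type, icmp_code = response
        if icmp_type == 3 and icmp_code in ICMP_FILTERED_CODES:
            return "filtered"
        raise ValueError("unhandled ICMP %d/%d" % (icmp_type, icmp_code))
    if tcp_flags(response) & RST:
        return "closed"
    raise ValueError("unexpected TCP reply, flags 0x%02x" % tcp_flags(response))


# Constructed target models (not real hosts). Each takes the probe and returns
# what the scanner would see on the wire.
def rfc_compliant_host(open_ports, filtered_ports=()):
    def respond(src_ip, dst_ip, probe):
        port = dst_port(probe)
        if port in filtered_ports:
            return ("icmp", 3, 13)   # admin prohibited, as a router ACL might send
        if port in open_ports:
            return None              # open port ignores a segment with no SYN/ACK/RST
        return build_tcp_segment(dst_ip, src_ip, port, 40000, RST | ACK)
    return respond


def rst_everything_host(open_ports):
    """Windows-style stack: RST for every probe, so open_ports is never visible."""
    def respond(src_ip, dst_ip, probe):
        return build_tcp_segment(dst_ip, src_ip, dst_port(probe), 40000, RST | ACK)
    return respond


def scan(host, ports, switch="-sX", src_ip="192.168.1.10", dst_ip="192.168.1.79"):
    """One probe per port against a target model; returns {port: nmap_state}."""
    flags = PROBE_FLAGS[switch]
    results = {}
    for port in ports:
        probe = build_tcp_segment(src_ip, dst_ip, 40000, port, flags)
        assert checksum_ok(src_ip, dst_ip, probe)
        results[port] = classify_response(host(src_ip, dst_ip, probe))
    return results
```

Running scan(rfc_compliant_host({80}, {22}), [22, 80, 81]) gives 22 filtered, 80 open|filtered and 81 closed, while scan(rst_everything_host({80}), [80, 81]) reports both ports closed: the same "all closed" result the Windows box below produces regardless of which of the three switches is used. To send the probe for real you would hand build_tcp_segment's output to a raw socket behind an IP header; the point here is the flag bits and the state mapping, not the transport.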
Here's an Xmas Tree scan against scanme.nmap.org:
nmap -sX scanme.nmap.org
Starting Nmap 6.25 ( http://nmap.org ) at 2013-07-04 09:30 BST
Nmap scan report for scanme.nmap.org (74.207.244.221)
Host is up (0.047s latency).
Not shown: 998 closed ports
PORT     STATE         SERVICE
554/tcp  open|filtered rtsp
7070/tcp open|filtered realserver
And here is an Xmas Tree Scan against the Windows portion of my Virtual Hacking Lab:
~# nmap -sX 192.168.1.79
Starting Nmap 6.25 ( http://nmap.org ) at 2013-07-04 09:32 BST
Nmap scan report for lab.home (192.168.1.79)
Host is up (0.0052s latency).
All 1000 scanned ports on lab.home (192.168.1.79) are closed
MAC Address: 00:0C:76:17:A4:17 (Micro-star International CO.)
Nmap done: 1 IP address (1 host up) scanned in 13.17 seconds
As predicted above, this scan was ineffectual against a Windows system: every port replied with an RST regardless of its real state, so all 1000 were reported as "closed". Compare this with a standard (SYN) scan of the same host, which shows ten open ports:
:~# nmap 192.168.1.79
Starting Nmap 6.25 ( http://nmap.org ) at 2013-07-04 09:35 BST
Nmap scan report for lab.home (192.168.1.79)
Host is up (0.13s latency).
Not shown: 990 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
25/tcp   open  smtp
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
443/tcp  open  https
445/tcp  open  microsoft-ds
912/tcp  open  apex-mesh
1025/tcp open  NFS-or-IIS
1433/tcp open  ms-sql-s
MAC Address: 00:0C:76:17:A4:17 (Micro-star International CO.)
Nmap done: 1 IP address (1 host up) scanned in 2.14 seconds