
08. Nmap Inverse TCP Flag Scanning (FIN, XMAS & NULL)

Nmap Stealth Scan Techniques

  1. nmap -sX 192.168.1.1

    • Purpose: Runs an Xmas scan (Xmas tree packet scan).
    • How It Works:
      • Sends TCP packets with the FIN, PSH, and URG flags set (flags byte 0x29), with no SYN.
      • Per RFC 793, a closed port must answer with an RST, while an open port must silently discard a segment that carries no SYN, RST, or ACK. Nmap therefore reports a port that returns RST as closed and a port that never answers as open|filtered, because silence from an open port looks exactly like a firewall dropping the probe; an ICMP unreachable error marks the port as filtered.
    • Use Case: Evading stateless packet filters and simple IDS rules that only inspect SYN packets, since none of the probes contain a SYN.
    • Limitations: Not effective against TCP stacks that do not follow RFC 793, notably Microsoft Windows and many Cisco devices, which answer every probe with RST regardless of port state and so make every port appear closed.

  2. nmap -sN 192.168.1.1

    • Purpose: Runs a Null scan.
    • How It Works:
      • Sends TCP packets with no flags set (flags byte 0x00).
      • As with the Xmas scan, closed ports respond with an RST packet, and open ports do not respond, so they are reported as open|filtered.
    • Use Case: Another stealthy technique for getting past stateless firewalls and SYN-only IDS signatures.
    • Limitations: Not effective on Windows and other non-compliant stacks, which reply RST to every probe and therefore report all ports closed.

  3. nmap -sF 192.168.1.1

    • Purpose: Runs a FIN scan.
    • How It Works:
      • Sends TCP packets with only the FIN flag set (flags byte 0x01).
      • Closed ports respond with an RST packet, and open ports remain silent (reported as open|filtered).
    • Use Case: Stealthy alternative to the Xmas and Null scans, effective for evading detection on RFC-compliant (non-Windows) systems.
    • Limitations: Same limitations as the other inverse-flag scans; non-compliant stacks answer RST to everything, and a firewall that drops the probes is indistinguishable from an open port.

  4. nmap -sX 192.168.1.1 --reason

    • Purpose: Runs an Xmas scan and adds the reason for each port state to the output.
    • Effect: Shows why a port is classified as open|filtered, closed, or filtered by naming the response that produced the state (reset for an RST reply, no-response when nothing came back, or the ICMP error type received).
    • Use Case: Useful for understanding scan results in greater detail, in particular for spotting a non-compliant host (every port reported closed with reason reset, including ports known to be open from a SYN scan) or a firewall silently dropping probes.
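The following is an added example, not code from the original page or from the Nmap project, that shows what the three probes above actually look like on the wire and how the replies map to Nmap's port states. It hand-builds a 20-byte TCP header with the FIN / NULL / Xmas flag combinations (checksummed over the IPv4 pseudo-header), classifies a reply the way Nmap does (RST = closed, silence = open|filtered, ICMP unreachable = filtered), and adds a small heuristic for the Windows/Cisco failure mode where every port comes back closed. The addresses, ports and helper names (build_probe, classify, looks_rfc_noncompliant, send_probe) are my own choices; only send_probe touches the network, requires root, and assumes Linux raw-socket behaviour (the kernel prepends the IP header).

```python
"""Build and classify Nmap-style inverse TCP flag probes (FIN / NULL / Xmas).
Added example; not part of the original page or of Nmap."""
import random
import socket
import struct
from typing import Dict, Optional, Set

# RFC 793 control bits, as laid out in the TCP flags byte.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Flag combination each inverse-flag scan puts on the wire.
SCAN_FLAGS = {
    "FIN": FIN,                 # nmap -sF  (0x01)
    "NULL": 0x00,               # nmap -sN  (0x00)
    "XMAS": FIN | PSH | URG,    # nmap -sX  (0x29)
}


def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 checksum used by TCP: 16-bit one's-complement sum, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    """IPv4 pseudo-header (src, dst, zero, protocol, TCP length) covered by the checksum."""
    return struct.pack("!4s4sBBH", socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
                       0, socket.IPPROTO_TCP, tcp_len)


def build_probe(src_ip: str, dst_ip: str, src_port: int, dst_port: int,
                scan: str, seq: Optional[int] = None) -> bytes:
    """Return a 20-byte TCP header carrying the flags for `scan`, with a valid checksum."""
    flags = SCAN_FLAGS[scan]
    if seq is None:
        seq = random.getrandbits(32)        # random ISN, as a real scanner would use
    data_offset = 5 << 4                    # 5 x 32-bit words (20 bytes), no options
    window = 1024
    # src port, dst port, seq, ack, offset, flags, window, checksum (0 for now), urgent ptr
    hdr = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, 0,
                      data_offset, flags, window, 0, 0)
    csum = ones_complement_checksum(_pseudo_header(src_ip, dst_ip, len(hdr)) + hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def parse_flags(tcp_header: bytes) -> int:
    """The flags byte sits at offset 13 of the TCP header."""
    return tcp_header[13]


def verify_checksum(src_ip: str, dst_ip: str, tcp_header: bytes) -> bool:
    """A correctly checksummed header, summed together with its checksum field, yields 0."""
    covered = _pseudo_header(src_ip, dst_ip, len(tcp_header)) + tcp_header
    return ones_complement_checksum(covered) == 0


def classify(response: Optional[str]) -> str:
    """Map the reply to a FIN/NULL/Xmas probe to the state Nmap reports."""
    if response == "RST":
        return "closed"             # --reason shows: reset
    if response is None:
        return "open|filtered"      # --reason shows: no-response (open, or dropped by a filter)
    if response == "ICMP_UNREACH":
        return "filtered"           # ICMP type 3, codes 1, 2, 3, 9, 10 or 13
    raise ValueError(f"unexpected response {response!r}")


def looks_rfc_noncompliant(results: Dict[int, str], known_open: Set[int]) -> bool:
    """Heuristic for the Windows/Cisco failure mode: ports independently known to be
    open (e.g. from a SYN scan) all come back 'closed' to the inverse-flag probe."""
    if not known_open:
        return False
    return all(results.get(p) == "closed" for p in known_open)


def send_probe(src_ip: str, dst_ip: str, src_port: int, dst_port: int, scan: str) -> None:
    """Put one probe on the wire. Needs root; on Linux the kernel prepends the IP header,
    so src_ip must be the address the kernel will actually route from."""
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_TCP) as s:
        s.sendto(build_probe(src_ip, dst_ip, src_port, dst_port, scan), (dst_ip, 0))


if __name__ == "__main__":
    # Constructed addresses for illustration; nothing is sent here.
    src, dst = "192.168.1.100", "192.168.1.1"
    for name in SCAN_FLAGS:
        hdr = build_probe(src, dst, 40000, 80, name, seq=1)
        print(f"{name:4} flags=0x{parse_flags(hdr):02x} checksum_ok={verify_checksum(src, dst, hdr)} {hdr.hex()}")
    print(classify("RST"), classify(None), classify("ICMP_UNREACH"))
```

Reading the output against a packet capture is the quickest way to confirm what Nmap sends: the flags byte is 0x01, 0x00 and 0x29 for -sF, -sN and -sX respectively, and the only difference between the three probes is that byte. The looks_rfc_noncompliant check is the sanity test to run before trusting an "all ports closed" result from a host that you already know is serving something.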

Key Takeaways

  • Xmas, Null, and FIN scans are stealth scanning methods that bypass stateless firewalls and SYN-focused IDS rules by sending TCP probes that carry no SYN flag.
  • These scans rely on the target implementing RFC 793 correctly: closed ports answer RST, open ports stay silent. Because silence is also what a dropped probe looks like, open ports are only ever reported as open|filtered.
  • Non-compliant TCP stacks (Windows, many Cisco devices) reply RST to every probe, so every port appears closed and the scan tells you nothing about the target.
  • Adding --reason helps in deeper analysis by explaining why a port is classified as open|filtered, closed, or filtered, which is also how you spot a non-compliant host or a filter silently dropping probes.