Nmap : Xmas Scan,Idle Scan,Fin Scan,Null Scan

Raj Upadhyay
4 min readSep 1, 2020

--

In previous article we discuss about basics of Nmap. You can find previous article by Clicking Following Link : Let’s Recall : Nmap (Part-1)

Now let’s talk about different scan types in Nmap

Xmas Scan (-sX)

nmap -sX 192.168.0.1

It Sets the FIN, PSH, and URG flags, lighting the packet up like a Christmas tree.

Advantage of this scan is that it can sneak through non-stateful firewalls and packet filtering routers. Such firewalls try to prevent incoming TCP connections by blocking any TCP packets with the SYN bit set and ACK cleared. Linux iptables firewall command offers a special --syn option to implement it. Xmas scans clear the SYN bit and thus fly right through those rules.

This scan does work against most Unix-based systems.

Xmas Scan

As we can see in above picture when we send packet with FIN/PSH/URG flag to set and send it to destination if we don’t get any response from Destination we will know that Port is OPEN. if we get RST in return then we know that Port is Closed.

Fin Scan

nmap -sF 192.168.0.1

The FIN Scan will send a TCP segment with the FIN flag set. When we send this packet to destination that doesn’t already have establish session will drop it (means we will not get any response from destination) if we get RST flag from destination then we know that port is closed.

FIN Scan

Null Scan

nmap -sN 192.168.0.1

The Null Scan will send a TCP segment with no flags in the packet header. So this type of generated packets are illegal based on RFC 793.

Note : According to RFC 793 any TCP segment with an out-of-state Flag sent to an open port is discarded, whereas segments with out-of-state flags sent to closed ports should be handled with a RST in response.

Null Scan

So in Null Scan if a port is open then we will not get any response. In Null Scan no flags are set then target will not know how to handle the request. so target will discard the packet and no reply will be sent. If the port is closed, the target will send an RST packet in response.

Idle Scan

nmap -Pn -p- -sI 192.168.0.2 192.168.0.1

The idle scan takes advantage of incrementing IP identification numbers, and uses a zombie host with IP spoofing to derive port state. Zombie host should be silent in network ( meaning Zombie host should not talking with in the network, it should just seat there any listen)

Note : Linux machines are preferred as Zombie host. Because it does not make any noise in network. Windows machines talks netbios often and Mac talks multicast DNS. So Linux Systems are perfect candidate for Zombie Host

Idle Scan step-by-step

  1. Send SYN/ACK packet to zombie
  2. Receive RST and determine IP identification number
  3. Send spoofed SYN packet to target
  4. Target sends either SYN/ACK or RST to zombie
  5. Send SYN/ACK packet to zombie
  6. Receive RST and determine IP identification number
    → IP ID will increment by 2 if target port open
    → else port is closed/filtered

Idle Scan of an Open Port

The attacker sends a SYN/ACK to the zombie. The zombie, not expecting the SYN/ACK so sends RST, disclosing it’s IP ID

Idle scan : step 1

Attacker Forge a SYN packet from the zombie.The target sends a SYN/ACK in response to the SYN that appears to come from the zombie. The zombie, not expecting it, sends back a RST, incrementing it’s IP ID in the process.

idle scan : step — 2

Prob the zombie’s IP ID again.

Idle scan : step 3

The zombie’s IP ID has increased by 2 since step 1, so the port is open!

Thank you for reading this.

Nmap Cheatsheet Link : https://github.com/raj1997/cheatsheet/tree/master/Nmap

Reference : https://nmap.org/

--

--

Raj Upadhyay
Raj Upadhyay

Written by Raj Upadhyay

DFIR Consultant || #LoveToPlayCTF #infosec #cybersecurity #4n6

Responses (1)