Xmas scan with Nmap (Hacking Illustrated Series InfoSec Tutorial Videos)



According to RFC 793, if a closed port receives a TCP packet that does not have the SYN, RST, or ACK flag set, it is supposed to respond with a RST packet. If the port is open, the TCP stack is supposed to drop the packet without giving any response. Not all operating systems follow the RFC to the letter, however, and these discrepancies allow for OS fingerprinting. I've covered OS fingerprinting in other videos (which I will link to later); this video just illustrates the point by showing off Nmap's Xmas scan option, which sets only the FIN, PSH, and URG flags and nothing else. I'll also be using Zenmap, Ndiff, and Wireshark to help you get the idea.
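As an added illustration (not code from the video or from Nmap itself), the Python below models the RFC 793 rule above for a strictly compliant stack and for a stack that answers RST regardless of port state, shows what an Xmas probe infers in each case, and applies the same flag test from the defender's side to a constructed packet list. The function names, the sample addresses and the `min_ports` threshold are my own assumptions.

```python
from typing import Dict, List, Optional, Tuple

# TCP flag bits as they appear in the header's flags byte.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
XMAS = FIN | PSH | URG  # the only flags an Nmap -sX probe sets

def rfc793_response(probe_flags: int, port_open: bool) -> Optional[int]:
    """Reply of a stack that follows RFC 793 to the letter.

    Closed port: any segment that is not itself a RST is answered with RST.
    Open port: a segment with none of SYN/RST/ACK is silently dropped.
    Handshake segments (SYN, ACK) are out of scope for this model."""
    if probe_flags & RST:
        return None
    if not port_open:
        return RST | ACK
    if probe_flags & (SYN | ACK):
        raise ValueError("handshake segments are not modelled here")
    return None

def lenient_response(probe_flags: int, port_open: bool) -> Optional[int]:
    """Stack that answers RST to an odd probe whether or not the port is open
    (the non-RFC behaviour Nmap's docs describe for Windows and some other
    stacks); such a host makes every port look closed to an Xmas scan."""
    return None if probe_flags & RST else RST | ACK

def infer_state(reply: Optional[int]) -> str:
    """How Nmap labels a port from the answer to an Xmas/FIN/NULL probe."""
    if reply is None:
        return "open|filtered"   # dropped: open, or a firewall swallowed it
    return "closed" if reply & RST else "unexpected"

def xmas_scan(ports: Dict[int, bool], stack=rfc793_response) -> Dict[int, str]:
    """Probe every port in `ports` ({port: is_open}) with a Xmas packet."""
    return {p: infer_state(stack(XMAS, is_open)) for p, is_open in ports.items()}

# Defender side: the Xmas flag combination never occurs in a legitimate
# session, so a source hitting many ports with it is a scanner.
def find_xmas_scanners(packets: List[Tuple[str, int, int]], min_ports: int = 3) -> Dict[str, int]:
    """packets are (src_ip, dst_port, flags); returns {src_ip: distinct ports}."""
    seen: Dict[str, set] = {}
    for src, dport, flags in packets:
        if flags == XMAS:
            seen.setdefault(src, set()).add(dport)
    return {s: len(ps) for s, ps in seen.items() if len(ps) >= min_ports}

# Constructed sample capture (not real traffic): one scanner, one normal client.
SAMPLE = [("10.0.0.5", 22, XMAS), ("10.0.0.5", 80, XMAS), ("10.0.0.5", 443, XMAS),
          ("10.0.0.5", 8080, XMAS), ("10.0.0.9", 80, SYN), ("10.0.0.9", 80, ACK | PSH)]
```

Running `xmas_scan` with `stack=lenient_response` is the quickest way to see why the Xmas scan only tells you something against an RFC-compliant stack.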


Download:
http://blip.tv/file/get/Irongeek-xmas874.wmv


Fyodor's Docs on the subject
http://nmap.org/book/man-port-scanning-techniques.html

Basic Nmap Usage
http://www.irongeek.com/i.php?page=videos/nmap1

Nmap Video Tutorial 2: Port Scan Boogaloo
http://www.irongeek.com/i.php?page=videos/nmap2

NDiff: Comparing two Nmap 5 scans to find changes in your network
http://www.irongeek.com/i.php?page=videos/ndiff-nmap-5

Nmap presentation for the ISSA in Louisville Kentucky
http://www.irongeek.com/i.php?page=videos/nmap-louisville-issa
 

And the "poem":

Twas the night of my pen-test, and all through the net,
not a host was responding, with normal flags set.

My hacking was hung by this current affair,
in hopes that some port would maybe be there.

My net was all quiet, not even netbios chatter,
I went to my docs, to see what was the matter.

Then from Fyodor I found my solution,
an XMAS scan may bring resolution.
 

If you would like to republish one of the articles from this site on your webpage or print journal please contact IronGeek.

Copyright 2014, IronGeek
Louisville / Kentuckiana Information Security Enthusiast