A Logo

Feel free to include my content in your page via my
RSS feed

Help Irongeek.com pay for
bandwidth and research equipment:

Subscribestar or Patreon

Search Irongeek.com:

Irongeek Button
Social-engineer-training Button

Help Irongeek.com pay for bandwidth and research equipment:


Xmas scan with Nmap (Hacking Illustrated Series InfoSec Tutorial Videos)

Xmas scan with Nmap

        According to RFC 793, if a closed port gets a TCP packet without the SYN, RST, or ACK flag being set, it is suppose to respond with a RST packet. If the port is open, the TCP stack is suppose to just drop the packet without giving a response. Not all Operating Systems follow the RFC to the letter however, and these discrepancies allow for OS fingerprinting. I've covered OS fingerprinting in other videos (which I will link off to later), this video will just illustrates the point by showing off Nmap's XMAS scan option which sets only the FIN, PSH, and URG flags and nothing else. I'll also be using Zenmap, Ndiff and Wireshark to help you get the idea.


Fyodor's Docs on the subject

Basic Nmap Usage

Nmap Video Tutorial 2: Port Scan Boogaloo

NDiff: Comparing two Nmap 5 scans to find changes in your network

Nmap presentation for the ISSA in Louisville Kentucky

And the "poem":

Twas the night of my pen-test, and all though the net,
not a host was responding, with normal flags set.

My hacking was hung by this current affair,
in hopes that some port would maybe be there.

My net was all quite, not even netbios chatter,
I went to my docs, to see what was the matter.

Then from Fyodor I found my solution,
an XMAS scan may bring resolution.

Printable version of this article

15 most recent posts on Irongeek.com:

    If you would like to republish one of the articles from this site on your webpage or print journal please contact IronGeek.

    Copyright 2019, IronGeek
    Louisville / Kentuckiana Information Security Enthusiast