NMAP (Part 3): Other Port Scanning Types

This article is part of a series. Check out the full series: Part 1: Port Scanning Responses, Part 2: Basic Port Scanning Types, Part 3: Other Port Scanning Types, Part 4: Network Scanning, Part 5: Firewall Evasion Options and Part 6: NSE Scripts!

We have talked about the basic port scanning types for -sS, -sT and -sU in the previous blog.

Now, NMAP also provides less commonly used port scanning types like NULL, FIN and Xmas TCP port scans.

These scans are useful to evade firewalls as many firewalls are configured to drop incoming TCP packets that have SYN flags set.

NULL Scans (-sN)

→ TCP request is sent with no flags set at all.

FIN Scans (-sF)

→ TCP request is sent with FIN flags.

XMas Scans (-sX)

→ TCP request is sent with malformed TCP packet that sets PSH, URG and FIN flags as on.

Again, these scans are very similar to UDP scans so you should only expect open|filtered (no response received from the host) or closed state (RST TCP packet received from the host).

It’s also worth noting that RFC 793 mandates the network hosts to respond to these scans with RST TCP packets for closed ports and don’t respond at all for open ports. But, for Microsoft Windows and CISCO devices, they are known to respond with a RST TCP packet no matter the port is actually open or not. This results in all ports showing up as being closed.