Nmap: NULL, FIN and Xmas.

-

 NULL Scan:

  • A NULL scan is a stealthy scanning technique where Nmap sends TCP packets with no TCP flag set (hence the name "NULL"). Normally, TCP packets have flags like SYN, ACK, PSH, RST, and FIN set in various combinations.

  • In a NULL scan, if the target host's TCP stack is RFC-compliant, it should respond with a TCP RST (reset) packet for a closed port and ignore the packet for an open port.

  • The NULL scan is useful for identifying open ports when traditional scanning methods may be detected or blocked by a firewall or intrusion detection system (IDS).

FIN Scan:

  • A FIN scan is another stealthy scanning technique that involves sending TCP packets with only the FIN (Finish) flag set.

  • Similar to the NULL scan, if a port is closed, the target system should respond with a TCP RST packet. If the port is open, it should ignore the packet.

  • The FIN scan can be used to probe for open ports without making a lot of noise, making it useful for evading network monitoring or firewall rules.

Xmas Scan:

  • An Xmas scan is a variant of the FIN scan where Nmap sends TCP packets with the FIN, URG (Urgent), and PSH (Push) flags set, resembling the blinking lights of a Christmas tree, hence the name "Xmas."

  • Like the NULL and FIN scans, the Xmas scan relies on the target system's behavior. Closed ports should respond with a TCP RST packet, while open ports should generally ignore the packet.

  • The Xmas scan can help identify open ports discreetly, similar to the NULL and FIN scans.
------------------------------------------------------------------------------------------------------------------------
It's important to note that the effectiveness of these scans can vary depending on the target system's TCP stack implementation and the presence of firewalls or IDSs. 

Some systems may not respond as expected to these unusual flag combinations, potentially leading to false results. 

Additionally, because these scans are designed to be stealthy, they may not provide as much information as other Nmap scan types, such as SYN scans or TCP Connect scans, which are more commonly used for comprehensive network reconnaissance.
------------------------------------------------------------------------------------------------------------------------
Question 1: Which of the three shown scan types uses the URG flag?
Answer: xmas

Question 2: Why are NULL, FIN and Xmas scans generally used?
Answer: Firewall Evasion 

Question 3: Which common OS may respond to a NULL, FIN or Xmas scan with a RST for every port?
Answer: Microsoft Windows

------------------------------------------------------------------------------------------------------------------------
Thanks for reading. 

Roger - Ozz961.

Comments

Post a Comment

Popular posts from this blog

Common Network Commands: IP R

-
IP R Command Overview The `ip r` command is part of the `iproute2` package in Linux systems. It is used for displaying and manipulating the routing table, which determines how network packets are directed to their destinations. This command is vital for network configuration, management, and troubleshooting. Origin and Development The `iproute2` package was created to replace the older `net-tools` package, which included commands like `ifconfig` and `route`. The `ip` command provides a more unified interface for network management, supporting advanced features and modern networking protocols. It offers better capabilities for managing complex networking scenarios, making it a crucial tool for system and network administrators. Basic Functionality The `ip r` command serves several functions: - Displays current routing table entries. - Shows destination networks, gateways, and associated interfaces. - Allows for the addition, deletion, and modification of routes. Key Command Syntax 1. Di...
Read more

Junior Security Analyst Intro

-
Why SOC Analyst L1 is Considered a Triage Specialist. A Level 1 Security Operations Center (SOC) Analyst is often regarded as a triage specialist because they are the first responders to cybersecurity alerts. Much like how a triage nurse assesses patients' conditions in a hospital, a Level 1 SOC Analyst evaluates and categorizes alerts generated by security tools to determine their severity and prioritize response efforts. Their primary focus is to: Filter Noise: Modern networks generate massive amounts of data, with many false positives. SOC L1 analysts must sift through this data to identify real threats. Categorize Alerts: Assign severity levels to incidents, such as low, medium, or high priority. Initial Response: Perform basic investigations (e.g., checking IP addresses, scanning logs) and decide whether to escalate incidents to Level 2 or 3 analysts. This role is vital because it ensures that high-priority threats are addressed quickly and resources are allocated ...
Read more

Common Network Commands: Route

-
Route Command Overview The route command is a part of the older net-tools package used in Linux systems for viewing and manipulating the IP routing table. It provides information about how packets are routed through the network and allows for the addition, deletion, and modification of routes. Origin and Development Historically, the route command has been a primary tool for managing network routing in Linux. However, it has largely been replaced by the ip command from the iproute2 package, which offers more advanced features and capabilities. Despite this, route is still commonly used in many Linux distributions for its simplicity and familiarity. Basic Functionality The route command serves several functions: - Displays the current routing table entries. - Shows destination networks, gateways, and associated interfaces. - Allows for the addition, deletion, and modification of routes. Key Command Syntax 1. Display Routing Table:    ```    route -n    ``` ...
Read more