Stealth Scanning - The FIN Scan (-sF), Xmas Tree Scan (-sX), and Null Scan (-sN)
Requires Privileged Access: YES
Identifies TCP Ports: YES
Identifies UDP Ports: NO
These three scans are grouped together because their individual functionality is very similar. These are called "stealth" scans because they send a single frame to a TCP port without any TCP handshaking or additional packet transfers. This is a scan type that sends a single frame with the expectation of a single response.
These scans operate by manipulating the flag bits of the TCP header to induce a response from the remote station. The Xmas Tree scan (FIN, PSH, and URG set together) and the Null scan (no flags set at all) use flag combinations that never occur in legitimate traffic. The FIN scan uses a legitimate flag, but in a scenario that should never occur: a FIN arriving for a connection that was never established. These purposely-mangled TCP headers are thrown at a remote device, and nmap watches for the responses.
RFC 793, Transmission Control Protocol, states that a station receiving a segment on a closed TCP port should send a RST frame, while a listening (open) TCP port should silently drop a segment that carries none of the SYN, RST, or ACK flags. During any of these stealth scans, nmap therefore categorizes the responses as either closed or open|filtered (in computer-speak, a vertical bar between values generally signifies an "or" condition). The open|filtered result is combined because firewalls often drop these frames without a response. Since a missing response looks the same whether the port is open or a firewall discarded the probe, there's no way to differentiate between an open port and an administratively dropped frame. Note also that not every TCP stack follows the RFC here: nmap's documentation lists Microsoft Windows, many Cisco devices, and some other systems that reply with a RST regardless of port state, so against those hosts every port will appear closed.
Because these scans create unusual flag combinations in TCP headers, the packets must be built by nmap using the operating system's raw socket functionality rather than the normal socket API. Constructing these customized packets is why nmap requires privileged access to perform stealth scans.
FIN, Xmas Tree, and Null Scan Operation
In the following examples, the graphical descriptions and trace files for the open and closed ports will look functionally identical, except that the bits in the TCP flags will be different in each scan type.
FIN Scan
The FIN scan's "stealth" frames are unusual because they are sent to a device without first going through the normal TCP handshaking. If a TCP session isn't active, the session certainly can't be formally closed!
In this FIN scan, TCP port 443 is closed, so the remote station sends a RST frame in response to the FIN packet:

Source Destination Summary
----------------------------------------------------------------------------------------
[192.168.0.8] [192.168.0.7] TCP: D=443 S=62178 FIN SEQ=3532094343 LEN=0 WIN=2048
[192.168.0.7] [192.168.0.8] TCP: D=62178 S=443 RST ACK=3532094343 WIN=0

If a port is open on a remote device, no response is received to the FIN scan:

Source Destination Summary
--------------------------------------------------------------------------------------
[192.168.0.8] [192.168.0.7] TCP: D=23 S=62178 FIN SEQ=3532094343 LEN=0 WIN=2048

The nmap output shows the open ports located with the FIN scan:
# nmap -sF -v 192.168.0.7
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-04-23 21:17 EDT
Initiating FIN Scan against 192.168.0.7 [1663 ports] at 21:17
The FIN Scan took 1.51s to scan 1663 total ports.
Host 192.168.0.7 appears to be up ... good.
Interesting ports on 192.168.0.7:
(The 1654 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
21/tcp open|filtered ftp
22/tcp open|filtered ssh
23/tcp open|filtered telnet
79/tcp open|filtered finger
110/tcp open|filtered pop3
111/tcp open|filtered rpcbind
514/tcp open|filtered shell
886/tcp open|filtered unknown
2049/tcp open|filtered nfs
MAC Address: 00:03:47:6D:28:D7 (Intel)
Nmap finished: 1 IP address (1 host up) scanned in 2.276 seconds
Raw packets sent: 1674 (66.9KB) | Rcvd: 1655 (76.1KB)
#
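The following Python program is an added example, not code from the page or from nmap itself. It builds the three probe headers (FIN, Xmas Tree, Null) byte-for-byte, simulates an RFC 793 target that answers RST on closed ports and stays silent on listening ports, and then classifies each reply the way nmap does. It goes a little beyond the traces above in two ways: a simulated firewall drops probes to some ports so you can see why silence is reported as open|filtered rather than open, and a flag lets the simulated stack reply RST to everything, which is how the non-RFC-compliant hosts mentioned earlier make every port look closed. The listening ports, the source port and sequence number are constructed from the trace on this page; the checksum is left at zero because nothing here is put on the wire.

```python
"""Simulate FIN / Xmas Tree / Null probes against a target and classify the
replies the way nmap does. Added example; no packets are actually sent."""
import struct

# TCP flag bits (low byte of the data-offset/flags field)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Flag combinations each "stealth" scan type places in its probe
SCAN_FLAGS = {"FIN": FIN, "Xmas": FIN | PSH | URG, "Null": 0}


def build_tcp_header(src_port, dst_port, seq, flags, ack=0, window=2048):
    """Bare 20-byte TCP header with no options. The checksum is left at zero;
    a raw-socket sender fills it in, which is why these scans need privilege."""
    offset_and_flags = (5 << 12) | flags      # data offset = 5 words, flags in low bits
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                       offset_and_flags, window, 0, 0)


def parse_tcp_header(hdr):
    src, dst, seq, ack, off_flags, window, _csum, _urg = struct.unpack("!HHIIHHHH", hdr[:20])
    return {"src": src, "dst": dst, "seq": seq, "ack": ack,
            "flags": off_flags & 0x3F, "window": window}


def target_reply(listening_ports, probe, rfc_compliant=True):
    """What the scanned host sends back to a probe carrying no SYN/RST/ACK.
    RFC 793: CLOSED port -> RST; LISTEN port -> segment silently dropped.
    rfc_compliant=False models stacks that answer RST regardless of state."""
    p = parse_tcp_header(probe)
    if p["flags"] & (SYN | RST | ACK):
        raise ValueError("not a FIN/Xmas/Null probe")
    if p["dst"] in listening_ports and rfc_compliant:
        return None                           # open port: no response at all
    # The RST acknowledges seq + segment length; a FIN occupies one sequence number
    seg_len = 1 if p["flags"] & FIN else 0
    return build_tcp_header(p["dst"], p["src"], 0, RST | ACK,
                            ack=p["seq"] + seg_len, window=0)


def classify(reply):
    """nmap's port-state logic for the FIN, Xmas Tree and Null scans."""
    if reply is None:
        return "open|filtered"                # silence: open, or a firewall ate the probe
    if parse_tcp_header(reply)["flags"] & RST:
        return "closed"
    return "unexpected"                       # anything else is not a scan result


def stealth_scan(scan_type, ports, listening_ports, filtered_ports=(),
                 rfc_compliant=True, src_port=62178, seq=3532094343):
    """Probe each port once and return {port: state}. filtered_ports models a
    firewall that drops the probe before it reaches the host (hypothetical)."""
    results = {}
    for port in ports:
        probe = build_tcp_header(src_port, port, seq, SCAN_FLAGS[scan_type])
        if port in filtered_ports:
            reply = None                      # dropped in transit, no RST, nothing
        else:
            reply = target_reply(listening_ports, probe, rfc_compliant)
        results[port] = classify(reply)
    return results


if __name__ == "__main__":
    # Constructed target: the listening ports from the nmap output on this page
    listening = {21, 22, 23, 79, 110, 111, 514, 886, 2049}
    for scan in SCAN_FLAGS:
        print(scan, stealth_scan(scan, [21, 23, 443, 2049], listening))
    # Closed port 443 behind a firewall that drops the probe: same as an open port
    print("Xmas, 443 firewalled:", stealth_scan("Xmas", [80, 443], {80}, filtered_ports={443}))
    # RST-on-everything stack: both listening ports are reported closed
    print("Null, non-compliant:", stealth_scan("Null", [22, 23], {22, 23}, rfc_compliant=False))
```

Because every probe is a single segment and every answer is either a RST or nothing, the whole decision reduces to `classify`: the scanner has no third signal to tell an open port from a dropped frame, which is exactly the open|filtered ambiguity in the nmap output above.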


