The Xmas Tree Scan (-sX)
The Xmas tree scan sends a TCP frame to a remote device with the URG, PUSH, and FIN flags set. This is called a Xmas tree scan because of the alternating bits turned on and off in the flags byte (00101001), much like the lights of a Christmas tree.

A closed port responds to a Xmas tree scan with a RST:

Source          Destination     Summary 
[]  []  TCP: D=618 S=36793 FIN URG PUSH SEQ=3378228596 LEN=0 WIN=1024
[]  []  TCP: D=36793 S=618 RST ACK=3378228596 WIN=0
Similar to the FIN scan, an open port on a remote station is conspicuous by its silence:

Source          Destination    Summary 
[] []  TCP: D=79 S=36793 FIN URG PUSH SEQ=3378228596 LEN=0 WIN=2048
The Xmas tree scan output shows similar results to the FIN scan:
# nmap -sX -v

Starting nmap 3.81 ( ) at 2005-04-23 21:18 EDT
Initiating XMAS Scan against [1663 ports] at 21:18
The XMAS Scan took 1.55s to scan 1663 total ports.
Host appears to be up ... good.
Interesting ports on
(The 1654 ports scanned but not shown below are in state: closed)
21/tcp   open|filtered ftp
22/tcp   open|filtered ssh
23/tcp   open|filtered telnet
79/tcp   open|filtered finger
110/tcp  open|filtered pop3
111/tcp  open|filtered rpcbind
514/tcp  open|filtered shell
886/tcp  open|filtered unknown
2049/tcp open|filtered nfs
MAC Address: 00:03:47:6D:28:D7 (Intel)

Nmap finished: 1 IP address (1 host up) scanned in 2.432 seconds
               Raw packets sent: 1674 (66.9KB) | Rcvd: 1655 (76.1KB)