The Xmas Tree Scan (-sX)
The Xmas tree scan sends a TCP frame to a remote device with the URG, PUSH, and FIN flags set. This is called a Xmas tree scan because of the alternating bits turned on and off in the flags byte (00101001), much like the lights of a Christmas tree.
A closed port responds to a Xmas tree scan with a RST:
Source         Destination    Summary
--------------------------------------------------------------------------------------
[192.168.0.8]  [192.168.0.7]  TCP: D=618 S=36793 FIN URG PUSH SEQ=3378228596 LEN=0 WIN=1024
[192.168.0.7]  [192.168.0.8]  TCP: D=36793 S=618 RST ACK=3378228596 WIN=0

Similar to the FIN scan, an open port on a remote station is conspicuous by its silence:
Source         Destination    Summary
--------------------------------------------------------------------------------------
[192.168.0.8]  [192.168.0.7]  TCP: D=79 S=36793 FIN URG PUSH SEQ=3378228596 LEN=0 WIN=2048

The Xmas tree scan output shows similar results to the FIN scan:
# nmap -sX -v 192.168.0.7
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-04-23 21:18 EDT
Initiating XMAS Scan against 192.168.0.7 [1663 ports] at 21:18
The XMAS Scan took 1.55s to scan 1663 total ports.
Host 192.168.0.7 appears to be up ... good.
Interesting ports on 192.168.0.7:
(The 1654 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
21/tcp open|filtered ftp
22/tcp open|filtered ssh
23/tcp open|filtered telnet
79/tcp open|filtered finger
110/tcp open|filtered pop3
111/tcp open|filtered rpcbind
514/tcp open|filtered shell
886/tcp open|filtered unknown
2049/tcp open|filtered nfs
MAC Address: 00:03:47:6D:28:D7 (Intel)
Nmap finished: 1 IP address (1 host up) scanned in 2.432 seconds
Raw packets sent: 1674 (66.9KB) | Rcvd: 1655 (76.1KB)
#
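The flag pattern and the response rule described above can be checked from the monitoring side. The following is an added example, not part of the original text or of nmap: it decodes the TCP flags byte, recognises the FIN+PSH+URG probe, and labels each probed port as closed (RST seen) or open|filtered (no reply). The function names are hypothetical and the capture is constructed from the addresses, ports and sequence numbers in the traces above.

```python
import struct

# Flag bits in byte 13 of the TCP header.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
XMAS = FIN | PSH | URG  # 0b00101001, the alternating pattern

def tcp_header(sport, dport, seq, ack, flags, window):
    """Build a 20-byte TCP header (checksum 0) used as constructed sample input."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       5 << 4, flags, window, 0, 0)

def parse_tcp(raw):
    """Decode the fields a detector needs from a raw TCP header."""
    if len(raw) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, _seq, _ack, _off, flags, win = struct.unpack("!HHIIBBH", raw[:16])
    # Mask off the two high bits of the byte, which are not part of the six flags.
    return {"sport": sport, "dport": dport, "flags": flags & 0x3F, "win": win}

def is_xmas(flags):
    """True only for exactly FIN+PSH+URG, with SYN, RST and ACK clear."""
    return flags & 0x3F == XMAS

def classify(capture, scanner, target):
    """Map each Xmas-probed port to 'closed' (RST seen) or 'open|filtered' (silence)."""
    state = {}
    for src, dst, raw in capture:
        seg = parse_tcp(raw)
        if (src, dst) == (scanner, target) and is_xmas(seg["flags"]):
            state.setdefault(seg["dport"], "open|filtered")
        elif (src, dst) == (target, scanner) and seg["flags"] & RST:
            if seg["sport"] in state:
                state[seg["sport"]] = "closed"
    return state

# Constructed capture: (source, destination, raw TCP header) per packet.
CAPTURE = [
    ("192.168.0.8", "192.168.0.7", tcp_header(36793, 618, 3378228596, 0, XMAS, 1024)),
    ("192.168.0.7", "192.168.0.8", tcp_header(618, 36793, 0, 3378228596, RST | ACK, 0)),
    ("192.168.0.8", "192.168.0.7", tcp_header(36793, 79, 3378228596, 0, XMAS, 2048)),
]

if __name__ == "__main__":
    result = classify(CAPTURE, "192.168.0.8", "192.168.0.7")
    for port, st in sorted(result.items()):
        print(f"{port}/tcp {st}")
```
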


