The Xmas Tree Scan (-sX)
The Xmas tree scan sends a TCP frame to a remote device with the URG, PUSH, and FIN flags set. This is called a Xmas tree scan because of the alternating bits turned on and off in the flags byte (00101001), much like the lights of a Christmas tree.


A closed port responds to a Xmas tree scan with a RST:

Source          Destination     Summary 
--------------------------------------------------------------------------------------
[192.168.0.8]  [192.168.0.7]  TCP: D=618 S=36793 FIN URG PUSH SEQ=3378228596 LEN=0 WIN=1024
[192.168.0.7]  [192.168.0.8]  TCP: D=36793 S=618 RST ACK=3378228596 WIN=0

Similar to the FIN scan, an open port on a remote station is conspicuous by its silence:

Source          Destination    Summary 
--------------------------------------------------------------------------------------
[192.168.0.8] [192.168.0.7]  TCP: D=79 S=36793 FIN URG PUSH SEQ=3378228596 LEN=0 WIN=2048

The Xmas tree scan output shows similar results to the FIN scan:

# nmap -sX -v 192.168.0.7

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-04-23 21:18 EDT
Initiating XMAS Scan against 192.168.0.7 [1663 ports] at 21:18
The XMAS Scan took 1.55s to scan 1663 total ports.
Host 192.168.0.7 appears to be up ... good.
Interesting ports on 192.168.0.7:
(The 1654 ports scanned but not shown below are in state: closed)
PORT     STATE         SERVICE
21/tcp   open|filtered ftp
22/tcp   open|filtered ssh
23/tcp   open|filtered telnet
79/tcp   open|filtered finger
110/tcp  open|filtered pop3
111/tcp  open|filtered rpcbind
514/tcp  open|filtered shell
886/tcp  open|filtered unknown
2049/tcp open|filtered nfs
MAC Address: 00:03:47:6D:28:D7 (Intel)

Nmap finished: 1 IP address (1 host up) scanned in 2.432 seconds
               Raw packets sent: 1674 (66.9KB) | Rcvd: 1655 (76.1KB)
#
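
The probe in the traces above can be recognised on the wire by its flags byte alone, since a frame with FIN, PUSH and URG set and no ACK does not occur in a normal TCP conversation. The following Python code is an added example, not part of the original guide: it parses IPv4/TCP headers and reports every source that probes several ports with exactly those three flags set. The packets are constructed to mirror the traces above; the host 192.168.0.9, the min_ports threshold and all function names are assumptions made for the example.

```python
import socket
import struct
from collections import defaultdict

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
XMAS = FIN | PSH | URG  # 0x29 == 0b00101001, the flags byte described above

def build_packet(src, dst, sport, dport, flags, seq=3378228596, win=1024):
    """Constructed sample: minimal IPv4 + TCP headers (checksums left at 0)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, win, 0, 0)
    return ip + tcp

def parse_tcp(packet):
    """Return (src, dst, sport, dport, flags), or None if not IPv4/TCP."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 6:
        return None
    ihl = (packet[0] & 0x0F) * 4          # IP header length in bytes
    if ihl < 20 or len(packet) < ihl + 14:
        return None
    sport, dport = struct.unpack_from("!HH", packet, ihl)
    flags = packet[ihl + 13] & 0x3F       # drop the ECN bits (CWR/ECE)
    return (socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20]),
            sport, dport, flags)

def find_xmas_scanners(packets, min_ports=3):
    """Map source IP -> sorted destination ports probed with FIN+PSH+URG."""
    probed = defaultdict(set)
    for pkt in packets:
        parsed = parse_tcp(pkt)
        # Exact match: any ACK, SYN or RST bit means this is not the Xmas probe.
        if parsed and parsed[4] == XMAS:
            probed[parsed[0]].add(parsed[3])
    return {src: sorted(ports) for src, ports in probed.items()
            if len(ports) >= min_ports}

# Constructed capture modelled on the traces above (not real traffic).
CAPTURE = [
    build_packet("192.168.0.8", "192.168.0.7", 36793, 618, XMAS),
    build_packet("192.168.0.7", "192.168.0.8", 618, 36793, RST | ACK, seq=0, win=0),
    build_packet("192.168.0.8", "192.168.0.7", 36793, 79, XMAS, win=2048),
    build_packet("192.168.0.8", "192.168.0.7", 36793, 21, XMAS),
    build_packet("192.168.0.9", "192.168.0.7", 40000, 22, SYN),  # ordinary connect
]

if __name__ == "__main__":
    print(find_xmas_scanners(CAPTURE))
```

The RST reply from the closed port and the ordinary SYN are ignored; only the scanning host is reported, together with the ports it probed.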