The Null Scan (-sN)
The null scan sends a TCP frame with every flag turned off, a combination that should never occur in real-world traffic.


If the port is closed, a RST frame should be returned:

Source          Destination     Summary 
--------------------------------------------------------------------------------------
[192.168.0.8]  [192.168.0.7]  TCP: D=438 S=36860     WIN=4096
[192.168.0.7]  [192.168.0.8]  TCP: D=36860 S=438 RST ACK=2135565682 WIN=0

As expected, a null scan probe sent to an open port draws no response:

Source          Destination     Summary 
--------------------------------------------------------------------------------------
[192.168.0.8]  [192.168.0.7]  TCP: D=110 S=36860     WIN=1024

The null scan showed the same results as the FIN scan and the Xmas tree scan:

# nmap -sN -v 192.168.0.7

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-04-23 21:19 EDT
Initiating NULL Scan against 192.168.0.7 [1663 ports] at 21:19
The NULL Scan took 1.42s to scan 1663 total ports.
Host 192.168.0.7 appears to be up ... good.
Interesting ports on 192.168.0.7:
(The 1654 ports scanned but not shown below are in state: closed)
PORT     STATE         SERVICE
21/tcp   open|filtered ftp
22/tcp   open|filtered ssh
23/tcp   open|filtered telnet
79/tcp   open|filtered finger
110/tcp  open|filtered pop3
111/tcp  open|filtered rpcbind
514/tcp  open|filtered shell
886/tcp  open|filtered unknown
2049/tcp open|filtered nfs
MAC Address: 00:03:47:6D:28:D7 (Intel)

Nmap finished: 1 IP address (1 host up) scanned in 2.251 seconds
               Raw packets sent: 1674 (66.9KB) | Rcvd: 1655 (76.1KB)
#
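
Because no normal TCP exchange produces a frame with every flag off, the probes in the traces above are simple to detect; the following Python sketch is an added example (not part of the original page or of nmap) that parses raw TCP headers and reports source/destination pairs where flagless frames reached several ports. The function names, the min_ports threshold, the 192.168.0.9 host and the packet bytes are assumptions constructed for illustration.

```python
import struct
from collections import defaultdict

TCP_FMT = "!HHIIBBHHH"  # ports, seq, ack, data offset, flags, window, checksum, urgent

def tcp_header(sport, dport, flags, win):
    """Build a 20-byte TCP header for the constructed samples (checksum left at 0)."""
    return struct.pack(TCP_FMT, sport, dport, 0, 0, 5 << 4, flags, win, 0, 0)

def parse_tcp(raw):
    """Return (source port, destination port, flag bits) from a raw TCP header."""
    sport, dport, _seq, _ack, _off, flags, _win, _sum, _urg = struct.unpack(TCP_FMT, raw[:20])
    return sport, dport, flags & 0x3F  # URG, ACK, PSH, RST, SYN, FIN

def find_null_scanners(packets, min_ports=3):
    """Map (src, dst) to the sorted ports that received flagless frames,
    keeping only pairs with at least min_ports distinct ports probed."""
    probed = defaultdict(set)
    for src, dst, raw in packets:
        if len(raw) < 20:
            continue  # truncated header: flags cannot be read
        _sport, dport, flags = parse_tcp(raw)
        if flags == 0:  # no flag set, which no normal TCP exchange produces
            probed[(src, dst)].add(dport)
    return {k: sorted(v) for k, v in probed.items() if len(v) >= min_ports}

RST_ACK, SYN = 0x14, 0x02
# Constructed sample traffic modelled on the traces above.
SAMPLE = [
    ("192.168.0.8", "192.168.0.7", tcp_header(36860, 438, 0, 4096)),
    ("192.168.0.7", "192.168.0.8", tcp_header(438, 36860, RST_ACK, 0)),  # closed-port reply
    ("192.168.0.8", "192.168.0.7", tcp_header(36860, 110, 0, 1024)),
    ("192.168.0.8", "192.168.0.7", tcp_header(36860, 21, 0, 1024)),
    ("192.168.0.9", "192.168.0.7", tcp_header(40000, 22, SYN, 8192)),  # normal connect
    ("192.168.0.9", "192.168.0.7", b"\x00" * 8),  # truncated, skipped
]

if __name__ == "__main__":
    for (src, dst), ports in find_null_scanners(SAMPLE).items():
        print(f"{src} sent flagless TCP frames to {dst} ports {ports}")
```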