Advantages of the FIN, Xmas Tree, and Null Scan
Since no TCP sessions are created for any of these scans, they are remarkably quiet from the perspective of the remote device's applications. Therefore, none of these scans should appear in any of the application logs.


These scans are also some of the most minimal port-level scans that nmap can execute. For a closed port, only two packets are transferred. A single frame is all that's necessary to find an open port!


Disadvantages of the FIN, Xmas Tree, and Null Scan
Unfortunately, Microsoft's implementation of the TCP/IP stack renders these particular scans less than useful. On a Windows-based computer, all ports will appear to be closed regardless of their actual state. This provides a backhanded advantage, since any device showing open ports must not be a Windows-based device!

These scan types are using packets that do not follow the rules of TCP. To create these specialized packets, the raw sockets capability of the operating system builds the packets from scratch. This avoids the operating system requirements that are usually forced on IP communication, but it also requires that the user running these nmap scans have privileged access to the system.


Some operating systems limit the number of RST packets sent to a single station, and these limits can cause nmap to incorrectly assume that the port is open. I had to disable the ICMP rate limiting on my FreeBSD system to create the examples shown in this document. Disabling rate limiting shouldn't be done in normal use! More information about rate limiting can be found in the FreeBSD FAQ:

http://www.freebsd.org/doc/en_US.ISO8859-1/books/faq/networking.html#ICMP-RESPONSE-BW-LIMIT
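The behaviour described above (an open port silently discards the abnormal probe, a closed port answers with a RST, a Windows-style stack answers RST for every port, and a RST rate limiter makes closed ports look open) is easy to lose track of, so here is a small Python model of it together with a detector for these probe shapes in a packet record. This is an example added for this page, not nmap's code or output. It assumes the usual flag sets for the three scans (FIN alone, FIN+PSH+URG for the Xmas tree scan, no flags for the Null scan); the `Stack` and `Segment` classes, the `rst_limit` knob and the sample addresses are constructed for the illustration.

```python
"""Toy model of how a remote TCP stack answers FIN, Xmas tree and Null probes,
plus a detector for those probe shapes in a packet record.
Added example for this page; not nmap's code. Flag sets assumed: FIN alone,
FIN+PSH+URG (Xmas tree), no flags (Null)."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
XMAS, NULL = FIN | PSH | URG, 0
PROBE_NAMES = {FIN: "FIN", XMAS: "Xmas", NULL: "Null"}


@dataclass
class Stack:
    """Constructed model of the scanned host's TCP stack."""
    open_ports: Set[int]
    windows_like: bool = False       # answers RST for every port, open or closed
    rst_limit: Optional[int] = None  # max RSTs it will send (models RST/ICMP rate limiting)
    rsts_sent: int = 0

    def respond(self, dport: int, flags: int) -> Optional[str]:
        """Return "RST" or None (silence) for one abnormal probe."""
        if flags & (SYN | ACK) or flags not in PROBE_NAMES:
            raise ValueError("only FIN, Xmas and Null probes are modelled")
        if dport in self.open_ports and not self.windows_like:
            return None  # RFC 793 behaviour: an open port discards the segment silently
        # closed port (or any port on a Windows-like stack): a RST is due
        if self.rst_limit is not None and self.rsts_sent >= self.rst_limit:
            return None  # rate limiter drops the RST, so the scanner hears nothing
        self.rsts_sent += 1
        return "RST"


def scan(stack: Stack, ports: Iterable[int], flags: int = FIN) -> Dict[int, str]:
    """What a scanner infers: RST means closed; silence is reported as open|filtered,
    because it cannot tell an open port from a dropped or rate-limited reply."""
    return {p: "closed" if stack.respond(p, flags) == "RST" else "open|filtered"
            for p in ports}


def packets_exchanged(stack: Stack, port: int, flags: int = FIN) -> int:
    """Frames on the wire for one port: the probe, plus a RST if the port is closed."""
    return 2 if stack.respond(port, flags) == "RST" else 1


@dataclass
class Segment:
    """One TCP segment from a constructed capture."""
    src: str
    dst: str
    dport: int
    flags: int


def classify_probe(flags: int) -> Optional[str]:
    """Name the abnormal probe a segment represents, or None for ordinary TCP traffic."""
    if flags & (SYN | ACK | RST):
        return None  # handshake, data and normal FIN/ACK teardown are not probes
    return PROBE_NAMES.get(flags)


def detect_scans(segments: Iterable[Segment], min_ports: int = 3) -> Dict[Tuple[str, str], List[int]]:
    """Group abnormal probes by (source, probe type); report sources that touched
    at least min_ports distinct ports, which is the signature a sensor would alert on."""
    seen: Dict[Tuple[str, str], Set[int]] = {}
    for s in segments:
        kind = classify_probe(s.flags)
        if kind is not None:
            seen.setdefault((s.src, kind), set()).add(s.dport)
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_ports}


# Constructed sample traffic: one host Xmas-probing three ports, plus normal traffic.
SAMPLE = [
    Segment("10.0.0.5", "10.0.0.9", 22, XMAS),
    Segment("10.0.0.5", "10.0.0.9", 80, XMAS),
    Segment("10.0.0.5", "10.0.0.9", 443, XMAS),
    Segment("10.0.0.7", "10.0.0.9", 80, SYN),        # ordinary connection attempt
    Segment("10.0.0.7", "10.0.0.9", 80, FIN | ACK),  # ordinary teardown
    Segment("10.0.0.8", "10.0.0.9", 25, NULL),       # a single Null probe, below threshold
]

if __name__ == "__main__":
    print(scan(Stack(open_ports={22, 80}), [22, 80, 443]))
    print(scan(Stack(open_ports={22}, windows_like=True), [22, 443]))
    print(scan(Stack(open_ports=set(), rst_limit=2), [1, 2, 3, 4]))
    print(detect_scans(SAMPLE))
```

The third `scan` call in the `__main__` block is the rate-limiting case from this section: every port is closed, but once the stack's RST budget is spent the remaining ports come back silent and are reported as open|filtered. Because these probes never appear in application logs, the `detect_scans` side of the example shows where they can still be seen: a network sensor that keys on segments with no SYN, ACK or RST bit and groups them by source address.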



When to use the FIN, Xmas Tree, and Null Scan
Although TCP SYN scans are relatively subtle, the FIN, Xmas tree, and null scans are even more invisible on the network. They don't show up in application log files, they take little network bandwidth, and they provide extensive port information on non-Windows-based systems. If the scanned device is susceptible to these odd TCP packets, information can be gathered with only a whisper of network communication!