• Irongeek Security
• Hacking Illustrated Videos
• InfoSec Articles
• Mobile Pen-testing Tools
• Apps/Scripts
• Reviews
• RSS
• Your IP
• Podcasts
• Hoosier Hackers
• Newscat
• Links
• Contact
• Forums
• Workout
• Nutrition
• Supplements
• Humor
• Irongeek Campuses
• Fed Watch
• Books
• Store
• About
• Follow @irongeek_adc

Xmas scan with Nmap

        According to RFC 793, if a closed port gets a TCP packet without the SYN, RST, or ACK flag being set, it is suppose to respond with a RST packet. If the port is open, the TCP stack is suppose to just drop the packet without giving a response. Not all Operating Systems follow the RFC to the letter however, and these discrepancies allow for OS fingerprinting. I've covered OS fingerprinting in other videos (which I will link off to later), this video will just illustrates the point by showing off Nmap's XMAS scan option which sets only the FIN, PSH, and URG flags and nothing else. I'll also be using Zenmap, Ndiff and Wireshark to help you get the idea.

Download:
http://blip.tv/file/get/Irongeek-xmas874.wmv

Fyodor's Docs on the subject
http://nmap.org/book/man-port-scanning-techniques.html

Basic Nmap Usage
http://www.irongeek.com/i.php?page=videos/nmap1

Nmap Video Tutorial 2: Port Scan Boogaloo
http://www.irongeek.com/i.php?page=videos/nmap2

NDiff: Comparing two Nmap 5 scans to find changes in your network
http://www.irongeek.com/i.php?page=videos/ndiff-nmap-5

Nmap presentation for the ISSA in Louisville Kentucky
http://www.irongeek.com/i.php?page=videos/nmap-louisville-issa
 

And the "poem":

Twas the night of my pen-test, and all though the net,
not a host was responding, with normal flags set.

My hacking was hung by this current affair,
in hopes that some port would maybe be there.

My net was all quite, not even netbios chatter,
I went to my docs, to see what was the matter.

Then from Fyodor I found my solution,
an XMAS scan may bring resolution.
 

Printable version of this article