USING NMAP TO PERFORM NULL SCANS: Null scans, like Xmas tree scans, are probes made with packets that violate traditional TCP communication.
In many ways, the null scan is the exact opposite of a Xmas tree scan: where the Xmas tree scan lights up the FIN, PSH and URG flags, the null scan uses packets that have no flags set at all (the flags field is completely empty).
Target systems respond to null scans in exactly the same way they respond to Xmas tree scans. Specifically, an open port on the target system sends no response back to Nmap,
whereas a closed port responds with an RST packet. It is important to remember that these scans are only reliable against operating systems whose TCP stack complies fully with the TCP RFC (RFC 793); Windows, for example, answers both open and closed ports with an RST, so every port looks closed. Because silence is also what a dropped packet looks like, Nmap reports a port that does not answer as "open|filtered" rather than simply "open".
One of the main advantages of running Xmas tree and null scans is that in some cases you are able to bypass simple filters and access control lists. Some of these primitive filters work by blocking inbound SYN packets. The thinking behind this type of filter is that by preventing the SYN packet from entering the system,
it is not possible for the three-way handshake to occur, and if the three-way handshake does not occur, no TCP communication can be originated from outside of the filter.
It is important to understand that neither the Xmas tree nor the null scans seek to establish any type of communication channel. The whole goal of these scans is to determine if a port is open or closed.
With the previous two paragraphs in mind, consider the following example.
Assume that our Network Admin Ben Owned puts a simple firewall in front of his system to prevent anyone outside of his network from connecting to the system.
The firewall works by simply dropping any external communications that begin with a SYN packet. Ben hires his buddy, the ethical hacker, to scan his system.
The ethical hacker's initial TCP connect scan shows nothing. However, being a seasoned penetration tester, the ethical hacker follows up his initial scan with UDP, Xmas tree, and null scans. The ethical hacker smiles when he discovers that both his Xmas tree and null scans reveal open ports on Ben's system.
This scenario is possible because Nmap creates the Xmas tree and null packets without the SYN flag set. Because the filter only drops incoming packets with the SYN flag, the Xmas tree and null packets are allowed through, and the target's RFC-compliant stack still answers closed ports with an RST. To run a null scan against every TCP port, skipping host discovery, we issue the following command in a terminal.
nmap -sN -p- -Pn 192.168.18.132
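The following is an added example, not code from the book or from Nmap, that models the two points above in one place: how an RFC 793-compliant host answers SYN, Xmas tree and null probes on open and closed ports, and why a filter that only drops inbound SYN packets lets the Xmas tree and null probes through. It builds real 20-byte TCP headers (the checksum is left at zero, a simplification for the demo since there is no IP pseudo-header here) and the port numbers, the "SYN filter" and the target host are all constructed for the example.

```python
import struct

# TCP flag bits in the 6-bit flags field (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# The three probe types discussed in the text, named the way Nmap names them.
PROBES = {
    "connect/SYN": SYN,            # -sT / -sS: starts a normal three-way handshake
    "Xmas (-sX)":  FIN | PSH | URG, # "lights up" FIN, PSH and URG
    "Null (-sN)":  0,               # no flags at all
}


def build_tcp_header(sport, dport, flags, seq=0, ack=0, window=1024):
    """Build a 20-byte TCP header with no options.

    Data offset is 5 (20 bytes). Checksum and urgent pointer are zero:
    a simplification for this offline demo (no IP pseudo-header available).
    """
    offset_flags = (5 << 12) | (flags & 0x3F)
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                       offset_flags, window, 0, 0)


def parse_flags(header):
    """Return the 6 flag bits of a TCP header built by build_tcp_header."""
    offset_flags = struct.unpack("!H", header[12:14])[0]
    return offset_flags & 0x3F


def rfc793_respond(header, open_ports):
    """Model a host whose stack follows RFC 793 to the letter.

    Returns the flags of the reply segment, or None if the host stays silent.
    """
    dport = struct.unpack("!H", header[2:4])[0]
    flags = parse_flags(header)
    if flags & RST:
        return None                      # a RST is never answered
    if dport not in open_ports:
        # CLOSED state: any incoming non-RST segment is answered with a RST.
        return RST if flags & ACK else RST | ACK
    # LISTEN state (open port):
    if flags & SYN:
        return SYN | ACK                 # normal handshake continues
    if flags & ACK:
        return RST                       # a stray ACK on a listening port gets RST
    return None                          # FIN/PSH/URG-only or empty segments are dropped


def syn_filter_passes(header):
    """Primitive firewall from the scenario: drop inbound segments with SYN set."""
    return not (parse_flags(header) & SYN)


def classify(probe_name, reply):
    """Turn a reply (or silence) into the state Nmap would report."""
    if probe_name == "connect/SYN":
        if reply is None:
            return "filtered"
        return "open" if reply & SYN else "closed"
    # Xmas / Null: RST means closed; silence cannot be told apart from a drop.
    return "closed" if reply is not None and reply & RST else "open|filtered"


def scan(ports, open_ports, syn_filter_on):
    """Run every probe type against every port; return {(probe, port): state}."""
    results = {}
    for name, flags in PROBES.items():
        for port in ports:
            hdr = build_tcp_header(40000, port, flags)
            if syn_filter_on and not syn_filter_passes(hdr):
                reply = None             # firewall silently dropped the probe
            else:
                reply = rfc793_respond(hdr, open_ports)
            results[(name, port)] = classify(name, reply)
    return results


if __name__ == "__main__":
    # Constructed target: ports 22 and 80 listening, 443 closed.
    target_open = {22, 80}
    for filtered in (False, True):
        print("SYN-dropping filter:", "on" if filtered else "off")
        for (name, port), state in scan([22, 80, 443], target_open, filtered).items():
            print(f"  {name:12s} port {port:3d}: {state}")
```

With the filter on, the connect/SYN probes never reach the host, so every port comes back "filtered", exactly the "shows nothing" result in the scenario; the Xmas tree and null probes pass the filter, closed ports still answer with RST, and the remaining silent ports are the ones worth following up as open|filtered.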
By Patrick Engebretson | SYNGRESS | USING NMAP TO PERFORM NULL SCANS