[End] Network Vulnerability and Scanning: Other NMAP Scans (NULL, FIN, XMAS, ACK, IDLE)


There are some other scanning techniques in Nmap which are not used as much as the ones mentioned in the previous lessons. However, in some cases you may need other ways to discover the sensitive hosts in a network.

📜 In the figure above, there are three types of scans: the Null scan, the FIN scan and the Xmas scan. The common feature of these three scanning methods is that they send packets to the target systems in which the SYN, ACK and RST flags are not set.

▶️ Null scan (-sN) does not set any flag bits: the TCP flags field of the header is 0.

▶️ Fin scan (-sF) sets just the TCP FIN bit.

▶️ Xmas scan (-sX) sets the FIN, PSH (push) and URG flags, lighting up the packet like a Christmas tree.

📁 There are two rules defined in the RFC standards about such packets:

How Nmap interprets responses to a NULL, FIN, or Xmas scan probe

These three scan types behave exactly the same except for the TCP flags set in the probe packets. Responses are treated as shown in the figure above.

If a RST packet is received, the port is considered closed, while no response means that it is open|filtered. If an ICMP unreachable error is received, the port is marked as filtered. Thus, the result of these scan types tells you whether a port is closed, but not whether a non-closed port is open or merely filtered.

ACK Scan (-sA):

⭐️ This scan is different from the others discussed so far: it never determines open (or even open|filtered) ports. It is used to map out firewall rule sets, determining whether the firewall is stateful and which ports are filtered.

How Nmap interprets responses to an ACK scan probe

⭐️ The ACK scan probe packet has only the ACK flag set. When scanning unfiltered systems, both open and closed ports return a RST packet. Nmap then labels them as unfiltered.

⭐️ This means that the ports are reachable by the ACK packet. However, whether they are open or closed is undetermined.

⭐️ Ports that don’t respond, or that send certain ICMP error messages back, are labeled as filtered.

In the figure above, the result shows the port state as unfiltered, instead of the open, closed or filtered states that a normal scan reports.
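To make the two interpretation tables above concrete, here is an added example (not code from the original post or from Nmap itself): it names the probe type from a TCP flags byte, maps the response each scan type receives to the state Nmap reports, and, from a defender's side, picks out sources sending packets with none of SYN/ACK/RST set, the common feature of Null, FIN and Xmas probes. The packet records and addresses are constructed sample data.

```python
from typing import Optional

# TCP flag bits as they appear in the flags byte of the TCP header.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

def probe_type(flags: int) -> Optional[str]:
    """Name the Nmap probe a TCP flags byte corresponds to, if any."""
    if flags == 0:
        return "NULL"              # -sN: no flag bits at all
    if flags == FIN:
        return "FIN"               # -sF: only FIN
    if flags == FIN | PSH | URG:
        return "XMAS"              # -sX: FIN, PSH and URG
    if flags == ACK:
        return "ACK"               # -sA: only ACK
    return None                    # ordinary traffic (SYN, SYN/ACK, PSH/ACK, ...)

def port_state(scan: str, response: str) -> str:
    """Port state Nmap reports for a probe of the given scan type.
    response is 'RST', 'NONE' (no reply) or 'ICMP_UNREACH'."""
    if scan in ("NULL", "FIN", "XMAS"):
        return {"RST": "closed", "NONE": "open|filtered",
                "ICMP_UNREACH": "filtered"}[response]
    if scan == "ACK":
        # RST comes back from open and closed ports alike: reachable, so "unfiltered"
        return {"RST": "unfiltered", "NONE": "filtered",
                "ICMP_UNREACH": "filtered"}[response]
    raise ValueError("unknown scan type: " + scan)

# Constructed sample of (src, dst_port, flags) records seen by a sensor.
SAMPLE = [("10.0.0.5", 22, SYN), ("10.0.0.5", 22, ACK | PSH),
          ("10.0.0.9", 80, 0), ("10.0.0.9", 443, 0), ("10.0.0.9", 8080, 0),
          ("10.0.0.9", 21, FIN | PSH | URG), ("10.0.0.7", 25, FIN)]

def stealth_probe_sources(packets, threshold=3):
    """Sources that sent at least `threshold` packets with none of SYN, ACK
    or RST set; a detection heuristic assumed here, not an Nmap feature."""
    counts = {}
    for src, _dport, flags in packets:
        if flags & (SYN | ACK | RST) == 0:
            counts[src] = counts.get(src, 0) + 1
    return sorted(src for src, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    for src, dport, flags in SAMPLE:
        print(src, dport, probe_type(flags))
    print("suspected stealth-scan sources:", stealth_probe_sources(SAMPLE))
```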

Idle Scan (-sI):

⚡️ Idle scan is an advanced scan technique that allows a truly blind TCP port scan of the target. Truly blind means that no packets are sent to the target from your real IP address.

⚡️ Instead, a unique side-channel attack exploits the predictable IP fragmentation ID sequence generation on the zombie host to gather information about the open ports on the target.

⚡️ An IDS will display the scan as coming from the zombie machine that you specified.

The idle scan is based on three facts:

  • As you already know, one way to determine whether a TCP port is open or closed is to send it a SYN packet: the target machine responds with a SYN/ACK packet if the port is open and with RST if the port is closed.
  • A machine that receives an unexpected SYN/ACK packet responds with RST, while an unexpected RST is ignored.
  • Every IP packet on the internet has a fragment identification number (IP ID). Since many operating systems simply increment this number for each packet they send, probing for the IP ID can tell an attacker how many packets have been sent since the last probe.

Open Port:

Let’s see what happens in an idle scan if the target port is open.

The conclusion is that the port is open.

Closed Port:

Now let’s see what happens in an idle scan if the target port is closed.

The conclusion is that the port is closed (not open).

Filtered Port:

Let’s see what happens in an idle scan if the target port is filtered.

The conclusion is that the port is closed (not open). From the attacker’s point of view, a filtered port is indistinguishable from a closed port. WHY ❓ Because in both cases the zombie’s IP ID increases by only one.
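The three facts and the three cases above, as an added simulation that is not part of the original post: an idle host with an incremental IP ID counter, a target whose port states are constructed, and the delta check that separates open (IP ID rises by 2) from closed|filtered (rises by 1). No real packets are sent; the classes and their names are assumptions made for the illustration.

```python
class Zombie:
    """Idle host whose IP ID counter increments once per packet it sends."""
    def __init__(self, start=1000):
        self.ip_id = start

    def send(self):
        self.ip_id += 1          # every emitted packet consumes one IP ID
        return self.ip_id

    def receive(self, segment):
        # Fact 2: an unexpected SYN/ACK is answered with RST; an unexpected RST is ignored.
        if segment == "SYN/ACK":
            self.send()

class Target:
    def __init__(self, states):
        self.states = states     # port -> "open" | "closed" | "filtered"

    def receive_syn(self, port):
        # Fact 1: open -> SYN/ACK, closed -> RST; a filtered port drops the SYN (no reply).
        return {"open": "SYN/ACK", "closed": "RST"}.get(self.states[port])

def probe_ip_id(zombie):
    """Fact 3: elicit one packet from the zombie and read its current IP ID."""
    return zombie.send()

def idle_scan_port(zombie, target, port):
    before = probe_ip_id(zombie)
    reply = target.receive_syn(port)   # the SYN carries the zombie's address, so
    if reply is not None:              # the target answers the zombie, not the scanner
        zombie.receive(reply)
    after = probe_ip_id(zombie)
    delta = after - before             # 1 for the probe itself, +1 if the zombie sent a RST
    return "open" if delta == 2 else "closed|filtered"

if __name__ == "__main__":
    target = Target({23: "open", 80: "open", 443: "closed", 8443: "filtered"})
    zombie = Zombie()
    for port in (23, 80, 443, 8443):
        print(port, idle_scan_port(zombie, target, port))
```

The closed and filtered cases give the same delta of 1, which is exactly why the idle scan reports closed|filtered rather than distinguishing the two.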

Let’s perform an idle scan:

In order to perform an idle scan, we first need a zombie computer on the network which has incremental IP ID sequencing. Fortunately, there is an Nmap script to help us find a computer that is suitable to become a zombie.

First, let’s find the scripts whose names start with ipid, using the command in the figure above.

Use the script with the IP address block of our network. To keep it very simple, we will scan the top 2 ports. In the figure above, (target machine: Metasploitable) and is our Kali Linux machine. The IP ID sequence of both of these machines is all zeros, so neither can be used as a zombie. In addition, the is the default gateway, and it has incremental sequencing, so it can be used as a zombie system.

PS: if ipidseq.nse is not working and gives errors, try getting the script from the official site: https://nmap.org/nsedoc/scripts/ipidseq.html

We will try to use the Kali Linux machine as a zombie to scan our target machine, Metasploitable. I know that this is unnecessary and has no meaning when we use the attacker machine as the zombie.

🌟 However, I just want to show that the Idle scan (-sI) will not work when the IP ID sequence is all zeros. In addition, this scan will also never work when a randomized IP ID sequence is used.

Now it is time to use a system which has an incremental IP ID sequence class. Once again, to keep it simple, I just scan the top 3 ports. The scan completed successfully.

Let’s compare the SYN scan with the idle scan under the same conditions. Ports 23 and 80 are open in both scans. According to the SYN scan, port 443 is closed. We also know that the idle scan is not able to distinguish between a closed port and a filtered port. Thus, the idle scan flagged port 443 as closed|filtered.

Now, let’s run the last nmap query with the --reason option. As you can notice, ports 23 and 80 are flagged as open because the IP ID changed during the probe, whereas the IP ID sequence for port 443 did not change, so that port is flagged closed|filtered.

✌️ I just finished the network vulnerability and scanning lesson in terms of NMAP 🌼

Thanks for reading 😄

A Bachelor of CS student majoring in Network Security (UniSZa). Every story I share is based on my personal opinion. Thank you. Doing my internship now.