1
00:00:00,300 --> 00:00:05,250
Up to now we have seen the most important scanning types to discover a network.

2
00:00:05,400 --> 00:00:10,830
There are some other scanning techniques in Nmap which are not used as much as the others. But in some

3
00:00:10,830 --> 00:00:17,300
cases you may need to find some other ways to be able to discover the sensitive hosts in a network.

4
00:00:17,310 --> 00:00:20,230
In this slide we'll see 3 more scan types:

5
00:00:20,230 --> 00:00:26,500
NULL, FIN and XMAS scans. The common ground of these three scanning methods,

6
00:00:26,510 --> 00:00:26,990
NULL,

7
00:00:27,040 --> 00:00:28,990
FIN and XMAS scans,

8
00:00:29,360 --> 00:00:38,170
is that they send packets to the target systems in which SYN, ACK and RST flags are not set.

9
00:00:38,970 --> 00:00:49,510
Null scan (-sN) does not set any bits, i.e. the TCP flag header is 0. FIN scan (-sF) sets

10
00:00:49,540 --> 00:01:00,570
just the TCP FIN bit. Xmas scan (-sX) sets the FIN, PSH, and URG flags, lighting the

11
00:01:00,570 --> 00:01:03,800
packet up like a Christmas tree.

12
00:01:03,820 --> 00:01:08,760
There are two rules defined in RFC standards about such packets:

13
00:01:08,790 --> 00:01:15,720
The first rule is, if the destination port state is CLOSED, an incoming segment not containing a RST

14
00:01:16,170 --> 00:01:19,440
causes a RST to be sent in response.

15
00:01:19,440 --> 00:01:28,540
The second rule is, packets sent to OPEN ports without the SYN, RST, or ACK bits set are dropped. These three scan

16
00:01:28,540 --> 00:01:35,060
types are exactly the same in behaviour except for the TCP flags set in probe packets.

17
00:01:36,130 --> 00:01:44,360
If a RST packet is received, the port is considered closed, while no response means it is open or filtered.

18
00:01:45,460 --> 00:01:54,540
If an ICMP unreachable error (type 3, code 0, 1, 2, 3, 9, 10, or 13) is received,

19
00:01:55,360 --> 00:02:01,660
the port is marked as filtered. So as a result, with these types of scans you can find out if a port

20
00:02:01,660 --> 00:02:03,150
is closed or not.

21
00:02:03,220 --> 00:02:07,670
It's not possible to understand if it's open or filtered if there's no response.

22
00:02:07,780 --> 00:02:14,020
This scan is different than the others discussed so far in that it never determines open (or even open|filtered)

23
00:02:14,020 --> 00:02:15,160
ports.

24
00:02:16,050 --> 00:02:22,860
It's used to map out firewall rulesets, determining whether they're stateful or not and which ports are

25
00:02:22,860 --> 00:02:31,200
The ACK scan probe packet has only the ACK flag set. When scanning unfiltered systems, open and

26
00:02:31,200 --> 00:02:37,530
closed ports will both return a RST packet. Nmap then labels them as unfiltered, meaning that they

27
00:02:37,530 --> 00:02:44,300
are reachable by the ACK packet. But whether they are open or closed is undetermined. Ports that don't

28
00:02:44,300 --> 00:02:47,870
respond or send certain ICMP error messages back

29
00:02:47,870 --> 00:02:54,310
(type 3, code 0, 1, 2, 3, 9, 10, or 13), are labeled filtered.
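As an added example, not part of the lecture and not Nmap's own code: a small Python classifier that names a probe by its TCP flag bits, applies the two RFC rules from the lecture to derive the port state Nmap reports for each kind of reply, and, on the defender's side, flags sources sending such probes in a set of constructed flow records (the addresses, ports and `threshold` value are constructed for illustration).

```python
# Added example, not from the lecture or Nmap: name a probe by its TCP flags,
# map the target's reply to the Nmap port state, and flag scanning sources.
from typing import Optional

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
# ICMP type 3 (destination unreachable) codes that Nmap labels "filtered".
FILTERED_ICMP_CODES = {0, 1, 2, 3, 9, 10, 13}

def probe_type(flags: int) -> Optional[str]:
    """Name the scan a probe belongs to by its flags alone. None means ordinary
    traffic (anything carrying SYN, or ACK with other flags like ACK|PSH)."""
    if flags == 0:
        return "NULL"
    if flags == FIN:
        return "FIN"
    if flags == FIN | PSH | URG:
        return "XMAS"
    if flags == ACK:
        return "ACK"
    return None

def port_state(scan: str, reply: Optional[str], icmp_code: Optional[int] = None) -> str:
    """Apply the two RFC rules and Nmap's labelling from the lecture.
    reply is "RST", "ICMP" (type 3 with icmp_code) or None (no answer)."""
    if reply == "ICMP":
        return "filtered" if icmp_code in FILTERED_ICMP_CODES else "unknown"
    if scan in ("NULL", "FIN", "XMAS"):
        # Rule 1: a CLOSED port answers any non-RST segment with RST. Rule 2: an
        # OPEN port drops a segment lacking SYN/RST/ACK, exactly as a firewall would.
        return "closed" if reply == "RST" else "open|filtered"
    if scan == "ACK":
        # Open and closed ports both answer a bare ACK with RST (reachable, but
        # open vs closed undetermined); silence means a filter dropped the probe.
        return "unfiltered" if reply == "RST" else "filtered"
    raise ValueError(f"unknown scan type: {scan}")

def suspicious_sources(packets, threshold: int = 3):
    """Detection side: sources sending more than `threshold` NULL/FIN/XMAS probes.
    Bare ACKs occur in every normal connection, so they are not counted."""
    counts = {}
    for src, _dst_port, flags in packets:
        if probe_type(flags) in ("NULL", "FIN", "XMAS"):
            counts[src] = counts.get(src, 0) + 1
    return sorted(s for s, n in counts.items() if n > threshold)

# Constructed sample: 10.0.0.5 sweeps four ports with FIN, NULL and XMAS probes;
# 10.0.0.9 is an ordinary client (SYN, then ACK|PSH data, then a bare ACK).
SAMPLE = [("10.0.0.5", p, f) for p in (22, 80, 443, 8080) for f in (FIN, 0, FIN | PSH | URG)]
SAMPLE += [("10.0.0.9", 443, SYN), ("10.0.0.9", 443, ACK | PSH), ("10.0.0.9", 443, ACK)]
```

The `port_state` table makes the lecture's ambiguity concrete: for the three flag-less probes a silent port can never be told apart from a dropped packet, and for the ACK probe a RST says only that the port is reachable, not whether it is open.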