-sF -sX -sN
Stealth FIN, Xmas Tree, or Null scan modes: There are times when
even SYN scanning isn't clandestine enough. Some firewalls and
packet filters watch for SYNs to restricted ports, and programs
like Synlogger and Courtney are available to detect these scans.
These advanced scans, on the other hand, may be able to pass
The idea is that closed ports are required to reply to your
probe packet with an RST, while open ports must ignore the pack-
ets in question (see RFC 793 pp 64).
The FIN scan uses a bare
(surprise) FIN packet as the probe, while the Xmas tree scan
turns on the FIN, URG, and PUSH flags. The Null scan turns off
all flags. Unfortunately Microsoft (like usual) decided to com-
pletely ignore the standard and do things their own way. Thus
this scan type will not work against systems running Win-
dows95/NT. On the positive side, this is a good way to distin-
guish between the two platforms. If the scan finds open ports,
you know the machine is not a Windows box. If a -sF,-sX,or -sN
scan shows all ports closed, yet a SYN (-sS) scan shows ports
being opened, you are probably looking at a Windows box. This
is less useful now that nmap has proper OS detection built in.
There are also a few other systems that are broken in the same
way Windows is. They include Cisco, BSDI, HP/UX, MVS, and IRIX.
All of the above send resets from the open ports when they
should just drop the packet.