
Thread: XMas Scan?

  1. #1

    Question XMas Scan?

    Picked up a new entry in my firewall log today that I've never seen before. I'm sure all you guys know of this but it's new on me: an XMas scan.

    Stealth scanning is used by intruders to discover what ports are listening on a machine without being detected. A TCP FIN, or Stealth FIN, scan will send a FIN packet to each port. A Xmas Tree scan uses packets with the FIN, URG, and PUSH flags set.
    So what's this all about? Is this something I need to be concerned about, or just more of the usual auto scanning going on out there in the wild?

  2. #2
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    It's a more "sophisticated" scan but it's still just a scan..... I see them fairly often but the firewall blocks them..... Is your firewall stateful? If it is then the packets will be denied anyway because they don't "fit" a "normal" TCP/IP session....
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  3. #3
    AO Senior Cow-beller
    Join Date
    Dec 2004
    Mountain standard tribe.

    Interesting...it's new to me. Sounds like an inventive way to overcome some scanning hurdles. Nothing major, just a little hack someone came up with at some point...like the SYN/FIN probe.
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

  4. #4
    Senior Member
    Join Date
    Jan 2002
    It's called a "Xmas" scan because, in technical terms, it "lights up the flags like a Christmas tree". That's to say, it turns ALL the bits on, including ones which are normally mutually exclusive (such as SYN and RST)

    It's not terribly useful as a scan, except for OS identification. Some OSs don't respond to XMAS scans (win32 for instance, I think ignores them). Other OSs respond with a RST if the port is closed, not otherwise. Or something. Nmap knows what to do with them, and may use them in OS identification (you can explicitly do XMAS scans too)


  5. #5
    Senior Member
    Join Date
    Oct 2002
    I've used them a couple of times in testing and Slarty you are correct in their behaviour. Although if you picked it up in your firewall logs and it's been running against a number of ports then most likely it's a skiddie.

    I can't see there being any risk posed by it if your firewalls are configured correctly, other than some assistance during the information gathering process.
    Quis custodiet ipsos custodes

  6. #6
    Senior Member
    Join Date
    Sep 2003
    Here is some good info from the man pages of nmap:
    -sF -sX -sN
    Stealth FIN, Xmas Tree, or Null scan modes: There are times when even SYN scanning isn't clandestine enough. Some firewalls and packet filters watch for SYNs to restricted ports, and programs like Synlogger and Courtney are available to detect these scans. These advanced scans, on the other hand, may be able to pass through unmolested.

    The idea is that closed ports are required to reply to your probe packet with an RST, while open ports must ignore the packets in question (see RFC 793 pp 64). Filtered ports also tend to drop probes without a response, so Nmap considers ports "open|filtered" when it fails to elicit any response. If you add version detection (-sV), it will try to verify whether the ports are actually open and change the state as appropriate. The FIN scan uses a bare (surprise) FIN packet as the probe, while the Xmas tree scan turns on the FIN, URG, and PUSH flags. The Null scan turns off all flags. Unfortunately Microsoft (like usual) decided to completely ignore the standard and do things their own way. Thus this scan type will not work against systems running Windows95/NT. On the positive side, this is a good way to distinguish between the two platforms. If the scan finds open ports, you know the machine is not a Windows box. If a -sF, -sX, or -sN scan shows all ports closed, yet a SYN (-sS) scan shows ports being opened, you are probably looking at a Windows box. This is less useful now that nmap has proper OS detection built in. There are also a few other systems that are broken in the same way Windows is. They include Cisco, BSDI, HP/UX, MVS, and IRIX. All of the above send resets from the open ports when they should just drop the packet.

    And here is some more from another source, good reading :

    FIN (-sF), NULL (-sN) and XMAS (-sX) scans are all similar. They all rely on RFC-compliance and as such don't work against boxes like Win95/98/NT or IRIX. They also work by getting either a RST back (closed port) or a dropped packet (open port). Of course, the other situation where you might get back a dropped packet is if you've got a packet filter blocking access to that port. In that case you will get back a ton of false open ports. A few years back these kinds of scans might have been stealthy and undetectable. These days they probably aren't.

    There is a ton of good reading on scanning methods located here:

    "Common Sense, isn't that common"
    "It is a lot easier to raise a child than it is to repair an adult"
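    Since the thread is about spotting these probes in a firewall log, here is an added example (not code from the thread or from nmap) that classifies the flag combinations described above, FIN-only, Null, Xmas and the SYN+RST combination mentioned in post #4, from netfilter-style LOG lines, and counts probes per source so a scan stands out. The log lines are constructed sample input; it also maps a probe's reply to the RFC 793 interpretation quoted from the nmap man page.

```python
from collections import Counter

# Constructed netfilter/iptables-style LOG lines (sample input, not real traffic).
SAMPLE_LOG = """\
kernel: DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=22 FIN PSH URG URGP=0
kernel: DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=80 FIN PSH URG URGP=0
kernel: DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=443 URGP=0
kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=22 FIN URGP=0
kernel: ACCEPT IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=52000 DPT=22 SYN URGP=0
kernel: DROP IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=52001 DPT=22 SYN RST URGP=0
"""

FLAGS = ("SYN", "ACK", "FIN", "RST", "PSH", "URG")

def parse_line(line):
    """Return (src, dport, flags) for a TCP LOG line, or None for non-TCP lines."""
    fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    if fields.get("PROTO") != "TCP":
        return None
    flags = frozenset(tok for tok in line.split() if tok in FLAGS)
    return fields["SRC"], int(fields["DPT"]), flags

def classify_probe(flags):
    """Name the stateless probe a flag set matches; None means an ordinary segment."""
    if "SYN" in flags and "RST" in flags:
        return "impossible-combo"   # SYN and RST never occur together in a real session
    if "SYN" in flags or "ACK" in flags:
        return None                 # opens or belongs to a legitimate session
    if not flags:
        return "null"               # no flags at all (nmap -sN)
    if flags == {"FIN"}:
        return "fin"                # bare FIN (nmap -sF)
    if {"FIN", "PSH", "URG"} <= flags:
        return "xmas"               # FIN+PSH+URG "lit up" (nmap -sX)
    return "odd-flags"

def infer_port_state(response):
    """RFC 793 reading of a FIN/Xmas/Null probe's reply: RST => closed, silence => open|filtered.
    Caveat from the man page: stacks that send RST from open ports make 'closed' untrustworthy."""
    return "closed" if response == "RST" else "open|filtered"

def summarize(log_text):
    """Count probe types per source address; many probes from one host indicate a scan."""
    counts = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, _dport, flags = parsed
        kind = classify_probe(flags)
        if kind:
            counts[(src, kind)] += 1
    return counts
```

Running summarize(SAMPLE_LOG) attributes two Xmas probes and one Null probe to 198.51.100.7, which is the pattern the original poster saw in his log.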
