January 5th, 2005, 11:19 PM
Picked up a new entry in my firewall log today that I've never seen before. I'm sure all you guys know of this but it's new on me: an XMas scan.
So what's this all about? Is this something I need be concerned about, or just more of the usual auto scanning going on out there in the wild?
Stealth scanning is used by intruders to discover what ports are listening on a machine without being detected. A TCP FIN, or Stealth FIN, scan will send a FIN packet to each port. A Xmas Tree scan uses packets with the FIN, URG, and PUSH flags set.
January 5th, 2005, 11:30 PM
It's a more "sophisticated" scan but it's still just a scan..... I see them fairly often but the firewall blocks them..... Is your firewall stateful? If it is then the packets will be denied anyway because they don't "fit" a "normal" TCP/IP session....
Don\'t SYN us.... We\'ll SYN you.....
\"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides
January 5th, 2005, 11:37 PM
Interesting...it's new to me. Sounds like an inventive way to overcome some scanning hurdles. Nothing major, just a little hack someone came up with at some point...like the SYN/FIN probe.
"Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
"...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore
January 6th, 2005, 12:09 AM
It's called a "Xmas" scan because, in technical terms, it
"lights up the flags like a Christmas tree". That's to say, it turns ALL the bits on, including ones which are normally mutually exclusive (such as SYN and RST)
It's not terribly useful as a scan, except for OS identification. Some OSs don't respond to XMAS scans (win32 for instance, I think ignores them). Other OSs respond with a RST if the port is closed, not otherwise. Or something. Nmap knows what to do with them, and may use them in OS identification (you can explicitly do XMAS scans too)
January 6th, 2005, 01:32 AM
I`ve used them a couple of times in testing and Slarty you are correct in their behaviour. Although if you picked it up in your firewall logs and its been running against a number of ports then most likely its a skiddie.
I can`t see there be any risk posed by it if your firewalls are configured correctly, other then some assistance during the information gathering process.
Quis custodiet ipsos custodes
January 6th, 2005, 03:31 AM
Here is some good info from the man pages of nmap:
-sF -sX -sN
Stealth FIN, Xmas Tree, or Null scan modes: There are times when
even SYN scanning isn’t clandestine enough. Some firewalls and
packet filters watch for SYNs to restricted ports, and programs
like Synlogger and Courtney are available to detect these scans.
These advanced scans, on the other hand, may be able to pass
The idea is that closed ports are required to reply to your
probe packet with an RST, while open ports must ignore the pack-
ets in question (see RFC 793 pp 64). Filered ports also tend to
drop probes without a response, so Nmap considers ports
"open|filtered" when it fails to elicit any response. If you
add version detection (-sV), it will try to verify whether the
ports are actually open and change the state as appropriate.
The FIN scan uses a bare (surprise) FIN packet as the probe,
while the Xmas tree scan turns on the FIN, URG, and PUSH flags.
The Null scan turns off all flags. Unfortunately Microsoft
(like usual) decided to completely ignore the standard and do
things their own way. Thus this scan type will not work against
systems running Windows95/NT. On the positive side, this is a
good way to distinguish between the two platforms. If the scan
finds open ports, you know the machine is not a Windows box. If
a -sF,-sX,or -sN scan shows all ports closed, yet a SYN (-sS)
scan shows ports being opened, you are probably looking at a
Windows box. This is less useful now that nmap has proper OS
detection built in. There are also a few other systems that are
broken in the same way Windows is. They include Cisco, BSDI,
HP/UX, MVS, and IRIX. All of the above send resets from the
open ports when they should just drop the packet.
And here is some more from another source, good reading :
FIN (-sF), NULL (-sN) and XMAS (-sX) scans are all similar. They all rely
on RFC-compliance and as such don't work against boxes like Win95/98/NT or
IRIX. They also work by getting either a RST back (closed port) or a
dropped packet (open port). Of course, the other situation where you
might get back a dropped packet is if you've got a packet filter blocking
access to that port. In that case you will get back a ton of false open
ports. A few years back these kinds of scans might have been stealthy and
undetectable. These days they probably aren't.
There is a ton of good reading on scanning methods located here:
\"Common Sense, isn\'t that common\"
\"It is a lot easier to raise a child then it is to repair an adult\"