XMAS SCAN: In the computer world, a request for comments (RFC) is a document that contains either notes on or the technical specifications for a given technology or standard.
RFCs can provide us with a tremendous amount of detail about the inner workings of a particular system. Because RFCs describe the technical details of how a system should work, attackers and hackers will often review RFCs looking for potential weaknesses or loopholes described in the documentation.
The Xmas tree scan and the null scan exploit just such a loophole.
Xmas tree scans get their name from the fact that the FIN, PSH, and URG packet flags are set to “on”; as a result, the packet has so many flags turned on that it is often described as being “lit up like a Christmas tree”.
Given what we already know about TCP communications and the three-way handshake, it should be clear that an Xmas tree packet is highly unusual because neither the SYN nor the ACK flag is set.
However, this unusual packet has a purpose. If the system we are scanning follows the TCP RFC, we can send one of these unusual packets to determine the current state of the port.
The TCP RFC says that if a closed port receives a packet that does not have the SYN, ACK, or RST flag set (i.e. the type of packet that is created by an Xmas tree scan), the port should respond with an RST packet of its own.
Furthermore, the RFC states that if the port is open and it receives a packet without the SYN, ACK, or RST flag set, the packet should be ignored.
Take a moment to reread the last two sentences, as they are critical to understanding the response we get from these scans.
Assuming the operating system of the target fully complies with the TCP RFC, Nmap is able to determine the port state without completing or even initiating a connection on the target system.
The word “assuming” was used because not every operating system on the market today is fully RFC compliant.
In general, the Xmas tree and null scans work against Unix and Linux machines but not Windows.
As a result, Xmas tree and null scans are rather ineffective against Microsoft targets.
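To make the two RFC rules above concrete from the defender's side, here is an added example (not part of the original text) that recognises Xmas and null segments from the TCP flags byte, models the reply a strictly RFC-compliant stack gives, shows how a scanner reads that reply, and groups such probes per source so a sensor can alert on them; the packet records in it are constructed for illustration.

```python
"""Added example (not from the original text): recognise Xmas and Null segments
from the TCP flags byte, model the RFC 793 reply the text describes, and group
such probes per source for alerting. All packet records below are constructed."""
from collections import defaultdict

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20  # TCP flag bits


def probe_type(flags):
    """Return 'xmas', 'null' or None for one TCP flags byte."""
    if flags & (SYN | ACK | RST):
        return None  # carries a handshake/reset flag: ordinary traffic
    if flags == 0:
        return "null"
    if flags & (FIN | PSH | URG) == (FIN | PSH | URG):
        return "xmas"
    return None


def rfc793_reply(port_open, flags):
    """Reply of a strictly RFC-compliant stack on a port with no connection:
    a closed port answers anything but RST with RST; a listening port drops a
    segment carrying none of SYN, ACK or RST, so an open port stays silent."""
    if flags & RST:
        return "none"  # an RST is never answered with another RST
    if not port_open:
        return "RST"
    return "handshake" if flags & (SYN | ACK) else "none"


def infer_port_state(reply):
    """How a scanner reads the reply to an Xmas/Null probe. Stacks that answer
    RST on every port (Windows) make every port look closed, hence the caveat."""
    return "closed" if reply == "RST" else "open|filtered"


def probe_alerts(records, min_ports=3):
    """records: (src_ip, dst_port, flags) tuples; returns sources whose Xmas/Null
    probes touched at least min_ports distinct ports."""
    ports_by_src = defaultdict(set)
    for src, dport, flags in records:
        if probe_type(flags):
            ports_by_src[src].add(dport)
    return {s: sorted(p) for s, p in ports_by_src.items() if len(p) >= min_ports}


XMAS = FIN | PSH | URG
SAMPLE = [("192.168.18.50", 22, XMAS), ("192.168.18.50", 80, XMAS),   # constructed
          ("192.168.18.50", 443, XMAS), ("192.168.18.50", 25, 0),
          ("192.168.18.77", 80, SYN), ("192.168.18.77", 80, ACK | PSH)]
```

Running `probe_alerts(SAMPLE)` reports only the first source (ports 22, 25, 80 and 443); the ordinary SYN and ACK|PSH segments from the second host are never counted.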
To execute an Xmas tree scan, we simply replace the “-sU” switch from our last example with “-sX”. To run the full scan in the terminal, we would enter
nmap -sX -p- -Pn 192.168.18.132
Below is the command and output of an Xmas tree scan against our Linux target.