The nmap (Network Mapper) is the network manager that is utilized to find out the information on the computer’s ports. The Xmas scan means to find out if the ports are open or closed in the target machine by using the TCP Xmas.
This post will address the Nmap Xmas Scan tutorial on Linux with the following outcomes:
- What is the Nmap Xmas Scan in Linux?
- Outcomes of Nmap Xmas Scan
- Time Templates Nmap Xmas Scan
- Nmap Xmas Scan
- Null Scan
- FIN Scan
What is the Nmap Xmas Scan in Linux?
Three types of scans are used to check the ports of the target machine are opened or closed. These scans are mentioned below in the table:
| Scans | Flags | Explanation |
|---|---|---|
| Null Scan | -sN | This scan will not set any bits, which means that the TCP header is 0. |
| FIN Scan | -sF | This scan will set only the FIN bits of the TCP. |
| Xmas Scan | -sX | This scan will set the FIN, PSH, and URG flags. |
Outcomes of Xmas Scan
Referring to the Xmas scan, there are three possible outcomes:
| Open | This means no response is received from the target machine. |
| Closed | This means that the target machine’s port is closed. |
| Filtered | This means the port is protected by some filters of ICMP. |
Time Templates
After this, the timing templates option of the Xmax scan is necessary to learn. The Time Templates are six different levels used to show the behavior of the scan. These timing templates are
| Timing Template | Explanation |
| Paranoid (T0) | This is the slowest scan of the Xsmax |
| Sneaky (T1) | This is also the slowest scan. Still, more aggressive than the paranoid |
| Polite (T2) | This is neither slow nor fast scan |
| Normal (T3) | This is the default set timing template for the Xmas scan |
| Aggressive (T4) | This is the fast Xmas scan |
| Insane (T5) | This is fastest Xmas scan |
Example 1: Nmap Xmas Scan
Use the aggressive Xmas scan for the target machine whose address is “192.168.157.139” and display the progress using the “sX” option:
$ sudo nmap -sX 192.168.157.139
In the output, we can see that the 999 ports are closed. Only one 22/tcp port is open at the target machine.
Example 2: Null Scan
This type of Nmap Xmas Scan sets no flags in the TCP header, which can be used to determine if the target system is filtering incoming traffic. For instance, specify the address “192.168.157.139” for scanning the port:
$ sudo nmap -sN 192.168.157.139
The output shows that a null scan has been done.
Example 3: FIN Scan
This type of Nmap Xmas Scan sets only the FIN flag in the TCP header, which can be used to identify open ports on the target system:
$ sudo nmap -sF 192.168.157.139
The output shows that only one “22/tcp” port is open at the target machine.
Conclusion
The Xmax scan can be performed using the nmap command. This scan displays the status of the ports of the target machine. The status of the ports can be closed, open, or filtered. This blog explains the Xmas scan using the nmap command in Linux with the help of different examples.
