Nmap Xmas Scan

Nmap (Network Mapper) is a network scanning tool used to find information about a computer’s ports. The Xmas scan determines whether ports on the target machine are open or closed by sending TCP Xmas packets.

This post will address the Nmap Xmas Scan tutorial on Linux with the following outcomes:

What is the Nmap Xmas Scan in Linux?

Three types of scans are used to check whether the ports of the target machine are open or closed. These scans are listed in the table below:

| Scan | Option | Description |
|---|---|---|
| Null Scan | -sN | This scan will not set any bits, which means that the TCP flag header is 0. |
| FIN Scan | -sF | This scan will set only the FIN bit of the TCP header. |
| Xmas Scan | -sX | This scan will set the FIN, PSH, and URG flags. |
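
The flag combinations in the table are also what a defender matches on to spot these probes. The following is an added example, not part of the original post: it reads the flags byte from raw TCP headers and reports sources that send Null, FIN, or Xmas probes to several ports. The function names, the `min_ports` threshold, and the sample addresses (documentation ranges) are assumptions made for illustration.

```python
import struct
from collections import defaultdict

FIN, SYN, PSH, ACK, URG = 0x01, 0x02, 0x08, 0x10, 0x20  # TCP flag bits
FLAG_MASK = 0x3F  # look at URG..FIN only, ignore ECE/CWR

def classify_flags(flags):
    """Map a TCP flags byte to the probe type from the table, or None."""
    flags &= FLAG_MASK
    if flags == 0:
        return "null"   # -sN: no bits set
    if flags == FIN:
        return "fin"    # -sF: bare FIN (a normal close carries FIN+ACK)
    if flags == FIN | PSH | URG:
        return "xmas"   # -sX: FIN, PSH and URG
    return None

def parse_tcp(header):
    """Return (src_port, dst_port, flags) from a raw TCP header."""
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    src, dst = struct.unpack("!HH", header[:4])
    return src, dst, header[13]  # flags live at byte offset 13

def detect_scans(packets, min_ports=3):
    """Report (source, probe type) pairs that hit >= min_ports distinct ports."""
    seen = defaultdict(set)
    for src_ip, header in packets:
        try:
            _, dport, flags = parse_tcp(header)
        except ValueError:
            continue  # skip malformed captures instead of aborting
        kind = classify_flags(flags)
        if kind:
            seen[(src_ip, kind)].add(dport)
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_ports}

def make_header(dport, flags, sport=40000):
    """Build a constructed 20-byte TCP header for the sample data."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 1024, 0, 0)

# Constructed sample traffic (not captured from a real network).
SAMPLE = [("192.0.2.10", make_header(p, FIN | PSH | URG)) for p in (22, 80, 443)]
SAMPLE += [("198.51.100.7", make_header(80, SYN)),        # normal connection open
           ("198.51.100.7", make_header(80, FIN | ACK)),  # normal connection close
           ("192.0.2.10", make_header(22, 0)),            # single null probe
           ("192.0.2.10", b"\x00" * 8)]                   # truncated header

if __name__ == "__main__":
    print(detect_scans(SAMPLE))
```

The threshold keeps a single stray packet from raising an alert; lowering `min_ports` to 1 also reports the lone null probe in the sample.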

Outcomes of Xmas Scan

Referring to the Xmas scan, there are three possible outcomes:

| Outcome | Meaning |
|---|---|
| Open | This means no response is received from the target machine. |
| Closed | This means that the target machine’s port is closed. |
| Filtered | This means the port is protected by a filter, indicated by an ICMP response. |

Time Templates 

Next, it is necessary to learn the timing template options of the Xmas scan. The timing templates are six different levels that control the behavior of the scan. These timing templates are:

| Timing Template | Explanation |
|---|---|
| Paranoid (T0) | This is the slowest Xmas scan |
| Sneaky (T1) | This is also a slow scan, but more aggressive than Paranoid |
| Polite (T2) | This is neither a slow nor a fast scan |
| Normal (T3) | This is the default timing template for the Xmas scan |
| Aggressive (T4) | This is the fast Xmas scan |
| Insane (T5) | This is the fastest Xmas scan |

Example 1: Nmap Xmas Scan 

Use the aggressive Xmas scan against the target machine whose address is “” and display the progress using the “-sX” option:

$ sudo nmap -sX

In the output, we can see that 999 ports are closed. Only one port, 22/tcp, is open on the target machine.

Example 2: Null Scan 

This scan, which is related to the Nmap Xmas scan, sets no flags in the TCP header and can be used to determine whether the target system is filtering incoming traffic. For instance, specify the address “” for scanning the port:

$ sudo nmap -sN

The output shows that a null scan has been done.

Example 3: FIN Scan 

This scan, which is related to the Nmap Xmas scan, sets only the FIN flag in the TCP header and can be used to identify open ports on the target system:

$ sudo nmap -sF

The output shows that only one port, “22/tcp”, is open on the target machine.


The Xmas scan can be performed using the nmap command. This scan displays the status of the ports of the target machine, which can be closed, open, or filtered. This blog explains the Xmas scan using the nmap command in Linux with the help of different examples.