TCP XMAS Scan

A TCP XMAS scan is a type of port scanning technique used in network reconnaissance, similar to TCP SYN and TCP FIN scans. It gets its name from the flags set in the TCP packet, resembling the lights on a Christmas tree. In a TCP XMAS scan, specific TCP flags are set in the packet to probe the state of ports on a target system.

Here’s how a TCP XMAS scan works:

  1. Sender sends XMAS packet: The scanning tool sends a TCP packet with the URG (urgent), PSH (push), and FIN (finish) flags set to the target system. The TCP protocol defines no predictable or standard behavior for a packet with this combination of flags.
  2. Response analysis:
     • If the port is open: The target system may respond differently depending on its TCP stack implementation. Some systems may respond with an RST (reset) packet, while others may ignore the packet altogether.
     • If the port is closed or filtered: The target system may respond with an RST packet if the port is closed, or it may not respond at all if the port is filtered or blocked.
  3. Interpreting responses:
     • If an RST packet is received: This typically means the port is closed.
     • If no response is received: This can indicate that the port is either open or filtered. Further analysis might be needed to determine the state of the port.

TCP XMAS scans are used because they can bypass certain firewall and intrusion detection system (IDS) configurations. Some firewalls and IDS are configured to detect specific flag combinations, such as SYN packets in SYN scans or FIN packets in FIN scans. However, they may not be configured to handle or detect XMAS scan packets.

Like other port scanning techniques, TCP XMAS scans can still be detected by advanced security measures and vigilant network administrators. Additionally, responses to XMAS scan packets may vary depending on the target system’s TCP stack implementation, making interpretation of results somewhat less reliable compared to more standard scanning techniques.
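
One way a defender can detect these probes, shown as an added example that is not part of the original article: the code reads the flag byte of raw TCP headers and reports sources that send FIN+PSH+URG packets to several distinct ports. The `min_ports` threshold, the function names, and the sample traffic (documentation addresses) are assumptions constructed for illustration.

```python
import struct
from collections import defaultdict

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
XMAS = FIN | PSH | URG

def tcp_flags(header: bytes) -> int:
    """Return the six classic flag bits from a raw TCP header (byte 13)."""
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    return header[13] & 0x3F  # mask off the ECN bits (CWR/ECE)

def is_xmas(flags: int) -> bool:
    """True when exactly FIN+PSH+URG are set and SYN, RST, ACK are clear."""
    return flags == XMAS

def find_xmas_scanners(packets, min_ports=3):
    """packets: iterable of (src_ip, raw_tcp_header).
    Returns {src_ip: sorted ports} for sources that sent XMAS packets
    to at least min_ports distinct destination ports (assumed threshold)."""
    seen = defaultdict(set)
    for src, hdr in packets:
        try:
            flags = tcp_flags(hdr)
        except ValueError:
            continue  # skip truncated captures
        if is_xmas(flags):
            dport = struct.unpack("!H", hdr[2:4])[0]
            seen[src].add(dport)
    return {s: sorted(p) for s, p in seen.items() if len(p) >= min_ports}

def _hdr(sport, dport, flags):
    # Constructed 20-byte TCP header: data offset 5, other fields zeroed
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 0, 0, 0)

# Constructed sample traffic, not captured from a real network
SAMPLE = [
    ("192.0.2.10", _hdr(40000, 22, XMAS)),
    ("192.0.2.10", _hdr(40000, 80, XMAS)),
    ("192.0.2.10", _hdr(40000, 443, XMAS)),
    ("198.51.100.7", _hdr(51000, 443, PSH | ACK)),  # normal data segment
    ("198.51.100.7", _hdr(51000, 443, FIN | ACK)),  # normal connection close
    ("203.0.113.5", _hdr(42000, 25, XMAS)),         # one odd packet, below threshold
    ("203.0.113.5", b"\x00" * 8),                   # truncated header, ignored
]

if __name__ == "__main__":
    print(find_xmas_scanners(SAMPLE))
```

Because legitimate segments that carry FIN or PSH also carry ACK, matching on the exact flag set keeps normal data and close traffic out of the results.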
