A TCP NULL scan is yet another port scanning technique used in network reconnaissance. Similar to TCP XMAS and FIN scans, it exploits the behavior of TCP packets to determine the state of ports on a target system.
In a TCP NULL scan, the scanning tool sends TCP packets with none of the TCP flags set, essentially creating a “null” packet. Normally, TCP packets have at least one flag set, such as SYN, ACK, RST, FIN, PSH, URG, or a combination of these. However, in a TCP NULL scan, none of these flags are set.
Here’s how a TCP NULL scan works:
- Sender sends NULL packet: The scanning tool sends a TCP packet with none of the flags (SYN, ACK, RST, FIN, PSH, URG) set to the target system.
- Response analysis:
- If the port is open: The target system’s response may vary. Some systems may respond with an RST (reset) packet, while others may not respond at all.
- If the port is closed or filtered: The target system may respond with an RST packet if the port is closed, or it may not respond at all if the port is filtered or blocked.
- Interpreting responses:
- If an RST packet is received: This typically means the port is closed.
- If no response is received: This can indicate that the port is either open or filtered. Further analysis might be needed to determine the state of the port.
TCP NULL scans can be effective because they can bypass some firewall and intrusion detection system (IDS) configurations. Firewalls and IDS are often configured to detect packets with specific flag combinations, such as SYN packets in SYN scans or FIN packets in FIN scans. However, they may not be configured to handle or detect NULL scan packets.
Like other port scanning techniques, TCP NULL scans can still be detected by advanced security measures and vigilant network administrators. Additionally, the interpretation of results may vary depending on the target system’s TCP stack implementation.
