Thursday, April 30, 2020

Quick Tip #3 - Christmas Scan in nmap

nmap determines the OS of the target from the responses it gets. Different operating systems send back slightly different packets depending on which TCP flags are set in the probe. The TCP flags are SYN, ACK, FIN, PSH, URG, RST. The mnemonic I use is: Unskilled Attackers Pester Real Security Folks. When you run an XMAS scan in nmap you are setting all TCP flags at the same time. Obviously this isn't a valid packet, and crafting it requires bypassing the normal network stack, hence the need to be root to run this scan.

This scan can help identify the target when other OS fingerprinting techniques are inconclusive, but a good IDS or next-gen firewall will probably block these packets. Still, it's worth a shot when you can't figure out the OS of the target. Also realize this is NOT stealthy: you're announcing that your intention is to recon the network, and it may get you blacklisted. You run the XMAS scan with the -sX flag.
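The flag combinations described above are exactly what an IDS keys on, since no legitimate TCP stack ever emits them. The following is an added example, not code from the post: it decodes the flags byte of a raw TCP header (bit order URG, ACK, PSH, RST, SYN, FIN, matching the mnemonic) and labels invalid combinations. It checks both the all-flags case the post describes and the FIN/PSH/URG combination that nmap's -sX actually sends; the headers it inspects are constructed in memory, nothing is put on the wire.

```python
import struct

# TCP flag bits in header order (high to low): URG, ACK, PSH, RST, SYN, FIN,
# the same order as "Unskilled Attackers Pester Real Security Folks".
FLAG_BITS = {"URG": 0x20, "ACK": 0x10, "PSH": 0x08,
             "RST": 0x04, "SYN": 0x02, "FIN": 0x01}

XMAS = {"FIN", "PSH", "URG"}   # the flags nmap -sX actually lights up
ALL_FLAGS = set(FLAG_BITS)     # every flag lit, as the post describes


def build_tcp_header(src_port, dst_port, flags):
    """Constructed 20-byte TCP header (no options) with the given flags set."""
    flag_byte = 0
    for name in flags:
        flag_byte |= FLAG_BITS[name]
    data_offset = 5 << 4  # 5 x 32-bit words, no options
    # src, dst, seq, ack, offset, flags, window, checksum, urgent pointer
    return struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0,
                       data_offset, flag_byte, 8192, 0, 0)


def decode_flags(tcp_header):
    """Return the set of flag names lit in a raw TCP header (byte 13)."""
    flag_byte = tcp_header[13]
    return {name for name, bit in FLAG_BITS.items() if flag_byte & bit}


def classify(tcp_header):
    """Label a segment by its flag combination; anything but 'normal' is suspect."""
    flags = decode_flags(tcp_header)
    if flags == XMAS:
        return "xmas"        # FIN+PSH+URG with no SYN/ACK: never produced by a real stack
    if flags == ALL_FLAGS:
        return "all-flags"
    if not flags:
        return "null"        # no flags at all (nmap's -sN scan)
    if "SYN" in flags and "FIN" in flags:
        return "syn-fin"     # contradictory: open and close in one segment
    return "normal"


def scan_segments(segments):
    """Run classify over captured headers; return (src_port, verdict) for anomalies."""
    alerts = []
    for seg in segments:
        verdict = classify(seg)
        if verdict != "normal":
            alerts.append((struct.unpack("!H", seg[:2])[0], verdict))
    return alerts


# Constructed sample traffic: a normal SYN, an nmap-style Xmas probe, an all-flags probe.
SAMPLE = [build_tcp_header(40001, 80, {"SYN"}),
          build_tcp_header(40002, 80, {"FIN", "PSH", "URG"}),
          build_tcp_header(40003, 22, set(FLAG_BITS))]

if __name__ == "__main__":
    for port, verdict in scan_segments(SAMPLE):
        print(f"src port {port}: {verdict}")
```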
