This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Difference between RST/ACK and RST responses in a Null scan

0

From what I have researched so far on NULL scans, there are 2 conflicting answers regarding the results of the NULL scan.

In a NULL scan, some sources state that if an RST/ACK response is received from the server, that means the server is closed.

However, other sources state RST/ACK as only RST. Is there a difference between the 2 of them?

Thanks =) .

asked 22 Dec '12, 08:33

Dinged

What does your Null scan look like? Which tool did you use?

(22 Dec '12, 09:16) Kurt Knochner ♦

Hmm, I didn't actually perform the NULL scan; I am currently trying to do some reading up on NULL scans and encountered different answers. Some books state it as such, "This is an advanced scan that may be able to pass through firewalls undetected or modified. Null scan has all flags off or not set. It only works on Unix systems. Closed ports will return a RST flag." while others state it as a RST/ACK flag >> see image http://i.imgur.com/7FKeM.png

(22 Dec '12, 09:22) Dinged

Well, don't (blindly) believe what's written in books. Try it yourself. That will also help you to understand the whole thing much better. Grab nmap and Wireshark and test how different operating systems react ;-)

Furthermore, listen to the advice of @Jasper.

(22 Dec '12, 09:27) Kurt Knochner ♦

Haha you've a point =) . Guess I should do some hands-on..

(22 Dec '12, 09:32) Dinged

Yep, there's nothing to lose, other than a few minutes/hours of your life ;-)

(22 Dec '12, 09:33) Kurt Knochner ♦

One Answer:

1

There are so many different TCP stacks out there, so everything is possible, especially when it comes to scanning systems with invalid flags set or not set. Usually, all packets coming from systems that do not intentionally fool around with packet details (like the one doing the scan) have the ACK flag set unless it is the initial SYN packet of the three-way handshake.

answered 22 Dec '12, 09:13

Jasper ♦♦

Thanks for the information. So whether it is a RST/ACK or a RST packet being sent from the server is dependent on the TCP stacks, and the usual case would be a RST/ACK result, right?

(22 Dec '12, 09:25) Dinged

Yes, it is dependent on the TCP stack implementation, and since there is no case in the TCP RFC stating what to do when a packet with no flags arrives, it is quite impossible to predict the reaction. I'd not be surprised if you get a mix of RST, RST/ACK or even no packet at all when testing various targets.

(23 Dec '12, 18:12) Jasper ♦♦
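
For comparing captures taken against different stacks, as suggested in the comments, the sketch below decodes the TCP flags field and records whether each flagless probe drew a RST, a RST/ACK or nothing. It is an added example, not part of the original thread; the addresses, ports, sample segments and function names are constructed for illustration.

```python
import struct

RST, ACK = 0x04, 0x10  # bit values in the TCP flags field

def tcp_header(sport, dport, seq, ack, flags):
    """Build a minimal 20-byte TCP header (used for the constructed samples)."""
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                       (5 << 12) | flags, 1024, 0, 0)

def parse_flags(raw):
    """Return (src_port, dst_port, flags) from a raw TCP header."""
    if len(raw) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", raw[:14])
    return sport, dport, off_flags & 0x01FF  # low 9 bits carry the flags

def label(flags):
    """Name the segment type this thread distinguishes."""
    if flags == 0:
        return "NULL"
    if flags & RST:
        return "RST/ACK" if flags & ACK else "RST"
    return "other"

def classify_replies(segments):
    """Map each NULL-probed (ip, port) to the reply seen on the reversed flow.

    segments: (src_ip, dst_ip, raw_tcp_header) tuples in capture order.
    """
    probes, results = set(), {}
    for src, dst, raw in segments:
        sport, dport, flags = parse_flags(raw)
        kind = label(flags)
        if kind == "NULL":
            probes.add((src, sport, dst, dport))
            results.setdefault((dst, dport), "no reply")
        elif (dst, dport, src, sport) in probes:
            results[(src, sport)] = kind
    return results

# Constructed capture: one scanner, three targets with different stack behaviour.
SAMPLE = [
    ("192.0.2.10", "198.51.100.5", tcp_header(40000, 23, 1000, 0, 0)),
    ("198.51.100.5", "192.0.2.10", tcp_header(23, 40000, 0, 1000, RST | ACK)),
    ("192.0.2.10", "198.51.100.6", tcp_header(40000, 23, 1000, 0, 0)),
    ("198.51.100.6", "192.0.2.10", tcp_header(23, 40000, 0, 0, RST)),
    ("192.0.2.10", "198.51.100.7", tcp_header(40000, 23, 1000, 0, 0)),
]

if __name__ == "__main__":
    for target, reply in classify_replies(SAMPLE).items():
        print(target, reply)
```

In a real capture the raw TCP headers would come from the packets exported out of Wireshark; the only difference between the two reply types is the ACK bit (flags 0x04 versus 0x14).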