Nmap NULL and FIN Scans

Learn how to perform Nmap NULL and FIN scans.

Nmap’s NULL and FIN scans are stealth scans that probe a target host or network without ever completing a TCP connection. They send TCP segments with unusual flag combinations and rely on how the target’s TCP stack answers them, so they can slip past stateless packet filters and detection rules that only key on conventional SYN-based scanning. They still put packets on the wire, though: a stateful firewall or a well-tuned intrusion detection system can see and log them. Let’s look at these scans in detail.

What is Nmap’s NULL scan?

Nmap’s NULL scan sends TCP segments with no flags set in the header at all. Firewalls and intrusion detection systems that match only on specific flag combinations (a bare SYN, for example) never match these packets, which is what lets the scan evade them.

A TCP segment with no flags set doesn’t correspond to any step of a normal connection, and the scan exploits how RFC 793 tells a host to treat it: if the port is closed, the host should answer with a TCP RST; if the port is open and the segment carries none of SYN, RST, or ACK, the host should silently drop it. So an RST reply means the port is closed, and silence means the port is open. There are two caveats. First, a firewall that drops the probe also produces silence, so Nmap can’t distinguish open from filtered and reports such ports as open|filtered; only an ICMP destination-unreachable error (type 3, code 1, 2, 3, 9, 10, or 13) lets it mark a port as filtered. Second, not every TCP stack follows the RFC here: Microsoft Windows and many Cisco devices send a RST for every probe regardless of port state, so against those hosts a NULL scan reports every port as closed and tells you nothing.

We perform the NULL scan using the -sN flag. Because Nmap has to craft raw TCP segments for it, the scan needs raw-socket privileges (root on Unix-like systems).
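To make the mechanics concrete, here is an added Python example (it is not part of the lesson and not Nmap’s own code) that builds the TCP header a NULL probe sends, with every flag bit cleared and a valid checksum, and then applies the response rules described above to classify a port the way Nmap does for this scan type. The same builder with only FIN set produces the FIN-scan probe. The IP addresses, ports, and constructed replies are made-up sample data; no packets are sent.

```python
import socket
import struct
from typing import Optional

# TCP flag bits as they sit in header byte 13 (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# ICMP type 3 (destination unreachable) codes that Nmap maps to "filtered"
# for NULL, FIN, and Xmas scans.
ICMP_FILTERED_CODES = {1, 2, 3, 9, 10, 13}


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement checksum used by IPv4 and TCP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    """IPv4 pseudo-header that the TCP checksum covers."""
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, socket.IPPROTO_TCP, tcp_len))


def build_tcp_header(src_ip: str, dst_ip: str, sport: int, dport: int,
                     flags: int, seq: int = 0, window: int = 1024) -> bytes:
    """20-byte TCP header with no options and a correct checksum."""
    offset_and_flags = (5 << 12) | flags          # data offset = 5 words
    unchecked = struct.pack("!HHIIHHHH", sport, dport, seq, 0,
                            offset_and_flags, window, 0, 0)
    csum = ones_complement_sum(pseudo_header(src_ip, dst_ip, len(unchecked)) + unchecked)
    return unchecked[:16] + struct.pack("!H", csum) + unchecked[18:]


def checksum_ok(src_ip: str, dst_ip: str, header: bytes) -> bool:
    """A correct TCP checksum makes the sum over pseudo-header + header fold to zero."""
    return ones_complement_sum(pseudo_header(src_ip, dst_ip, len(header)) + header) == 0


def tcp_flags(header: bytes) -> int:
    return header[13]


def null_probe(src_ip: str, dst_ip: str, sport: int, dport: int) -> bytes:
    """What `nmap -sN` puts on the wire: a TCP header with no flags at all."""
    return build_tcp_header(src_ip, dst_ip, sport, dport, flags=0)


def fin_probe(src_ip: str, dst_ip: str, sport: int, dport: int) -> bytes:
    """What `nmap -sF` puts on the wire: only the FIN bit set."""
    return build_tcp_header(src_ip, dst_ip, sport, dport, flags=FIN)


def classify(tcp_reply: Optional[bytes], icmp_unreach_code: Optional[int] = None) -> str:
    """Map the response to a NULL/FIN probe onto the port state Nmap reports.

    RST reply            -> closed
    no reply at all      -> open|filtered (open port, or a firewall dropped the probe)
    ICMP unreachable     -> filtered (only for the codes Nmap recognises)
    """
    if icmp_unreach_code in ICMP_FILTERED_CODES:
        return "filtered"
    if tcp_reply is None:
        return "open|filtered"
    if tcp_flags(tcp_reply) & RST:
        return "closed"
    return "unexpected"  # not one of the three documented outcomes for this scan


if __name__ == "__main__":
    scanner, target = "192.0.2.10", "192.0.2.20"   # constructed sample addresses
    probe = null_probe(scanner, target, 40000, 80)
    print(f"NULL probe flags byte: 0x{tcp_flags(probe):02x}, checksum ok: {checksum_ok(scanner, target, probe)}")
    # Constructed reply from a closed port: RST/ACK back to the scanner.
    rst_reply = build_tcp_header(target, scanner, 80, 40000, RST | ACK)
    print("RST reply      ->", classify(rst_reply))
    print("no reply       ->", classify(None))
    print("ICMP 3/13 back ->", classify(None, icmp_unreach_code=13))
```

Against a real target the equivalent is `nmap -sN -p 22,80,443 <target>` run with root privileges; if every port comes back closed, suspect a stack (such as Windows) that sends RST unconditionally rather than trust the result.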
