Nmap Advanced Port Scans

Overview

This room covers the less common Nmap scan types used to handle filtering, probe firewall behavior, or make scans harder to attribute. These scans are not your normal starting point, but they matter because they teach how ports and firewalls really respond to unusual TCP flag combinations.

Core idea: advanced scans are mostly about how targets and firewalls react to unexpected packets, not just whether a port is open in the obvious sense.

1) Null, FIN, and Xmas Scans

These three scans send TCP segments with unusual flag combinations (Null: no flags at all; FIN: only FIN; Xmas: FIN, PSH and URG) and rely on the same RFC 793 behaviour: a closed port answers with RST, while an open port on an RFC-compliant stack (most Unix-like systems) silently discards a segment that does not start a connection.

sudo nmap -sN MACHINE_IP
sudo nmap -sF MACHINE_IP
sudo nmap -sX MACHINE_IP

Important result: these scans usually label ports as open|filtered, not confidently open, because silence could mean either an open port or a firewall dropping the packet.

2) When Null/FIN/Xmas Help

These scans can sometimes bypass simple stateless filters that mainly look for SYN packets to detect connection attempts.

Reality check: on modern networks, stateful filtering is common, so these scans are more educational and situational than default workflow choices. Also, Microsoft Windows and many Cisco devices do not follow the RFC here and send RST for every port regardless of state, so against those targets every port shows up as closed and the scan tells you nothing.

3) Maimon Scan

Maimon scan sends FIN+ACK and is selected with -sM. It is based on historical BSD behavior where some open ports would drop the packet rather than reply.

sudo nmap -sM MACHINE_IP

Practical value today: limited. Most modern targets answer in a way that makes Maimon ineffective for actually finding open ports, but it is useful to understand the logic behind scan design.

4) ACK Scan

ACK scan sends a packet with only the ACK flag set and is selected with -sA.

sudo nmap -sA MACHINE_IP

ACK scan is not mainly for finding open ports. An ACK that belongs to no existing connection gets a RST back whether the port is open or closed, so the reply cannot tell the two apart; instead, Nmap reports ports that answer with RST as unfiltered and ports that stay silent (or return an ICMP error) as filtered. That makes it a tool for mapping firewall rules:

Key lesson: ACK scan exposes which ports the firewall lets packets reach (unfiltered) and which it blocks (filtered). It does not prove a service is actually listening there.

5) Window Scan

Window scan is closely related to ACK scan and is selected with -sW. It sends the same ACK probes but also inspects the TCP window field of the RST packets that come back: on some systems a RST from an open port carries a positive window while a RST from a closed port carries a zero window, so Nmap can label those ports open or closed instead of just unfiltered. On stacks without that quirk every RST has a zero window and the whole range shows as closed, which is a sign the result means nothing.

sudo nmap -sW MACHINE_IP

How to think about it: like ACK scan, but trying to squeeze a little more signal out of the response details. It is still mostly a firewall/stack-behavior tool rather than a clean service-discovery scan.
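To make the interpretation rules from sections 1 to 5 concrete, here is a small model of how Nmap labels a port for each scan type given the probe it sent and the reply it got. This is an added example, not code from the room or from Nmap: the three target "stacks" (an RFC-compliant one, a Windows-like one that always sends RST, and an old-BSD-style one with the Maimon quirk) and the port numbers are assumptions chosen to illustrate the behaviours described above, and no packets are sent.

```python
# Added example, not code from the room or from Nmap: a model of the
# interpretation rules Nmap applies to Null/FIN/Xmas, Maimon, ACK and Window
# scans. The target "stacks" are assumptions for illustration; nothing is sent.

PROBE_FLAGS = {
    "null":   frozenset(),
    "fin":    frozenset({"FIN"}),
    "xmas":   frozenset({"FIN", "PSH", "URG"}),
    "maimon": frozenset({"FIN", "ACK"}),
    "ack":    frozenset({"ACK"}),
    "window": frozenset({"ACK"}),
}


def target_reply(stack, port_open, flags, filtered=False):
    """What comes back from the target for one probe: "rst:<window>" or "none".

    stack "rfc793":       open ports drop segments without SYN, closed ports
                          send RST; the window on a RST from an open port is an
                          assumed 1024 so the Window scan has something to read.
    stack "windows-like": RST for every port regardless of state.
    stack "old-bsd":      like rfc793, but an open port also drops FIN/ACK
                          (the historical quirk the Maimon scan relied on).
    """
    if filtered:
        return "none"                       # firewall drops the probe silently
    if stack == "windows-like":
        return "rst:0"
    if stack == "old-bsd" and flags == PROBE_FLAGS["maimon"] and port_open:
        return "none"
    if "ACK" in flags:
        # A bare ACK (or FIN/ACK) that belongs to no connection gets a RST
        # whether the port is open or closed; only the window may differ.
        return "rst:1024" if port_open else "rst:0"
    return "none" if port_open else "rst:0"


def nmap_state(scan_type, reply):
    """The state label Nmap prints for this scan type and this reply."""
    got_rst = reply.startswith("rst:")
    if scan_type in ("null", "fin", "xmas", "maimon"):
        if got_rst:
            return "closed"
        return "filtered" if reply == "icmp-unreachable" else "open|filtered"
    if scan_type == "ack":
        return "unfiltered" if got_rst else "filtered"
    if scan_type == "window":
        if not got_rst:
            return "filtered"
        return "open" if int(reply.split(":")[1]) > 0 else "closed"
    raise ValueError(f"unknown scan type {scan_type}")


def run_scan(scan_type, stack, ports):
    """ports: {port: (is_open, is_filtered)} -> {port: state Nmap would print}."""
    flags = PROBE_FLAGS[scan_type]
    return {
        port: nmap_state(scan_type, target_reply(stack, is_open, flags, is_filtered))
        for port, (is_open, is_filtered) in ports.items()
    }


if __name__ == "__main__":
    # Constructed target: 22 open, 23 closed, 443 open but behind a stateful firewall.
    ports = {22: (True, False), 23: (False, False), 443: (True, True)}
    for stack in ("rfc793", "windows-like", "old-bsd"):
        for scan_type in PROBE_FLAGS:
            print(f"{stack:13} {scan_type:7} {run_scan(scan_type, stack, ports)}")
```

Running it shows the three lessons side by side: against the RFC stack the Null/FIN/Xmas scans can only say open|filtered for port 22 and for the firewalled 443, the Windows-like stack makes every port look closed, Maimon only separates open from closed on the old-BSD stack, and the ACK scan reports 22 and 23 identically as unfiltered while the Window scan can split them.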

6) Custom Flag Scans

Nmap lets you build your own TCP flag combinations with --scanflags, using any combination of URG, ACK, PSH, RST, SYN and FIN. By default the replies are interpreted with SYN-scan rules; add a base scan type such as -sA to have them interpreted as an ACK scan instead.

sudo nmap --scanflags RSTSYNFIN MACHINE_IP
sudo nmap --scanflags URGACKPSHRSTSYNFIN MACHINE_IP

Warning: custom scans only help if you understand how the target OS, firewall, and network devices are likely to interpret that flag combination. Otherwise the output is easy to misread.

7) Spoofing and Decoys

Nmap can make scans harder to attribute, but the usefulness depends heavily on network position and your ability to observe replies.

Spoofed source IP

sudo nmap -e NET_INTERFACE -Pn -S SPOOFED_IP MACHINE_IP

Spoofed MAC (only meaningful when you are on the same Ethernet segment as the target, since the MAC header is rewritten at every router hop; 0 picks a random address, otherwise give a vendor name or a full MAC)

--spoof-mac SPOOFED_MAC

Decoy scan

sudo nmap -D DECOY_IP,ME MACHINE_IP
sudo nmap -D 10.10.0.1,10.10.0.2,RND,RND,ME MACHINE_IP

Important: spoofing the source IP is often useless unless you also sit on the path (or control the spoofed host) and can capture the responses, which go to SPOOFED_IP rather than to you. Decoys are more generally practical: your real address (ME) is still in the mix to receive replies, but the target sees the same probes coming from several sources. Use decoy addresses that are actually up, otherwise the target may end up half-open-flooded through hosts that never answer, and put ME late in the list (sixth or later) because some detectors only report the first few sources they see. Decoys send raw packets, so they need root like the other scans on this page.

8) Fragmentation and Packet Shaping

Fragmenting packets can sometimes make detection or filtering harder for simpler security devices.

-f                  split the TCP header into 8-byte IP fragments
-ff                 16-byte fragments
--mtu 24            fragment size of your choice; must be a multiple of 8
--data-length 50    append 50 random bytes so the probes do not have Nmap's usual size

Practical point: fragmentation can matter against old or simple inspection systems, but many modern firewalls and IDS/IPS products reassemble traffic and still inspect it correctly.
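The following added example (not from the room or from Nmap's source) shows why the fragment size matters: it builds a plain 20-byte TCP SYN header, cuts it up the way -f, -ff and --mtu do, and reports which fragment ends up carrying the TCP flags byte. Only the IP fragment arithmetic is modelled; the IP header, --data-length and the wire itself are left out, and the ports used are made up.

```python
# Added example, not from the room or from Nmap's source: how -f, -ff and
# --mtu cut a 20-byte TCP header into IP fragments, and which fragment ends
# up carrying the TCP flags byte. Only the fragment arithmetic is modelled;
# --data-length and the IP header itself are left out and nothing is sent.
import struct

TCP_FLAGS_OFFSET = 13          # byte 13 of the TCP header holds the flags
SYN = 0x02


def build_tcp_header(sport, dport, flags, window=1024):
    """Minimal 20-byte TCP header with no options (data offset = 5 words)."""
    seq, ack, checksum, urgent = 0, 0, 0, 0
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       5 << 4, flags, window, checksum, urgent)


def fragment(payload, mtu):
    """Split the IP payload into pieces of `mtu` bytes.

    -f is mtu=8, -ff is mtu=16, --mtu N is any multiple of 8: the IP
    fragment-offset field counts 8-byte units, which is why Nmap rejects
    other sizes. Returns dicts with offset (in 8-byte units), MF flag, data.
    """
    if mtu <= 0 or mtu % 8:
        raise ValueError("fragment size must be a positive multiple of 8")
    frags = []
    for start in range(0, len(payload), mtu):
        frags.append({"offset": start // 8,
                      "mf": start + mtu < len(payload),
                      "data": payload[start:start + mtu]})
    return frags


def fragment_with_flags(frags):
    """Index of the fragment that contains the TCP flags byte, or None."""
    for i, f in enumerate(frags):
        start = f["offset"] * 8
        if start <= TCP_FLAGS_OFFSET < start + len(f["data"]):
            return i
    return None


def reassemble(frags):
    """What a stateful firewall or IDS must do before it can read the flags."""
    buf = bytearray()
    for f in sorted(frags, key=lambda f: f["offset"]):
        buf[f["offset"] * 8:] = f["data"]
    return bytes(buf)


if __name__ == "__main__":
    hdr = build_tcp_header(40000, 80, SYN)        # constructed probe
    for label, mtu in (("-f", 8), ("-ff", 16), ("--mtu 24", 24)):
        frags = fragment(hdr, mtu)
        print(f"{label:9} {len(frags)} fragment(s), flags byte in fragment "
              f"{fragment_with_flags(frags)}")
```

With -f the first fragment holds only the ports and sequence number; the SYN flag does not appear until the second fragment, so a filter that decides on the first fragment alone never sees it. With -ff or --mtu 24 the flags sit in the first fragment again, and a device that reassembles (reassemble above) sees the original header regardless of the size used.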

9) Idle/Zombie Scan

Idle scan, selected with -sI, is one of the more elegant stealth techniques in Nmap. It uses a quiet third-party host (the zombie) whose IP ID counter increments by one for every packet it sends, so the attacker can count the zombie's traffic from a distance and infer whether a target port is open without ever sending the target a packet from their own address.

sudo nmap -sI ZOMBIE_IP MACHINE_IP

High-level logic:

  1. Probe the zombie to observe its current IP ID.
  2. Send a spoofed SYN to the target using the zombie’s IP as source.
  3. Probe the zombie again and compare its IP ID increase.

Interpretation: each packet the zombie sends consumes one IP ID. If the target port is open, the target replies SYN/ACK to the zombie, the zombie answers RST and burns an ID, so the second probe shows an increase of 2. If the port is closed or filtered, the zombie either gets a RST (which it ignores) or nothing at all, so the increase is 1; that is why Nmap reports closed|filtered rather than distinguishing the two. Any other increase means the zombie was not idle and the result is unreliable.
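The three steps above as a toy model, added here as an example and not part of the room: a zombie with a global incremental IP ID, a target with a constructed set of open, closed and filtered ports, and the inference from the IP ID delta. The addresses, port states and the noise parameter (extra packets the zombie sends to other hosts between our probes) are assumptions for the demonstration; nothing touches the network.

```python
# Added example, not from the room: a toy model of the idle scan's IP ID
# arithmetic. Zombie, target and port states are constructed for the
# demonstration; nothing is sent on the wire.


class Zombie:
    """An idle host whose IP ID is one global counter that goes up by one
    for every packet it sends (the ideal zombie)."""

    def __init__(self, ip, ipid=1000, noise=0):
        self.ip = ip
        self.ipid = ipid
        self.noise = noise        # packets it sends to others between our probes

    def send(self):
        self.ipid += 1
        return self.ipid

    def probe(self):
        """Attacker sends SYN/ACK to the zombie; the RST it returns carries
        its current IP ID."""
        return self.send()

    def receive(self, segment):
        """Unsolicited SYN/ACK -> the zombie answers RST (one IP ID consumed).
        Unsolicited RST -> silently ignored (no packet, no IP ID)."""
        if segment == "syn-ack":
            self.send()

    def background_traffic(self):
        for _ in range(self.noise):
            self.send()


class Target:
    def __init__(self, ports):
        self.ports = ports        # port -> "open" | "closed" | "filtered"

    def receive_syn(self, port):
        state = self.ports.get(port, "closed")
        if state == "open":
            return "syn-ack"
        if state == "closed":
            return "rst"
        return None               # filtered: dropped, nothing reaches the zombie


def idle_scan_port(zombie, target, port):
    before = zombie.probe()                  # 1. current IP ID of the zombie
    reply = target.receive_syn(port)         # 2. SYN spoofed from the zombie's IP
    if reply is not None:
        zombie.receive(reply)                #    the target answers the zombie, not us
    zombie.background_traffic()              #    whatever else the zombie is doing
    after = zombie.probe()                   # 3. probe the zombie again
    delta = after - before
    if delta == 2:
        return "open"
    if delta == 1:
        return "closed|filtered"
    return "unreliable"                      # zombie was not idle


def idle_scan(zombie, target, ports):
    return {port: idle_scan_port(zombie, target, port) for port in ports}


if __name__ == "__main__":
    target = Target({22: "open", 23: "closed", 443: "filtered"})   # constructed
    print(idle_scan(Zombie("10.10.0.5"), target, [22, 23, 443]))
    noisy = Zombie("10.10.0.6", noise=1)
    print(idle_scan(noisy, target, [22, 23]))   # a busy zombie corrupts the result
```

The second run is the caveat: a zombie that sends just one extra packet between probes turns a closed port into a false "open" and an open port into an unreadable delta of 3, which is why Nmap checks the zombie's IP ID behaviour before trusting it and why a genuinely idle host is required.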

10) More Detail in Output

Nmap can explain why it reached a conclusion and give increasingly detailed runtime information.

--reason    print, per port, the packet or lack of one that decided the state
-v          verbose: open ports as they are found, timing estimates
-vv         more of the same
-d          debugging output, including packet-level decisions
-dd         more debugging output

Why this matters: on tricky scans, understanding the exact response Nmap used, such as syn-ack, reset, or arp-response, helps you interpret ambiguous results properly.
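As an added example (not part of the room), here is a small parser for the per-port lines Nmap prints with --reason, so the ambiguous states can be sorted by the evidence behind them. The sample output is constructed to look like Nmap's normal output with the REASON column and was not captured from a real scan; the addresses and ports in it are made up.

```python
# Added example, not from the room: parse the per-port lines of Nmap's normal
# output when --reason is used, and pull out the ports whose state rests on
# silence rather than on a packet. SAMPLE is constructed, not a real capture.
import re

SAMPLE = """\
PORT    STATE         SERVICE REASON
22/tcp  open          ssh     syn-ack ttl 63
25/tcp  closed        smtp    reset ttl 63
80/tcp  open|filtered http    no-response
443/tcp filtered      https   admin-prohibited from 10.10.0.1
"""

# port/proto, state (may contain '|'), service, then the reason column
LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s+(.*)$")


def parse_reason_output(text):
    """Return one dict per port line; headers and other lines are skipped."""
    rows = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        port, proto, state, service, reason = m.groups()
        words = reason.split()
        rows.append({
            "port": int(port),
            "proto": proto,
            "state": state,
            "service": service,
            "reason": words[0],              # e.g. syn-ack, reset, no-response
            "detail": " ".join(words[1:]),   # e.g. "ttl 63", "from 10.10.0.1"
        })
    return rows


def uncertain_ports(rows):
    """Ports whose state was inferred from getting nothing back at all."""
    return [r["port"] for r in rows if r["reason"] == "no-response"]


def ports_by_reason(rows):
    """Group ports by the kind of evidence Nmap had for them."""
    grouped = {}
    for r in rows:
        grouped.setdefault(r["reason"], []).append(r["port"])
    return grouped


if __name__ == "__main__":
    rows = parse_reason_output(SAMPLE)
    print(ports_by_reason(rows))
    print("worth a second look:", uncertain_ports(rows))
```

On the constructed sample this separates port 80, whose open|filtered label rests on no reply at all, from port 443, where a third device (the "from 10.10.0.1" detail) actively refused the probe, which is exactly the distinction the prose above is asking you to make before drawing conclusions.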

Nmap Advanced Scan Cheat Sheet

sudo nmap -sN MACHINE_IP
sudo nmap -sF MACHINE_IP
sudo nmap -sX MACHINE_IP
sudo nmap -sM MACHINE_IP
sudo nmap -sA MACHINE_IP
sudo nmap -sW MACHINE_IP
sudo nmap --scanflags URGACKPSHRSTSYNFIN MACHINE_IP
sudo nmap -sI ZOMBIE_IP MACHINE_IP

Exam Notes (PT1)