A NULL scan is a network reconnaissance technique that sends TCP segments with none of the flag bits set in the header. This never happens in legitimate TCP traffic: a connection is opened with SYN, every later segment carries ACK, and it is torn down with FIN or RST, so at least one flag is always present. By omitting all flags, a NULL scan probes a target's ports without starting a handshake, and it can slip past simple packet filters whose rules key on specific flag combinations.
How NULL Scanning Works
In a NULL scan, the attacker dispatches TCP segments with none of the six classic flags (URG, ACK, PSH, RST, SYN, FIN) set. The target's response, or the absence of one, reveals the state of the probed port:
- Open Ports: An RFC 793-compliant stack silently discards a flagless segment that arrives at a listening port, so an open port produces no reply.
- Closed Ports: A flagless segment that arrives at a port with no listener is answered with a TCP RST (reset) segment.
Silence therefore suggests an open port and an RST proves a closed one. The inference is asymmetric: a firewall that drops the probe, or a host that is down, produces exactly the same silence as an open port, which is why Nmap reports unanswered ports as open|filtered rather than open.
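The probe and the response logic above, as an added example that is not code from the page or from Nmap: it builds a bare TCP header with flags=0, interprets a reply the way -sN does (no reply is open|filtered, an RST is closed), and can send the probes over a raw socket. The raw-socket part assumes Linux and root or CAP_NET_RAW; the target address is the placeholder from the page's nmap example, the source port choice is an assumption, and the builder and classifier run offline.

```python
import os
import socket
import struct
import time
from typing import Dict, Iterable, Optional

# The six classic TCP flag bits (low six bits of the 16-bit offset/flags field).
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK, TCP_URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words, zero-padded to even length."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    """IPv4 pseudo-header that the TCP checksum covers in addition to the segment."""
    return struct.pack("!4s4sBBH", socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
                       0, socket.IPPROTO_TCP, tcp_len)


def build_tcp_segment(src_ip: str, dst_ip: str, src_port: int, dst_port: int,
                      flags: int = 0, seq: int = 0) -> bytes:
    """Build a 20-byte TCP header with no options. flags=0 is the NULL probe."""
    offset_flags = (5 << 12) | (flags & 0x3F)        # data offset = 5 words, then flags
    header = struct.pack("!HHIIHHHH", src_port, dst_port, seq, 0, offset_flags,
                         1024, 0, 0)                  # window 1024, checksum 0, urgent 0
    csum = checksum(pseudo_header(src_ip, dst_ip, len(header)) + header)
    return header[:16] + struct.pack("!H", csum) + header[18:]


def checksum_ok(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """A correctly checksummed segment sums to zero together with its pseudo-header."""
    return checksum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


def tcp_flags(segment: bytes) -> int:
    """Flag bits of a TCP header (bytes 12-13 hold data offset and flags)."""
    return struct.unpack("!H", segment[12:14])[0] & 0x3F


def classify(reply: Optional[bytes]) -> str:
    """Interpret the reply to a NULL probe the way Nmap's -sN does."""
    if reply is None:
        return "open|filtered"     # silence: open port, or a filter dropped the probe
    if tcp_flags(reply) & TCP_RST:
        return "closed"             # RFC 793 reset from a port with no listener
    return "unexpected"             # e.g. a stack that answers flagless segments anyway


def local_ip_for(dst_ip: str) -> str:
    """Source address the kernel would use for dst_ip (a UDP connect sends nothing)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.connect((dst_ip, 9))
        return s.getsockname()[0]


def null_scan(dst_ip: str, ports: Iterable[int], timeout: float = 1.0) -> Dict[int, str]:
    """Send one NULL probe per port over a raw socket and classify each reply.
    Linux only (BSD stacks do not hand TCP to raw sockets); needs root or CAP_NET_RAW."""
    src_ip = local_ip_for(dst_ip)
    src_port = 40000 + os.getpid() % 10000          # assumed free; avoids a local listener
    results: Dict[int, str] = {}
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_TCP) as sock:
        sock.settimeout(0.1)
        for port in ports:
            sock.sendto(build_tcp_segment(src_ip, dst_ip, src_port, port), (dst_ip, 0))
            reply = None
            deadline = time.monotonic() + timeout
            while time.monotonic() < deadline:
                try:
                    pkt, (peer, _) = sock.recvfrom(65535)
                except socket.timeout:
                    continue
                ihl = (pkt[0] & 0x0F) * 4             # raw TCP sockets receive the IP header too
                seg = pkt[ihl:]
                sport, dport = struct.unpack("!HH", seg[:4])
                if peer == dst_ip and sport == port and dport == src_port:
                    reply = seg
                    break
            results[port] = classify(reply)
    return results


if __name__ == "__main__":
    # Placeholder target taken from the page's nmap example; run as root on Linux.
    print(null_scan("192.168.1.1", [22, 80, 443]))
```

The kernel ignores the RST that comes back because no local socket owns the source port, so the reply is only visible on the raw socket; that is also why a real tool must demultiplex replies by source port, as the loop above does. Note that the classifier treats anything other than RST as "unexpected" instead of guessing, which is what you see from stacks that do not follow RFC 793.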
Bypassing Firewalls with NULL Scans
NULL scans can be effective against stateless packet filters whose rules key on specific TCP flags, most commonly rules that only examine segments with SYN set. Because the probe carries no flags it matches none of those rules and may pass through, and the RST from a closed port comes back the same way. The evasion is limited, however: a stateful firewall drops any segment that does not belong to an established connection, and even a stateless filter can match the probe directly (iptables' `--tcp-flags ALL NONE`, for example). Where a filter silently drops the probe, the scan cannot distinguish a filtered port from an open one. Modern firewalls and intrusion detection systems have also evolved to recognize flagless segments as scan traffic in their own right.
Practical Example Using Nmap
The Nmap tool facilitates NULL scanning with the -sN option. For instance:
nmap -sN 192.168.1.1
This command initiates a NULL scan against the host at IP address 192.168.1.1. Because Nmap has to craft raw TCP segments, -sN requires root privileges (or the CAP_NET_RAW capability on Linux). By default it probes Nmap's top 1,000 ports; ports that answer with RST are reported as closed, and ports that stay silent as open|filtered, since Nmap cannot tell an open port from one whose probe was dropped by a firewall. Nmap's --reason option prints which response led to each classification, which is useful when most of the scan comes back open|filtered.
Limitations and Considerations
- Operating System Behavior: Not all operating systems respond to NULL scans in the same way. Windows, and a number of network devices such as Cisco IOS, reply with RST to any unexpected segment regardless of the port's state, so every port appears closed and the scan yields nothing. Against such targets a SYN scan (-sS) is needed instead.
- Legal and Ethical Implications: Conducting NULL scans without proper authorization can be illegal and is unethical. Obtain explicit, written permission before performing such scans on any network you do not own.
- Detection by Advanced Security Systems: While NULL scans may bypass basic packet filters, a flagless TCP segment never occurs in normal traffic, so intrusion detection systems can match it directly and alert administrators to the scanning activity.
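A minimal detector for the flagless segments, as an added example that is not from the page or from any IDS product: it runs over a constructed list of packet records (the fields a sensor would extract from a pcap or flow log) and alerts on any source that sends NULL segments to several ports within a short window. The sample addresses, the thresholds and the record layout are assumptions.

```python
from collections import defaultdict
from typing import Dict, List, Sequence, Tuple

# One record per TCP segment: (time_s, src_ip, dst_ip, dst_port, flag_bits).
Packet = Tuple[float, str, str, int, int]

# Constructed sample traffic: 10.0.0.5 sweeps six ports with flagless segments in a
# few seconds and the target answers the closed ones with RST+ACK (0x14); 10.0.0.7 is
# a normal client (SYN, SYN-ACK, ACK); 10.0.0.9 sends one stray flagless segment.
SAMPLE_TRAFFIC: List[Packet] = [
    (0.0, "10.0.0.5", "10.0.0.10", 22, 0x00),
    (0.5, "10.0.0.5", "10.0.0.10", 25, 0x00),
    (0.5, "10.0.0.10", "10.0.0.5", 40001, 0x14),
    (1.0, "10.0.0.5", "10.0.0.10", 80, 0x00),
    (1.5, "10.0.0.5", "10.0.0.10", 443, 0x00),
    (2.0, "10.0.0.5", "10.0.0.10", 3389, 0x00),
    (2.0, "10.0.0.10", "10.0.0.5", 40001, 0x14),
    (2.5, "10.0.0.5", "10.0.0.10", 8080, 0x00),
    (10.0, "10.0.0.7", "10.0.0.10", 443, 0x02),
    (10.5, "10.0.0.10", "10.0.0.7", 51000, 0x12),
    (11.0, "10.0.0.7", "10.0.0.10", 443, 0x10),
    (30.0, "10.0.0.9", "10.0.0.10", 80, 0x00),
]


def is_null_probe(flags: int) -> bool:
    """A segment with none of the six classic flags set never occurs in a real exchange."""
    return flags & 0x3F == 0


def detect_null_scans(packets: Sequence[Packet], min_ports: int = 5,
                      window_s: float = 10.0) -> Dict[str, List[int]]:
    """Alert on each source that sent flagless segments to at least min_ports
    distinct (destination, port) pairs within any window_s-second window.
    Returns {src_ip: sorted list of probed ports in the first offending window}."""
    probes: Dict[str, List[Tuple[float, str, int]]] = defaultdict(list)
    for t, src, dst, dport, flags in packets:
        if is_null_probe(flags):
            probes[src].append((t, dst, dport))

    alerts: Dict[str, List[int]] = {}
    for src, events in probes.items():
        events.sort()
        # Slide a window starting at each probe; stop at the first one that trips.
        for i, (t0, _, _) in enumerate(events):
            in_window = {(d, p) for t, d, p in events[i:] if t - t0 <= window_s}
            if len(in_window) >= min_ports:
                alerts[src] = sorted(p for _, p in in_window)
                break
    return alerts


if __name__ == "__main__":
    for src, ports in detect_null_scans(SAMPLE_TRAFFIC).items():
        print(f"NULL scan from {src}: ports {ports}")
```

Because a legitimate segment always carries at least one flag, a single flagless packet is already anomalous; the port threshold only keeps corrupt or malformed packets from paging anyone, and can be set to 1 on a quiet segment. Signature-based IDSs express the same match in a rule keyword (Snort and Suricata `flags:0;`), and the RST replies leaking back through a stateless filter give a second place to spot the scan.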