Q

What is an Nmap Maimon scan?

Systems are often designed to hide out on a network. In this SearchSecurity.com Q&A, network security expert Mike Chapple explains how Nmap Maimon scans can get a response out of them.

What is an Nmap Maimon scan and how does the tool interpret responses from it?

Your question actually led me down an intriguing path. I first checked the Nmap documentation, which referred to issue No. 49 of Phrack magazine, where, on Nov. 8, 1996, a gentleman named Uriel Maimon wrote an article entitled "Port Scanning without the SYN flag". The documentation added that the Maimon scan uses packets with both the FIN and ACK flags set.

That seemed like a simple, reasonable explanation, until I turned to the source and read Uriel's article for fact-checking purposes. It turns out that his article described sending an initial FIN packet followed by an ACK packet and then looking for discrepancies between their TTL values.

After hearing these conflicting facts, I used Nmap to run a Maimon scan, monitoring the session with the Ethereal packet sniffer. It turns out that the Nmap documentation correctly describes Nmap's behavior: it sends packets with both the FIN and ACK flags set. This mimics the second stage (FIN/ACK) of the three-way handshake used to tear down a TCP/IP connection. The setting also provides an alternative to FIN probes, which mimic the first step of the TCP breakdown handshake, and SYN probes, which mimic the first step of the connection setup handshake.

Why would you use Maimon's FIN/ACK probe? It's simply another way of eliciting responses from systems that are configured to cloak their presence on the network. Consider it one more weapon in your probe arsenal.

More information:

  • Want to use Nmap in your organization? Read SearchSecurity.com's Nmap Technical Guide.
  • When it comes to network discovery tools, is there anything more comprehensive than Nmap? Michael Cobb explains.
This was first published in April 2007
This Content Component encountered an error

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close