Chapter 5. Port Scanning Techniques and Algorithms
TCP Maimon Scan (-sM)
The Maimon scan is named after its discoverer, Uriel Maimon. He described the technique in
Phrack Magazine issue #49 (November 1996).
Nmap, which included this technique, was released two issues later.
This technique is exactly the same as the NULL, FIN, and Xmas scans, except
that the probe is FIN/ACK. According to RFC 793 (TCP), a RST packet
should be generated in response to such a probe whether the port is
open or closed, so a compliant host gives the scanner nothing to tell
the two apart. However, Uriel noticed that many BSD-derived systems
simply drop the packet if the port is open. Nmap takes
advantage of this to determine open ports, treating a RST as closed and
silence (even after retransmission) as open|filtered, as shown in Table 5.7.
Table 5.7. How Nmap interprets responses to a Maimon scan probe
The Nmap flag for a Maimon scan is -sM. While
this option was quite useful in 1996, modern systems rarely exhibit
this bug. They send a RST back for all ports, making every port
appear closed. This result is shown in Example 5.18.
Example 5.18. A failed Maimon scan
# nmap -sM -T4 para
Starting Nmap ( http://nmap.org )
All 1000 scanned ports on para (192.168.10.191) are: closed
MAC Address: 00:60:1D:38:32:90 (Lucent Technologies)
Nmap done: 1 IP address (1 host up) scanned in 4.19 seconds
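The following is an added example, not code from the book or from Nmap itself, that makes the mechanics above concrete: it builds the FIN/ACK probe segment with a valid TCP checksum, classifies replies the way the text describes (RST means closed, no reply means open|filtered; ICMP unreachable codes 1, 2, 3, 9, 10 and 13 are treated as filtered, an assumption carried over from Nmap's convention for its other FIN-family scans), and runs the scan against two constructed host models: an RFC 793 compliant stack, which reproduces the all-closed result of Example 5.18, and a host with the BSD-derived bug, where the open ports show up as open|filtered. The addresses 10.0.0.1/10.0.0.2, the port set and the responder models are all constructed for the example; nothing here sends packets on the wire.

```python
import struct

# TCP control bits (RFC 793), low-order byte of the offset/flags word
TCP_FIN = 0x01
TCP_RST = 0x04
TCP_ACK = 0x10

# ICMP destination-unreachable codes treated as "filtered". Assumed here to
# follow Nmap's convention for its FIN-family scans; not taken from this page.
ICMP_FILTERED_CODES = (1, 2, 3, 9, 10, 13)


def ones_complement_sum(data: bytes) -> int:
    """Internet checksum (RFC 1071) over data, zero-padded to an even length."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_to_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def tcp_pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    # IPv4 pseudo-header: source, destination, zero byte, protocol 6 (TCP), TCP length
    return ipv4_to_bytes(src_ip) + ipv4_to_bytes(dst_ip) + struct.pack("!BBH", 0, 6, tcp_len)


def build_maimon_probe(src_ip, dst_ip, sport, dport, seq=0x12345678, ack=0):
    """Return a 20-byte TCP header with FIN and ACK set: the Maimon probe."""
    data_offset = 5 << 4          # five 32-bit words, no options
    flags = TCP_FIN | TCP_ACK     # 0x11
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, data_offset, flags, 1024, 0, 0)
    csum = ones_complement_sum(tcp_pseudo_header(src_ip, dst_ip, len(header)) + header)
    return header[:16] + struct.pack("!H", csum) + header[18:]


def verify_tcp_checksum(src_ip, dst_ip, segment) -> bool:
    """A correctly checksummed segment sums to zero together with its pseudo-header."""
    return ones_complement_sum(tcp_pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


def classify_response(response):
    """Map a reply to the port state assigned for a FIN/ACK probe.
    response is None (nothing came back, even after retransmission),
    ("tcp", header_bytes) or ("icmp", icmp_type, icmp_code)."""
    if response is None:
        return "open|filtered"      # silence: the BSD bug on an open port, or a filter
    if response[0] == "tcp":
        if response[1][13] & TCP_RST:
            return "closed"         # RST: closed port, or any port on an RFC-compliant stack
        return "unexpected"         # a FIN/ACK probe should never draw a non-RST segment
    if response[0] == "icmp":
        _, icmp_type, icmp_code = response
        if icmp_type == 3 and icmp_code in ICMP_FILTERED_CODES:
            return "filtered"
    return "unexpected"


def make_responder(open_ports, drops_finack_to_open):
    """Constructed model of a target host, not a real stack.
    RFC 793: any FIN/ACK outside a connection gets a RST, open port or not.
    BSD-derived bug: the probe is silently dropped when the port is listening."""
    def respond(probe):
        sport, dport = struct.unpack("!HH", probe[:4])
        if drops_finack_to_open and dport in open_ports:
            return None
        rst = struct.pack("!HHIIBBHHH", dport, sport, 0, 0, 5 << 4, TCP_RST, 0, 0, 0)
        return ("tcp", rst)
    return respond


def maimon_scan(ports, respond, src_ip="10.0.0.2", dst_ip="10.0.0.1", retries=1):
    """Probe each port, retransmitting on silence, and return {port: state}."""
    results = {}
    for port in ports:
        probe = build_maimon_probe(src_ip, dst_ip, 40000, port)
        reply = None
        for _ in range(retries + 1):
            reply = respond(probe)
            if reply is not None:
                break
        results[port] = classify_response(reply)
    return results


if __name__ == "__main__":
    targets = [22, 80, 443]
    modern = make_responder({22, 80}, drops_finack_to_open=False)
    legacy = make_responder({22, 80}, drops_finack_to_open=True)
    print("RFC-compliant host:", maimon_scan(targets, modern))  # all closed, as in Example 5.18
    print("BSD-bug host:      ", maimon_scan(targets, legacy))
```

The compliant model answers every probe with a RST, so the scan reports all three ports closed even though 22 and 80 are listening; only the buggy model lets the open ports stand out, and even then they are reported as open|filtered because a silently dropping firewall would look identical.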