TCP Maimon Scan (-sM)

The Maimon scan is named after its discoverer, Uriel Maimon. He described the technique in Phrack Magazine issue #49 (November 1996). Nmap, which included this technique, was released two issues later. This technique is exactly the same as NULL, FIN, and Xmas scan, except that the probe is FIN/ACK. According to RFC 793 (TCP), a RST packet should be generated in response to such a probe whether the port is open or closed. However, Uriel noticed that many BSD-derived systems simply drop the packet if the port is open. Nmap takes advantage of this to determine open ports, as shown in Table 5.7.

Table 5.7. How Nmap interprets responses to a Maimon scan probe
  Probe Response                                                Assigned State
  -----------------------------------------------------------   --------------
  No response received (even after retransmissions)             open|filtered
  TCP RST packet                                                closed
  ICMP unreachable error (type 3, code 1, 2, 3, 9, 10, or 13)   filtered

The Nmap flag for a Maimon scan is -sM. While this option was quite useful in 1996, modern systems rarely exhibit this bug. They send a RST back for all ports, making every port appear closed. This result is shown in Example 5.18.

Example 5.18. A failed Maimon scan
# nmap -sM -T4 para

Starting Nmap ( )
All 1000 scanned ports on para ( are: closed
MAC Address: 00:60:1D:38:32:90 (Lucent Technologies)

Nmap done: 1 IP address (1 host up) scanned in 4.19 seconds
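The distinguishing feature of a Maimon probe is a FIN/ACK segment on a connection the target never opened. The following detection logic is an added example, not code from the Nmap book or the Nmap project: it walks a constructed packet trace, remembers which flows began with a SYN, and reports any source that sends unsolicited FIN/ACK segments to several ports, while leaving the normal FIN/ACK close of an established connection alone. The trace, addresses and the port threshold are assumptions made up for the example.

```python
from collections import defaultdict

# Constructed sample trace (not captured from a real network). Each record is
# (src_ip, src_port, dst_ip, dst_port, tcp_flags); flags use the tcpdump/Nmap
# letters S=SYN, A=ACK, F=FIN, R=RST.
TRACE = [
    # Legitimate connection: handshake, then a graceful FIN/ACK close.
    ("10.0.0.5", 40001, "10.0.0.9", 80, "S"),
    ("10.0.0.9", 80, "10.0.0.5", 40001, "SA"),
    ("10.0.0.5", 40001, "10.0.0.9", 80, "A"),
    ("10.0.0.5", 40001, "10.0.0.9", 80, "FA"),
    # Maimon-style probes: FIN/ACK with no handshake, one source, many ports.
    # The target answers RST for every port, as RFC 793 requires, so Nmap
    # would report all of them as closed (compare Example 5.18).
    ("10.0.0.7", 51000, "10.0.0.9", 22, "FA"),
    ("10.0.0.9", 22, "10.0.0.7", 51000, "R"),
    ("10.0.0.7", 51000, "10.0.0.9", 80, "FA"),
    ("10.0.0.9", 80, "10.0.0.7", 51000, "R"),
    ("10.0.0.7", 51000, "10.0.0.9", 443, "FA"),
    ("10.0.0.9", 443, "10.0.0.7", 51000, "R"),
]


def find_maimon_probes(trace, port_threshold=3):
    """Return {src_ip: sorted list of probed dst ports} for every source that
    sends FIN/ACK segments on flows that never started with a SYN, against at
    least port_threshold distinct ports (threshold is an assumed tuning knob)."""
    opened = set()                      # flows (and their reverse) that began with a SYN
    unsolicited = defaultdict(set)      # src_ip -> ports hit by out-of-state FIN/ACK
    for src, sport, dst, dport, flags in trace:
        flow = (src, sport, dst, dport)
        if "S" in flags and "A" not in flags:
            # Plain SYN: both directions of this flow are now legitimate.
            opened.add(flow)
            opened.add((dst, dport, src, sport))
            continue
        # FIN and ACK set, no SYN, on a flow we never saw opened: a Maimon probe.
        if "F" in flags and "A" in flags and "S" not in flags and flow not in opened:
            unsolicited[src].add(dport)
    return {src: sorted(ports)
            for src, ports in unsolicited.items() if len(ports) >= port_threshold}


if __name__ == "__main__":
    for src, ports in find_maimon_probes(TRACE).items():
        print(f"possible Maimon scan from {src}: FIN/ACK to ports {ports}")
```

A real deployment would key the same logic off a packet capture or IDS flow table; the point is that FIN/ACK without a preceding SYN from the same 4-tuple is what separates the probe from a normal connection teardown.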