
Nmap Network Scanning

TCP Maimon Scan (-sM)

The Maimon scan is named after its discoverer, Uriel Maimon. He described the technique in Phrack Magazine issue #49 (November 1996). Nmap, which included this technique, was released two issues later. This technique is exactly the same as NULL, FIN, and Xmas scan, except that the probe is FIN/ACK. According to RFC 793 (TCP), a RST packet should be generated in response to such a probe whether the port is open or closed. However, Uriel noticed that many BSD-derived systems simply drop the packet if the port is open. Nmap takes advantage of this to determine open ports, as shown in Table 5.7.

Table 5.7. How Nmap interprets responses to a Maimon scan probe

Probe Response                                                 Assigned State
No response received (even after retransmissions)              open|filtered
TCP RST packet                                                 closed
ICMP unreachable error (type 3, code 1, 2, 3, 9, 10, or 13)    filtered

The Nmap flag for a Maimon scan is -sM. While this option was quite useful in 1996, modern systems rarely exhibit this bug. They send a RST back for all ports, making every port appear closed. This result is shown in Example 5.18.

Example 5.18. A failed Maimon scan

# nmap -sM -T4 para

Starting Nmap ( http://nmap.org )
All 1000 scanned ports on para ( are: closed
MAC Address: 00:60:1D:38:32:90 (Lucent Technologies)

Nmap done: 1 IP address (1 host up) scanned in 4.19 seconds
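The following Python model, added here and not part of the book or of Nmap's own source, encodes Table 5.7 as a state-assignment function and simulates the two target behaviours the text contrasts: an old BSD-derived stack that silently drops a FIN/ACK to an open port, and an RFC 793-conformant stack that answers every probe with RST. No packets are sent; the `Response` type, the two `*_target` functions and the port sets are constructed for illustration, and the handling of ICMP messages outside the codes listed in the table (treated as no answer) is an assumption, not Nmap's documented logic.

```python
"""Model of how Nmap assigns port states to Maimon scan (-sM) responses.

Constructed example: the *_target functions stand in for a remote host's
reply to a FIN/ACK probe, and maimon_state() encodes Table 5.7.  Nothing
here touches the network.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Optional, Set

# ICMP type 3 codes that Table 5.7 maps to "filtered".
FILTERED_ICMP_CODES = {1, 2, 3, 9, 10, 13}


@dataclass(frozen=True)
class Response:
    """What came back for one FIN/ACK probe: nothing, a RST, or an ICMP error."""
    kind: str                        # "none", "rst" or "icmp"
    icmp_type: Optional[int] = None  # only meaningful when kind == "icmp"
    icmp_code: Optional[int] = None


def maimon_state(resp: Response) -> str:
    """Map a probe response onto the Nmap port state from Table 5.7."""
    if resp.kind == "none":
        # Silence, even after retransmission, is ambiguous: either the port is
        # open on a stack that drops the probe, or a filter ate it.
        return "open|filtered"
    if resp.kind == "rst":
        return "closed"
    if resp.kind == "icmp":
        if resp.icmp_type == 3 and resp.icmp_code in FILTERED_ICMP_CODES:
            return "filtered"
        # Assumption for this model: an ICMP message not listed in the table
        # is ignored, so the port ends up in the same bucket as no answer.
        return "open|filtered"
    raise ValueError(f"unknown response kind: {resp.kind!r}")


Target = Callable[[int, Set[int]], Response]


def bsd_like_target(port: int, listening: Set[int]) -> Response:
    """1996-era BSD-derived behaviour: drop the FIN/ACK when the port is open,
    answer with RST when it is closed."""
    return Response("none") if port in listening else Response("rst")


def rfc793_target(port: int, listening: Set[int]) -> Response:
    """RFC 793 behaviour seen on modern stacks: RST regardless of port state."""
    return Response("rst")


def scan(target: Target, ports: Iterable[int], listening: Set[int]) -> Dict[int, str]:
    """Run the modelled Maimon scan against one target and collect port states."""
    return {p: maimon_state(target(p, listening)) for p in ports}


if __name__ == "__main__":
    # Constructed sample: ports 22 and 80 are listening on the host.
    open_ports = {22, 80}
    print("BSD-like target :", scan(bsd_like_target, [22, 80, 81], open_ports))
    print("RFC 793 target  :", scan(rfc793_target, [22, 80, 81], open_ports))
```

Against the RFC 793 target every port comes back `closed`, which is exactly the "All 1000 scanned ports ... are: closed" line of Example 5.18; only the BSD-like target separates listening ports (`open|filtered`) from the rest.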
