Maimon Scan (`-sM`) with Nmap

Learn about the Maimon Scan (-sM) with Nmap, a stealthy way to detect open and closed ports.

Introduction to Nmap and Maimon Scan (-sM)

Nmap (Network Mapper) is a powerful open-source tool used for network discovery and security auditing. It provides various scanning techniques to detect live hosts, open ports, and running services. One of the lesser-known but useful scan types in Nmap is the Maimon Scan (-sM).

The Maimon Scan is designed to exploit an obscure behavior in the TCP stack of some systems, making it a stealthy way to detect open and closed ports. This article explores the technical details, usage scenarios, advantages, and limitations of Maimon scanning with Nmap.

What is the Maimon Scan?

The Maimon Scan is named after Uriel Maimon, who described the technique in a 1996 paper. It is a variation of the NULL Scan that sends TCP packets with the FIN and ACK flags set together to tell open ports from closed ones.

Normally, when a packet with the FIN flag is sent to a closed port, a system following the TCP/IP specification replies with a RST (reset) packet. When a FIN/ACK packet is sent instead, some operating systems, particularly older BSD-based systems, do not respond at all if the port is open. This difference lets the scanner distinguish open from closed ports without ever completing a TCP connection, which makes it a relatively stealthy scan method.

How Does the Maimon Scan Work?

The scan relies on different responses based on the target’s TCP stack implementation:

  • Closed Port Response: The target responds with a RST (reset) packet, indicating the port is closed.
  • Open Port Response: The target does not respond if the port is open (on some BSD-derived systems). A firewall that silently drops the probe produces the same silence, so no response cannot be taken as proof of an open port.

Since this method does not establish a full TCP handshake, it is considered a stealth scan and may evade certain intrusion detection systems (IDS).

Running a Maimon Scan with Nmap

To perform a Maimon Scan with Nmap, you can use the following syntax:

nmap -sM <target>

For example, scanning a specific host (192.168.1.100):

nmap -sM 192.168.1.100

To scan a specific range of ports:

nmap -sM -p 20-100 192.168.1.100

To increase verbosity and get more details:

nmap -sM -p 80,443 -v 192.168.1.100

To use aggressive timing for faster results:

nmap -sM -T4 192.168.1.100

When to Use the Maimon Scan

The Maimon Scan is particularly useful in:

  1. Stealthy Network Reconnaissance: Since the scan does not complete a TCP handshake, it is less likely to trigger alarms on IDS and IPS.
  2. Detecting Open Ports on Older Systems: Some older BSD-based systems do not reply to FIN/ACK packets if a port is open, making this scan effective.
  3. Bypassing Firewalls and Filters: Certain firewall configurations might not recognize the FIN/ACK flag combination, allowing the scan to pass through undetected.

Limitations and Drawbacks

Despite its advantages, the Maimon Scan has several limitations:

  1. Limited Effectiveness on Modern Systems: Most modern operating systems follow standardized TCP/IP implementations, making the scan less useful today.
  2. Blocked by Some Firewalls: Some firewalls drop TCP packets with unusual flag combinations, reducing the scan’s effectiveness.
  3. Detection by IDS/IPS Systems: While stealthier than SYN or full connect scans, IDS systems with modern signatures can still detect Maimon Scans.
  4. Ineffective Against Certain Hosts: If the target system properly adheres to RFC standards, it will respond with a reset (RST) packet to all probes, making Maimon Scan behave similarly to a FIN scan.

Comparing Maimon Scan with Other Scan Types

Scan Type          Packet Flags    Response from Open Port           Response from Closed Port  Stealth Level
-----------------  --------------  -------------------------------  -------------------------  -----------------------
SYN Scan (-sS)     SYN             SYN/ACK (then RST from scanner)  RST                        High
FIN Scan (-sF)     FIN             No response                      RST                        High
NULL Scan (-sN)    No flags        No response                      RST                        High
Xmas Scan (-sX)    FIN, PSH, URG   No response                      RST                        High
Maimon Scan (-sM)  FIN/ACK         No response (if vulnerable)      RST                        High (but OS-dependent)
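The following is an added example, not code from the article or from Nmap, that models the two behaviours the "How Does the Maimon Scan Work?" section and the comparison table describe: how an RFC 793 stack and a BSD-derived stack answer each probe type, and how Nmap's reference guide maps each reply onto a reported port state. The stack names "rfc793" and "bsd", the helper names, and the simplified reply model (no retransmissions, no rate limiting) are assumptions made for the illustration; the state labels (open, closed, filtered, open|filtered) are the ones Nmap documents.

```python
"""Model probe replies per TCP stack and map them to Nmap's port states.

Added example; the stack model is simplified and the names are assumed.
Nmap's documented rule for FIN/NULL/Xmas/Maimon scans is that only a RST is
conclusive, so silence is reported as open|filtered rather than open.
"""

# Flags each Nmap scan type sets in its probe (S=SYN, A=ACK, F=FIN, P=PSH, U=URG).
PROBE_FLAGS = {
    "sS": {"S"},
    "sF": {"F"},
    "sN": set(),
    "sX": {"F", "P", "U"},
    "sM": {"F", "A"},
}

# Constructed marker for an ICMP destination-unreachable reply.
ICMP_UNREACHABLE = "icmp-unreachable"


def reply_to_probe(stack, port_open, flags):
    """Return the reply a host sends: 'SA', 'RST', ICMP_UNREACHABLE or None.

    stack is 'rfc793' (strictly compliant) or 'bsd' (Maimon quirk present).
    """
    if not port_open:
        return "RST"  # a closed port resets every unexpected segment
    if "S" in flags and "A" not in flags:
        return "SA"  # a listener answers a bare SYN with SYN/ACK
    if "A" in flags:
        # RFC 793, LISTEN state: any segment carrying ACK gets a RST.
        # BSD-derived stacks instead drop it silently, which is the quirk
        # the Maimon scan relies on.
        return None if stack == "bsd" else "RST"
    return None  # FIN, NULL and Xmas probes are dropped by an open port


def classify(scan, reply):
    """Map a reply onto the port state Nmap reports for that scan type."""
    if reply == ICMP_UNREACHABLE:
        return "filtered"
    if scan == "sS":
        return {"SA": "open", "RST": "closed", None: "filtered"}[reply]
    if scan in ("sF", "sN", "sX", "sM"):
        # Silence may be an open port on a quirky stack or a firewall drop.
        return {"RST": "closed", None: "open|filtered"}[reply]
    raise ValueError(f"unknown scan type {scan!r}")


def simulate(scan, stack, port_open):
    """End-to-end: probe flags -> host reply -> state Nmap would print."""
    return classify(scan, reply_to_probe(stack, port_open, PROBE_FLAGS[scan]))


if __name__ == "__main__":
    for stack in ("bsd", "rfc793"):
        for scan in PROBE_FLAGS:
            print(f"{stack:7} {scan}: open port -> {simulate(scan, stack, True):14}"
                  f" closed port -> {simulate(scan, stack, False)}")
```

Running the block prints the matrix behind the table above: against the "bsd" stack a Maimon probe to an open port yields open|filtered, but against the "rfc793" stack the same open port answers with a RST and is reported as closed, which is the limitation the article notes for RFC-compliant hosts.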

Detecting Maimon Scans

While Maimon Scans attempt to be stealthy, network administrators can detect them using the following methods:

  1. Intrusion Detection Systems (IDS): Modern IDS tools, like Snort and Suricata, have signatures to detect unusual TCP flag combinations.
  2. Firewall Rules: Configuring firewalls to drop packets with non-standard flag settings can block Maimon Scans.
  3. System Log Monitoring: Checking system logs for unusual FIN/ACK combinations can help identify scanning attempts.
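As an added example of the log-monitoring approach (not code from the article or from any IDS product), the script below scans a constructed packet log for FIN/ACK segments that belong to no flow in which a SYN was ever seen, and groups the hits by source address. The log format ("timestamp src:port > dst:port flags=XX"), the sample lines, the function names and the three-port threshold are all assumptions made for the illustration; a production detector would take the same decision from conntrack state or a Zeek/Suricata flow record rather than a text log.

```python
"""Flag Maimon-style FIN/ACK probes that arrive outside any handshake.

Added example; the log format, sample data and threshold are assumed.
A FIN/ACK on a flow that never carried a SYN has no legitimate origin, so a
single source sending such segments to several ports is worth alerting on.
"""
from collections import defaultdict

# Constructed sample log (not a real capture). Lines 1-4 are a normal
# connection to port 80 that ends with a legitimate FIN/ACK; lines 5-8 are
# bare FIN/ACK probes to four ports with no preceding handshake.
SAMPLE_LOG = """\
1.000 10.0.0.5:40000 > 10.0.0.9:80 flags=S
1.001 10.0.0.9:80 > 10.0.0.5:40000 flags=SA
1.002 10.0.0.5:40000 > 10.0.0.9:80 flags=A
1.500 10.0.0.5:40000 > 10.0.0.9:80 flags=FA
2.000 10.0.0.7:51000 > 10.0.0.9:22 flags=FA
2.001 10.0.0.7:51000 > 10.0.0.9:25 flags=FA
2.002 10.0.0.7:51000 > 10.0.0.9:80 flags=FA
2.003 10.0.0.7:51000 > 10.0.0.9:443 flags=FA
"""


def parse_line(line):
    """Split one assumed-format log line into its fields."""
    ts, src, _arrow, dst, flags = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return float(ts), sip, int(sport), dip, int(dport), set(flags.split("=", 1)[1])


def find_finack_probes(log_text):
    """Return {source_ip: sorted dst ports} for FIN/ACKs with no prior SYN."""
    handshaked = set()            # flows in which a SYN was observed
    suspects = defaultdict(set)   # source ip -> ports hit by orphan FIN/ACKs
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, sip, sport, dip, dport, flags = parse_line(line)
        # Direction-independent flow key so the SYN/ACK reply marks the same flow.
        flow = frozenset({(sip, sport), (dip, dport)})
        if "S" in flags:
            handshaked.add(flow)
            continue
        if flags == {"F", "A"} and flow not in handshaked:
            suspects[sip].add(dport)
    return {ip: sorted(ports) for ip, ports in suspects.items()}


def maimon_sweep_sources(log_text, min_ports=3):
    """Keep only sources whose orphan FIN/ACKs touched at least min_ports ports."""
    return {ip: ports for ip, ports in find_finack_probes(log_text).items()
            if len(ports) >= min_ports}


if __name__ == "__main__":
    for ip, ports in maimon_sweep_sources(SAMPLE_LOG).items():
        print(f"possible Maimon sweep from {ip}: ports {ports}")
```

On the sample data the legitimate FIN/ACK from 10.0.0.5 is ignored because its flow carried a SYN, while 10.0.0.7 is reported for ports 22, 25, 80 and 443. The threshold matters: a single orphan FIN/ACK can be a stale segment from a connection that predates the log, whereas the same source hitting several ports in quick succession is the pattern that distinguishes a sweep.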

Best Practices for Ethical Use

When using Maimon Scans, consider the following ethical guidelines:

  • Obtain Permission: Scanning networks without authorization is illegal in many jurisdictions.
  • Use in Controlled Environments: Perform scans in a lab environment or on networks you own or have permission to test.
  • Follow Responsible Disclosure: If vulnerabilities are found, responsibly report them to the system owner.

Conclusion

The Maimon Scan (-sM) is a lesser-known but effective Nmap scanning technique that leverages TCP stack inconsistencies to detect open ports stealthily. While its effectiveness has diminished on modern systems, it remains a valuable tool for ethical penetration testers and network administrators in specific scenarios.

Understanding the nuances of Maimon scanning and when to use it can enhance network reconnaissance capabilities while ensuring responsible and ethical security practices.