NULL Scan (`-sN`) with Nmap

In this article, we delve into the mechanics of NULL scanning, how it works in Nmap, its advantages and limitations, and best practices for using it effectively.

by İbrahim Korucuoğlu ( @siberoloji) | Saturday, March 29, 2025

Categories:

4 minute read

Introduction

Nmap (Network Mapper) is one of the most powerful and widely used network scanning tools. Among its numerous scanning techniques, NULL scan (-sN) is particularly useful for identifying open ports on a target system while remaining stealthy. Unlike standard scans that send SYN or ACK packets, a NULL scan manipulates the TCP flags to evade detection by firewalls and intrusion detection systems (IDS).

This article explores the mechanics of NULL scanning, how it works in Nmap, its advantages and limitations, and best practices for using it effectively.

What is a NULL Scan?

A NULL scan is a type of TCP scan where no flags are set in the TCP header. This means that the packet sent to the target does not indicate any intent (such as initiating a connection or acknowledging data). The way a target system responds to this packet can reveal whether a port is open, closed, or filtered.

How NULL Scans Work

NULL scans rely on the behavior of TCP/IP stack implementations. When a TCP packet with no flags set is sent to a target, the response depends on how the target OS handles such packets. The behavior is governed by the TCP RFC 793 standard:

Closed ports: If a closed port receives a NULL scan packet, the target responds with a RST (Reset) packet.
Open ports: If an open port receives a NULL scan packet, there is no response (this is due to how certain OS implementations follow the RFC standard).
Filtered ports: If a firewall or packet filtering device is in place, the packet may be dropped, resulting in no response as well.

Since different operating systems may handle NULL scan packets differently, this scan is particularly useful for OS fingerprinting and reconnaissance.

Running a NULL Scan in Nmap

To perform a NULL scan using Nmap, the syntax is:

nmap -sN <target>

For example:

nmap -sN 192.168.1.1

Using NULL Scan with Other Options

NULL scans can be combined with other options for better effectiveness:

Aggressive timing for faster scanning:
```
nmap -sN -T4 192.168.1.1
```
The -T4 option speeds up the scan, but may be more detectable.
Scanning a specific range of ports:
```
nmap -sN -p 20-100 192.168.1.1
```
This limits the scan to ports 20-100.
Using a list of targets:
```
nmap -sN -iL targets.txt
```
This reads multiple targets from a file.
Increasing stealth with decoy scanning:
```
nmap -sN -D RND:5 192.168.1.1
```
This sends packets from multiple spoofed IPs to mask the real source.

Advantages of NULL Scanning

1. Stealthy Reconnaissance

NULL scans do not set SYN or ACK flags, making them less likely to trigger alerts in firewalls or IDS that monitor standard connection attempts.

2. Bypassing Simple Firewalls

Some basic firewalls only filter SYN packets. Since NULL scans do not include SYN flags, they may slip through undetected.

3. Useful for OS Fingerprinting

Different operating systems handle NULL scans differently. For example:

Linux/Unix: Usually follows RFC 793 and does not send a response for open ports.
Windows: Does not adhere to RFC 793 and always responds with RST, making NULL scans ineffective.

Understanding these differences can help in identifying the target OS.

Limitations of NULL Scanning

1. Ineffective Against Windows Systems

Windows systems always respond with an RST for closed and open ports alike, making NULL scans useless.

2. Easily Blocked by Stateful Firewalls

Advanced firewalls and IDS can detect and drop NULL scan packets, rendering the scan ineffective.

3. No Distinction Between Filtered and Open Ports

If a firewall drops the NULL scan packets, the lack of response can be misleading, making it difficult to differentiate between an open port and a filtered port.

4. Can Be Logged by Security Tools

While NULL scans are stealthier than SYN scans, some modern security tools can still detect and log such unusual traffic patterns.

Best Practices for Using NULL Scans

Combine with Other Scan Types: NULL scans work best when used with SYN scans (-sS) or FIN scans (-sF) to get a clearer picture of the target network.
Use Against Unix-Based Systems: Since Windows does not support RFC 793 behavior, NULL scans should be targeted at Linux, BSD, or Unix-based machines.
Scan During Off-Peak Hours: To avoid detection, consider running scans at times when network monitoring is minimal.
Monitor Your Own Scans: Before deploying NULL scans on a real target, test it on a lab setup to see how IDS/IPS solutions detect it.
Use Decoy Scanning: To obscure your real IP address, use the -D option in Nmap to introduce decoys.

Conclusion

NULL scanning (-sN) is a valuable reconnaissance technique in Nmap, providing stealthy port scanning capabilities. While it can bypass simple firewalls and is useful for OS fingerprinting, it has limitations, particularly against Windows systems and stateful firewalls.

By combining NULL scans with other techniques and following best practices, security professionals and ethical hackers can gather crucial information about a target network while minimizing the risk of detection.

Feedback

Was this page helpful?

Glad to hear it! Please tell us how we can improve.

Sorry to hear that. Please tell us how we can improve.

< UDP Scan (`-sU`) with Nmap FIN Scan (`-sF`) with Nmap >