Xmas Tree Scan (`-sX`) with Nmap

Learn about the Xmas Tree Scan (-sX) with Nmap, a powerful tool for identifying open ports and analyzing firewall rules.

by İbrahim Korucuoğlu ( @siberoloji) | Saturday, March 29, 2025

Categories:

4 minute read

Introduction to Nmap and Xmas Tree Scans

Nmap (Network Mapper) is a powerful open-source tool used for network discovery and security auditing. Among its many scanning techniques, the Xmas Tree Scan (-sX) is a lesser-known but highly effective method for identifying open ports and analyzing firewall rules.

This article explores the Xmas Tree Scan in detail, covering how it works, when to use it, its advantages and limitations, and how to interpret its results.

Understanding the Xmas Tree Scan

What Is an Xmas Tree Scan?

An Xmas Tree Scan is a stealthy TCP scan technique that sends packets with multiple flags set, creating a packet that resembles a “Christmas tree” due to the various flags being lit up (set to 1). The scan takes advantage of how different operating systems and devices respond to abnormal TCP packets.

The flags set in an Xmas Tree Scan are:

FIN (Finish) – Signals the end of a communication session.
PSH (Push) – Instructs the receiving system to push the data to the application layer immediately.
URG (Urgent) – Marks the packet as containing urgent data.

This combination results in a packet that is not part of a legitimate TCP handshake, making it a useful technique for identifying open ports while evading some security defenses.

How Does It Work?

When an Xmas Tree Scan is executed, Nmap sends TCP packets with the FIN, PSH, and URG flags set. The target system’s response determines whether the port is open, closed, or filtered:

No response → The port is likely open (or filtered if a firewall is dropping packets).
RST (Reset) response → The port is closed.
ICMP unreachable message → The port is filtered (indicating a firewall is blocking it).

This behavior is defined in RFC 793 (Transmission Control Protocol specification) and depends on how different operating systems handle unexpected TCP packets.

Performing an Xmas Tree Scan with Nmap

Basic Syntax

To perform an Xmas Tree Scan using Nmap, the command syntax is:

nmap -sX <target>

Example:

nmap -sX 192.168.1.1

This will scan the target IP using the Xmas Tree method.

Scanning a Specific Port Range

By default, Nmap scans the most commonly used 1000 ports. You can specify a custom range like this:

nmap -sX -p 20-100 192.168.1.1

This restricts the scan to ports 20 through 100.

Running with Additional Options

To increase verbosity and see more detailed results:

nmap -sX -v 192.168.1.1

For service detection on open ports:

nmap -sX -sV 192.168.1.1

To bypass DNS resolution (useful for faster scans):

nmap -sX -n 192.168.1.1

To scan multiple targets:

nmap -sX 192.168.1.1,192.168.1.2

When to Use an Xmas Tree Scan

Advantages

Stealthy Nature: Since the scan does not initiate a full TCP handshake, it is less likely to be logged by security systems compared to traditional SYN or Connect scans.
Bypassing Some Firewalls and IDS: Some older intrusion detection systems (IDS) and firewalls do not properly detect Xmas Tree Scans, allowing them to pass through undetected.
Useful Against Certain Systems: Some operating systems (especially older versions of Unix-based systems) respond predictably to Xmas scans, allowing for fingerprinting and network reconnaissance.

Limitations

Ineffective Against Windows Systems: Most Windows-based systems automatically drop packets with unusual flag combinations (such as those in Xmas scans), making this method ineffective against them.
Easily Blocked by Modern Firewalls: Modern intrusion prevention systems (IPS) and firewalls recognize and block Xmas Tree Scan packets.
No Reliable Open Port Confirmation: Since an open port does not respond, there is no absolute confirmation that the port is open, as firewalls could also be dropping the packets.

Interpreting Xmas Tree Scan Results

Example Output

Starting Nmap 7.94 ( https://nmap.org ) at 2025-03-27 10:45 UTC
Nmap scan report for 192.168.1.1
Host is up (0.0021s latency).
PORT     STATE    SERVICE
22/tcp   open|filtered  ssh
80/tcp   open|filtered  http
443/tcp  closed  https

What Does This Mean?

Open|filtered → The port is either open or a firewall is blocking responses.
Closed → The system actively rejects connections with a reset (RST) packet.

To confirm open ports, a different scan technique (such as a SYN scan) should be used in combination with an Xmas Tree Scan.

Comparing Xmas Tree Scan to Other Scan Types

Scan Type	TCP Flags Set	Stealth Level	Works Against Windows?	Port Detection Accuracy
SYN Scan (`-sS`)	SYN	High	Yes	High
Connect Scan (`-sT`)	SYN, ACK	Low	Yes	High
Xmas Tree Scan (`-sX`)	FIN, PSH, URG	Medium	No	Medium
Null Scan (`-sN`)	None	Medium	No	Medium
FIN Scan (`-sF`)	FIN	Medium	No	Medium

Conclusion

The Xmas Tree Scan (-sX) in Nmap is a powerful and stealthy method for port scanning, particularly useful in evading basic IDS/IPS systems. However, it is not effective against Windows machines and modern security mechanisms. When combined with other scanning techniques, it can provide valuable reconnaissance data for ethical hacking and penetration testing.

Understanding its strengths and limitations is crucial for using it effectively. If you are performing network security assessments, always obtain proper authorization before scanning any network.

Would you like a follow-up article on advanced Nmap scanning techniques or bypassing modern firewalls?

Feedback

Was this page helpful?

Glad to hear it! Please tell us how we can improve.

Sorry to hear that. Please tell us how we can improve.

< FIN Scan (`-sF`) with Nmap Nmap ACK Scan >