I have just finished the AIO CEH book and am working with some of the tools and scans mentioned in the book.

In the book, it is mentioned that an Nmap Null scan (-sN) does not work on Windows, because it does not conform to an RFC. Yet it says that Linux does conform to this RFC and therefor a Null scan will work on Linux.

To test this I fired up a Windows XP and 2003 VM, and metasploitable. I then started Wireshark and did a Null scan on each one.

A Null scan is not supposed to return a reset packet when the port is open, and it will return one when a port is closed.  This should tell you what ports are open. The book says this scan will not work with Windows and that it was designed for Linux boxes.  No matter what OS I scan, RST packets ARE returned. Also, no ports are shown as open on any box, even when there ARE open ports.

Here is an output sample of a Linux box:
All 1000 scanned ports on Dalobo's-PC (192.168.56.41) are open|filtered

Am I misunderstanding something here? Shouldn't the Windows box not return any RST packets thus showing all ports as open?  Why does the linux box not show any open ports? Why is Windows sending RST packets?

Any help would be greatly appreciated.

But Windows is sending RST packets and listing all ports as open.  That is where I am confused.

I am reading that link now...

Thanks,

Dalobo

Initially you said they were all closed and that you were receiving RST packets not so?

Keep in mind that open|filtered means no response received(even after retransmissions)

I just scanned(NULL scan) my XP SP3 machine I receive all ports closed. How are you running nmap?

The behavior I see on my end is consistent with the RFC. I have ports 139,135,445 open. When I perform a NULL scan against XP SP 3, nmap labels all ports as closed and does send back an RST.

 I am receiving open|filtered.