In the book, it is mentioned that an Nmap Null scan (-sN) does not work on Windows, because it does not conform to an RFC. Yet it says that Linux does conform to this RFC and therefore a Null scan will work on Linux.
To test this I fired up a Windows XP and 2003 VM, and metasploitable. I then started Wireshark and did a Null scan on each one.
A Null scan is not supposed to return a reset packet when the port is open, and it will return one when a port is closed. This should tell you what ports are open. The book says this scan will not work with Windows and that it was designed for Linux boxes. No matter what OS I scan, RST packets ARE returned. Also, no ports are shown as open on any box, even when there ARE open ports.
Here is an output sample of a Linux box:
All 1000 scanned ports on Dalobo's-PC (192.168.56.41) are open|filtered
Am I misunderstanding something here? Shouldn't the Windows box not return any RST packets, thus showing all ports as open? Why does the Linux box not show any open ports? Why is Windows sending RST packets?
Any help would be greatly appreciated.
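The following is an added example, not part of the original question: it models the RFC 793 rule a Null scan depends on (closed port answers RST, open port stays silent), the verdict Nmap derives from each reply, a constructed "RST on every probe" host of the kind the post reports for Windows, and a small defender-side check that spots flagless TCP segments in a packet log. The host models, the `SAMPLE_LOG` records and the addresses other than 192.168.56.41 are constructed for illustration.

```python
"""Added example (not from the original post). Models the RFC 793 rule a
Null scan depends on, the Nmap verdict derived from each reply, and a
defender-side detector for Null-scan probes in a constructed packet log."""
from collections import defaultdict

# Standard TCP flag bits
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def rfc793_reply(port_open, probe_flags):
    """Reply flags of an RFC 793 stack to a segment with no SYN, ACK or RST set:
    closed port -> RST; open port -> segment silently dropped (None)."""
    if probe_flags & (SYN | ACK | RST):
        raise ValueError("only SYN/ACK/RST-free probes are modelled")
    return None if port_open else RST | ACK


def rst_always_reply(port_open, probe_flags):
    """Constructed model of a stack that answers every such probe with RST,
    the behaviour the post reports for Windows; port state is ignored."""
    return RST | ACK


def nmap_verdict(reply_flags):
    """Nmap's interpretation of the reply to a Null/FIN/Xmas probe."""
    if reply_flags is None:
        return "open|filtered"  # no answer: open, or a filter dropped the probe
    if reply_flags & RST:
        return "closed"
    return "unexpected"


def scan_host(reply_fn, open_ports, ports):
    """Null-scan (flags=0) a modelled host; return {port: verdict}."""
    return {p: nmap_verdict(reply_fn(p in open_ports, 0)) for p in ports}


# --- defender side: spot Null-scan probes in a packet log ----------------
# Constructed records: (src, dst, dst_port, tcp_flags)
SAMPLE_LOG = [
    ("192.168.56.1", "192.168.56.41", 22, 0),
    ("192.168.56.1", "192.168.56.41", 80, 0),
    ("192.168.56.1", "192.168.56.41", 443, 0),
    ("192.168.56.1", "192.168.56.41", 3306, 0),
    ("192.168.56.1", "192.168.56.41", 8080, 0),
    ("192.168.56.1", "192.168.56.41", 5900, 0),
    ("192.168.56.41", "192.168.56.1", 22, RST | ACK),
    ("192.168.56.7", "192.168.56.41", 80, SYN),          # ordinary connection
    ("192.168.56.41", "192.168.56.7", 80, SYN | ACK),
]


def find_null_scans(records, min_ports=5):
    """Group flagless TCP segments by (src, dst); a source that sent them to
    at least min_ports distinct ports on one host is reported."""
    seen = defaultdict(set)
    for src, dst, dport, flags in records:
        if flags == 0:  # a legitimate TCP segment always carries at least one flag
            seen[(src, dst)].add(dport)
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_ports}


if __name__ == "__main__":
    ports = [22, 80, 443, 3306]
    print("RFC 793 host:   ", scan_host(rfc793_reply, {22, 80}, ports))
    print("RST-always host:", scan_host(rst_always_reply, {22, 80}, ports))
    print("Null-scan sources:", find_null_scans(SAMPLE_LOG))
```

Running it shows the two outcomes the question contrasts: against the RFC 793 model, open ports come back as `open|filtered` and closed ones as `closed`, while the RST-on-everything model reports every port as `closed`, which is why a Null scan cannot distinguish port states on such a host. The detector side relies on the fact that no legitimate TCP segment has all flags clear, so a burst of flagless segments from one source to many ports on one host is a strong indicator of a Null scan in progress.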