Compare the scanning techniques -sN, -sF, and -sX in terms of the TCP flags they send and the typical OS behavior they exploit.


Multiple Choice


Explanation:

These scan types rely on how TCP handles unusual flag combinations and how different operating systems' TCP stacks respond. The null scan is a probe with no TCP flags set. Because there are no flags to indicate a desired action, many stacks don’t generate a meaningful response for an open port, while a closed port often responds with a reset. Fingerprinting relies on this difference in reaction across systems.

The FIN scan sends a FIN packet, which in normal TCP would indicate the end of an established connection. For open ports, many stacks simply ignore the FIN, giving no reply; for closed ports, a RST is commonly returned. The variation in responses among different OS implementations and firewall rules again helps identify the target.

The Xmas scan (named for the Christmas-tree-like set of flags) uses FIN together with PSH and URG. This unusual combination tends to provoke similar divergent behavior: closed ports typically yield a RST, while open ports may ignore the packet. Firewalls and some OS stacks may respond differently to this odd packet, providing additional fingerprinting signals.

So the best answer describes the exact flags each scan sends—NULL (no flags), FIN, and FIN+PSH+URG—along with the fact that different OSes and firewalls respond differently to these probes, enabling network fingerprinting.
