What type of scan is indicated by the presence of URG, FIN, and PSH flags being set during a penetration test?

The presence of URG, FIN, and PSH flags being set during a penetration test indicates that the scan is an Xmas scan. In networking, an Xmas scan is a type of stealth port scan used to identify open, closed, or filtered ports on a target system. The scan gets its name because it sends TCP packets with these three flags lit up, which can illuminate the state of the various ports much like the lights on a Christmas tree.

When a host receives such a packet, it may respond differently based on the state of its ports. Open ports typically do not respond, closed ports will usually respond with a RST (reset) packet, and filtered ports may not respond at all or could respond with an ICMP message indicating the destination is unreachable. This behavior enables a penetration tester to glean important information about the security posture of the network without establishing a full connection, thus helping evade detection by intrusion detection systems.

Other scan types listed do not match the characteristic flags of an Xmas scan. A SYN scan primarily uses only the SYN flag to probe ports, while an ACK scan employs the ACK flag, and a TCP flag scan generally refers to various non-specific flag manipulations that don’t accurately identify this specific combination of flags.