Christmas Tree Attack – CompTIA Security+ SY0-401: 3.2


By changing a few bits inside of a network packet, you can cause a number of things to occur. In this video, you’ll learn about Xmas tree attacks and you’ll see what happens when I run a Christmas tree attack against my own router.



A Christmas Tree Attack is a very well known attack that is designed to send a very specifically crafted TCP packet to a device on the network. This crafting of the packet is one that turns on a bunch of flags. There is some space set up in the TCP header, called flags. And these flags all are turned on or turned off, depending on what the packet is doing.

In the case of a Christmas tree attack, we’re turning on the Urgent, the Push, and the Fin flags. And you can see, here’s an example of a screenshot of Wireshark, where Urgent is set. The Fin is set. And Push is set. So we’ve got these three different bits that are set in here.

Now, normally, we wouldn’t see some of these combinations of bits being turned on or turned off inside of the packet. So it’s very unusual. And having so many of them there and having these 1s and 0s there means that this particular section of the flags of a TCP packet is lit up like a Christmas tree. And that’s where the name comes from.

It’s an odd combination. The interesting part is how do the remote devices respond when you send a Christmas tree attack to them? And how they respond might give you an idea about what’s on the other side of this. Different devices respond in different ways. So this may be a very good way to get some reconnaissance from a device.

Sometimes the device has no idea what to do. And you can slow down the device, because it has to really look through this and understand what’s going on. In my particular case, I ran this attack on my internal network as I was building this presentation. I ran it against the router that goes out to the internet. And, about two minutes later, the router rebooted. And I realized, that’s odd. That doesn’t happen with my router. My router is very, very reliable.

So I ran the Christmas tree attack again. Two minutes later, the router rebooted. I realized I had a router that was susceptible to this Christmas tree attack. And, granted, my router is a very, very old router. It’s one that was not doing the latest wireless technologies. It’s one that was, in fact, many, many, many years old. And I realized, at that point, it’s time to upgrade the router. I don’t expect anyone in my house to be doing a Christmas tree attack. But it spoke to the reliability of the router. So I upgraded the piece of hardware, so that it would not be susceptible to this attack.

We’re going to run an attack again in this video and see if we have the same problem. This is something that’s very, very easy to see, if you have an intrusion prevention system. They have signatures that are specifically designed to identify Christmas tree attacks when they’re going through your network. And if you have a packet capture device, like the one we’re going to run here, you can go through there and look at the packets themselves to see if there is this combination of bits turned on and turned off right inside the packet.

I’m going to use two tools to be able to show this attack, when it’s occurring, and to perform the attack itself. And, as a security professional, they are probably tools that you have already. The first one is Nmap which you can download from nmap.org or insecure.org. They go to the same place. That will be the scanning tool that I use to perform the Christmas tree scan, the Christmas tree attack against this router that I have in my environment.

We’re also going to use Wireshark. Wireshark is a packet capture protocol analysis device. We’re going to capture packets in real time. And I’m going to see what the results are after the attack is over. So before we get started, let’s pull up our capture options. I’m going to go from my Ethernet port. And I’m just going to start up the packet captures on my network. And it’s going to start sending the packets back and forth behind the scenes. You can see that those are going.

And, in the meantime, I’m going to perform this Christmas tree scan, since I’m not running as root on my computer. I’m going to do a [INAUDIBLE], so I can run this Nmap scan as root. I may not have to do it for Christmas tree scan, but it’s become a standard thing that I do when I run an Nmap scan. The flag to perform a Christmas tree scan is -s and a capital X (`-sX`). And that’s the Christmas tree. That’s the scan for Christmas tree.

And I’m going to do it to 192.168.1.1, which is my router. When I hit Enter, it’s going to ask me for my password, since I’m asking to run as root for this, and I hit Enter. It’s going to perform the Christmas tree scan. And then it’s done. And it performed a lot of information and found a number of closed ports on this device. Some of them were open and filtered. Christmas tree can’t tell you if it was really open. But it knows that it did not get a response when it heard these particular ports come back.

Let’s look at our packet capture and see if we can see the exact flags that were inside the TCP packet when the scan ran.

I’ve now stopped my packet capture. I found a frame that is part of the Christmas tree scan. But we’re scanning, we’re sending these Christmas tree packets out to the router. And we’re sending a few thousand different scans. They’re all on different port numbers. So you’ll see it all coming from one port number. And it’s mixing up and randomizing the set of ports that it’s sending back and forth.

So we’ll just choose one of those. Let’s get rid of the hex decode down at the bottom, make it a little bit smaller. And let’s have a look at the scanning part itself, the TCP flags that we have here. We can see that we have a Reserve not set, Echo not set. Urgent is set. Push is set. Fin is set. So there are the flags (I’m going to move up a little bit so you can see where these flags are). This is in the frame going across the network. It’s an Ethernet frame with the MAC addresses of these two devices. It is an IP frame. You can see the IP addresses associated with this scan. And this is the TCP part of the frame. And in the TCP, you have, of course, source and destination ports.

And then, down here a little bit further, are all of the flags. And that’s where I’m seeing the flags associated with the Christmas tree scan. Quite a lot of information here. Obviously, if you were doing this by hand, by eye, with a human being, this could be very, very difficult to identify. It’s practically impossible to see this, with all of the other normal traffic going through your network. Which is why it’s so important that you have these intrusion prevention systems on both your network and your host, so if somebody is attacking a single machine and using some of these well-known methods, you’ll be able to see it alarm immediately.
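The check an intrusion prevention signature automates can be written down directly. The following is an added example, not part of the original video: it walks the same Ethernet, IP and TCP layers described above and reports sources that sent the Urgent/Push/Fin combination to several ports. The function names, the threshold, and the sample frames (including the scanner address 192.168.1.50) are constructed for illustration.

```python
import struct

# TCP flag bits (byte 13 of the TCP header)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
XMAS = FIN | PSH | URG

def parse_tcp(frame: bytes):
    """Return (src_ip, dst_ip, sport, dport, flags) for Ethernet/IPv4/TCP, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # EtherType must be IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                              # IP header length in bytes
    if ip[0] >> 4 != 4 or ihl < 20 or ip[9] != 6 or len(ip) < ihl + 14:
        return None
    if struct.unpack("!H", ip[6:8])[0] & 0x1FFF:          # later fragment: no TCP header
        return None
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    dotted = lambda b: ".".join(map(str, b))
    return dotted(ip[12:16]), dotted(ip[16:20]), sport, dport, tcp[13]

def is_xmas(flags: int) -> bool:
    """True when FIN, PSH and URG are set and SYN, RST and ACK are clear."""
    return flags & (FIN | SYN | RST | PSH | ACK | URG) == XMAS

def xmas_sources(frames, threshold=3):
    """Map (src, dst) -> probed ports for sources hitting >= threshold distinct ports."""
    seen = {}
    for frame in frames:
        p = parse_tcp(frame)
        if p and is_xmas(p[4]):
            seen.setdefault((p[0], p[1]), set()).add(p[3])
    return {k: sorted(v) for k, v in seen.items() if len(v) >= threshold}

def build_frame(src, dst, sport, dport, flags):
    """Constructed sample frame; checksums are zero because the parser ignores them."""
    addr = lambda s: bytes(map(int, s.split(".")))
    eth = bytes(12) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0, addr(src), addr(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 1024, 0, 0)
    return eth + ip + tcp

# Constructed capture: three Xmas probes at the router plus ordinary traffic.
SAMPLE = [build_frame("192.168.1.50", "192.168.1.1", 40000, port, XMAS)
          for port in (443, 22, 80)]
SAMPLE.append(build_frame("192.168.1.20", "192.168.1.1", 51000, 80, PSH | ACK))
SAMPLE.append(build_frame("192.168.1.20", "192.168.1.1", 51001, 443, SYN))

if __name__ == "__main__":
    for (src, dst), ports in xmas_sources(SAMPLE).items():
        print(f"Xmas tree scan: {src} -> {dst}, ports {ports}")
```

The same test can be applied in Wireshark with the display filter `tcp.flags.fin == 1 && tcp.flags.push == 1 && tcp.flags.urg == 1`.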

Also, as a followup, I was able to keep a ping going to my router the entire time that I’ve been doing this video. So now I can be assured that a Christmas tree scan is not going to bring down my brand new router. That’s something you need to keep in mind. If somebody is performing these scans on your network and they’re causing systems to go offline or causing a denial of service situation, then you may need to get updated firmware. You may need to get updated hardware. Or find out what you can do to prevent somebody in your network from causing a denial of service to your very, very important systems.