During a penetration test, what type of scan is indicated by flags URG, FIN, and PSH being set?

Test your knowledge and grow your confidence for the CISSP Domain 6 Security Assessment and Testing Exam with our insightful quiz. Explore multiple-choice questions, hints, and explanations to excel in your exam preparations.

The presence of the URG, FIN, and PSH flags set in a TCP packet indicates a Christmas tree scan, a technique utilized primarily during penetration testing to identify open ports on a target system. This type of scan works by sending TCP packets with a combination of various flags set to probe the target.

When the probe reaches a closed port, the target responds with a RST (reset) packet. If the port is open, it typically does not respond, or it may respond with a TCP segment that has a flag other than the ones set in the probe, indicating that the port is indeed open. Essentially, the Christmas tree scan seeks to illuminate the "tree" of the target system by lighting up various flags, hence the name. It can bypass some firewall rules and is often less detectable than other scanning methods.

This method can be particularly effective against systems that do not adhere strictly to the TCP specifications or possess certain peculiarities in how they handle TCP flags. The combined use of the URG, FIN, and PSH flags creates a unique packet signature that can be used to assess the security posture of the target system without alerting it as much as a standard scan might.
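The flag signature described above is also what a defender matches on. The following added example (not part of the original page) parses raw TCP headers, flags segments carrying exactly FIN, PSH and URG, and reports sources that probe several ports that way. The function names, the `min_ports` threshold and the sample headers are assumptions constructed for illustration.

```python
import struct
from collections import defaultdict

# TCP flag bits as laid out in byte 13 of the TCP header.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
XMAS = FIN | PSH | URG  # 0x29: the combination named in the question

def tcp_flags(header: bytes) -> tuple[int, int]:
    """Return (destination port, flag bits) from a raw TCP header."""
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    _sport, dport, _seq, _ack, _off, flags = struct.unpack("!HHIIBB", header[:14])
    return dport, flags & 0x3F  # mask off ECE/CWR, keep the six classic flags

def is_xmas(flags: int) -> bool:
    # Exact match: legitimate traffic sets FIN/PSH together with ACK.
    return flags == XMAS

def xmas_scan_sources(segments, min_ports=3):
    """segments: iterable of (src_ip, raw_tcp_header).
    Returns {src_ip: sorted ports} for sources that sent FIN+PSH+URG
    probes to at least min_ports distinct ports (hypothetical threshold)."""
    ports = defaultdict(set)
    for src, header in segments:
        try:
            dport, flags = tcp_flags(header)
        except ValueError:
            continue  # skip malformed captures instead of aborting
        if is_xmas(flags):
            ports[src].add(dport)
    return {s: sorted(p) for s, p in ports.items() if len(p) >= min_ports}

def _hdr(dport, flags, sport=40000):
    """Build a constructed 20-byte TCP header for the sample data."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 1024, 0, 0)

# Constructed sample capture (documentation address ranges).
SAMPLE = [
    ("192.0.2.10", _hdr(22, XMAS)),
    ("192.0.2.10", _hdr(80, XMAS)),
    ("192.0.2.10", _hdr(443, XMAS)),
    ("198.51.100.7", _hdr(443, PSH | ACK)),  # ordinary data segment
    ("198.51.100.7", _hdr(443, FIN | ACK)),  # ordinary connection close
    ("203.0.113.5", _hdr(25, XMAS)),         # one probe only, below threshold
    ("203.0.113.9", b"\x00" * 8),            # truncated header
]

if __name__ == "__main__":
    print(xmas_scan_sources(SAMPLE))
```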
