Stealth Scanning Explained

Some port scans are easier to detect than others, so defenders need to know about these TCP flags that allow attackers to make their port scans difficult to detect.

In a FIN scan, you send a packet with the FIN flag set and do not expect a response. If you do get an RST, you can assume that the port is closed. If you get nothing back, that indicates the port is open. Firewalls are looking for SYN packets, so FIN packets slip through undetected.

The X-MAS scan sends a packet with the FIN, URG, and PUSH flags and expects an RST or no response, just like the FIN scan. There isn’t much practical use for this scan, but it does make the packet resemble a Christmas tree, so there is that.

You can also send packets with no flags, called a NULL packet, and the response is either an RST or nothing.

The good thing – for the hacker – about these scans is that they don’t usually show up in logs. More recent Intrusion Detection Systems (IDS) and, of course, Wireshark will catch these scans. The bad news is that if the target is a Microsoft OS, you will only see closed ports – but if you do find an open port, you can assume that it’s not a Windows machine. The most significant advantage of using these flags is that they can slip past firewalls, which makes the results more reliable.
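The check an IDS applies to catch the three scans described above can be sketched as follows. This is an added example, not code from the original page; the function names, the `min_ports` threshold and the sample packet records are assumptions constructed for illustration.

```python
from collections import defaultdict
from typing import Optional

# TCP flag bits as laid out in the TCP header.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

def classify_flags(flags: int) -> Optional[str]:
    """Name the scan type a TCP flags byte matches, or None for anything else."""
    flags &= 0x3F  # ignore the ECE/CWR congestion bits
    if flags == 0:
        return "NULL"
    if flags == FIN:  # a normal connection close carries FIN together with ACK
        return "FIN"
    if flags == FIN | PSH | URG:
        return "XMAS"
    return None

def detect_scanners(packets, min_ports=3):
    """Return {src: {scan_type: [ports]}} for sources that probed at least
    min_ports distinct ports with one of the three flag patterns."""
    seen = defaultdict(lambda: defaultdict(set))
    for src, dport, flags in packets:
        kind = classify_flags(flags)
        if kind:
            seen[src][kind].add(dport)
    alerts = {}
    for src, kinds in seen.items():
        hits = {k: sorted(p) for k, p in kinds.items() if len(p) >= min_ports}
        if hits:
            alerts[src] = hits
    return alerts

# Constructed sample records: (source IP, destination port, TCP flags byte).
SAMPLE = [
    ("192.0.2.10", 22, FIN), ("192.0.2.10", 80, FIN), ("192.0.2.10", 443, FIN),
    ("192.0.2.20", 21, FIN | PSH | URG), ("192.0.2.20", 23, FIN | PSH | URG),
    ("192.0.2.20", 25, FIN | PSH | URG),
    ("192.0.2.30", 53, 0), ("192.0.2.30", 110, 0), ("192.0.2.30", 143, 0),
    # Ordinary session traffic: SYN, ACK and FIN+ACK must not be flagged.
    ("198.51.100.5", 443, SYN), ("198.51.100.5", 443, ACK),
    ("198.51.100.5", 443, FIN | ACK),
    ("198.51.100.9", 8080, FIN),  # one stray FIN stays below the threshold
]

if __name__ == "__main__":
    for src, hits in detect_scanners(SAMPLE).items():
        print(src, hits)
```

Matching on the exact flag byte rather than on "FIN is set" is what keeps normal FIN+ACK teardowns out of the alerts.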