NMAP port states explanation - TCP SYN -sS


I've always struggled with the various port states reported by nmap (http://nmap.org). Different scan types report different port states for listening but firewalled ports, listening accessible ports, not listening ports and so on.
To make my life easier I decided to create tables for the most common scan types. I armed myself with Wireshark and did some testing. I used Windows Firewall running on the scanned machine (called target) for the purpose of this lab.

  • Service State: Listening - means that there is a valid service listening on the scanned port
  • Service State: Not Listening - there is nothing on the scanned port
  • No Firewall column - firewall is off
  • Firewall column - scanned port is firewalled

In a SYN scan NMAP attempts to establish a half-open TCP connection (syn + syn,ack + rst,ack).

TCP SYN (-sS)

| Service State | No Firewall | Firewall |
|---|---|---|
| Listening | State: Open. Packets: nmap: SYN; target: SYN,ACK; nmap: RST | State: Filtered. Packets: nmap: SYN; target: (no reply); nmap: SYN |
| Not Listening | State: Closed. Packets: nmap: SYN; target: RST,ACK | State: Closed. Packets: nmap: SYN; target: RST,ACK |
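As an added example (not part of the original post), the Python below replays a constructed packet trace in the same sender/flags form as the table and derives the state each reply pattern maps to. It also flags the half-open pattern (SYN,ACK answered with RST instead of ACK) that stands out when reviewing a capture. The trace, port numbers and function names are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed trace, not captured in the original lab: (sender, target port, TCP flags)
TRACE = [
    ("nmap", 80, "SYN"), ("target", 80, "SYN,ACK"), ("nmap", 80, "RST"),
    ("nmap", 445, "SYN"), ("nmap", 445, "SYN"),  # no reply, probe sent again
    ("nmap", 81, "SYN"), ("target", 81, "RST,ACK"),
    ("nmap", 22, "SYN"), ("target", 22, "SYN,ACK"), ("nmap", 22, "ACK"),  # contrast: handshake completed
]

def group_by_port(trace):
    """Split the trace into per-port lists of (sender, flag set), keeping packet order."""
    ports = defaultdict(list)
    for sender, port, flags in trace:
        ports[port].append((sender, frozenset(flags.split(","))))
    return ports

def port_states(trace, scanner="nmap"):
    """State reported per probed port, using the reply-to-state mapping in the table."""
    states = {}
    for port, packets in group_by_port(trace).items():
        if (scanner, frozenset({"SYN"})) not in packets:
            continue  # port was never probed with a bare SYN
        replies = [flags for sender, flags in packets if sender != scanner]
        if frozenset({"SYN", "ACK"}) in replies:
            states[port] = "open"
        elif any("RST" in flags for flags in replies):
            states[port] = "closed"
        else:
            states[port] = "filtered"  # nothing came back from the target
    return states

def half_open_ports(trace, scanner="nmap"):
    """Ports where the target's SYN,ACK was answered with RST and never with ACK."""
    hits = []
    for port, packets in group_by_port(trace).items():
        saw_synack = False
        answers = []  # what the scanner sent after the SYN,ACK
        for sender, flags in packets:
            if sender != scanner and flags == {"SYN", "ACK"}:
                saw_synack = True
            elif sender == scanner and saw_synack:
                answers.append(flags)
        reset = any("RST" in flags for flags in answers)
        if saw_synack and reset and frozenset({"ACK"}) not in answers:
            hits.append(port)
    return sorted(hits)
```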
