Skip to main content

NMAP port states explanation - TCP SYN -sS


I've always struggled with various port states reported by nmap (http://nmap.org). Different scan types report different port states for listening but firewalled ports, listening accessible ports or not listening and so on. 
To make my life easier I decided to create tables of most common scan types. I armored myself with Wireshark and did some testing. I used a Windows Firewall running on the scanned machine (called target) for the purpose of this lab.

  • Service State: Listening - means that there is a valid service listening on the scanned port
  • Service State: Not Listening - there is nothing on the scanned port
  • No Firewall column - firewall is off
  • Firewall column - scanned port is firewalled  
In a SYN scan NMAP attempts to establish a half-open TCP connection (syn + syn,ack + rst,ack).

TCP SYN
Service State
No Firewall
Firewall
-sS
Listening

State: Open

State: Filtered

nmap
target   
nmap
SYN
SYN,ACK
RST
nmap
target   
nmap
SYN

SYN
Not Listening

State: Closed


State: Closed
nmap
target
SYN
RST,ACK
nmap
target
SYN
RST,ACK

Comments

Popular posts from this blog

x.509 Certificates - Critical vs non-critical extensions

Extensions are used to associate additional information with the user or the key.  Each certificate extension has three attributes - extnID, critical, extnValue extnID - Extension ID - an OID that specifies the format and definitions of the extension critical - Critical flag - Boolean value extnValue - Extension value  Criticality flag specifies whether the information in an extension is important. If an application doesn't recognize the extension marked as critical, the certificate cannot be accepted. If an extension is not marked as critical (critical value False) it can be ignored by an application. In Windows, critical extensions are marked with a yellow exclamation mark,  View certificate extensions using OpenSSL: # openssl x509 -inform pem -in cert.pem -text -noout (output abbreviated)         X509v3 extensions:             X509v3 Key Usage: critical                 Digital Signature, Key Encipherment             X509v3 Subject Key Identifier

Cisco ASA Certificate Revocation Checking

ASA supports status verification using CRLs and OCSP. CRL can be retrieved using HTTP, LDAP or SCEP. Revocation checking using CRL: Over HTTP: ciscoasa(config)# crypto ca trustpoint ASDM_TrustPoint2 ciscoasa(config-ca-trustpoint)# revocation-check crl ciscoasa(config-ca-crl)# protocol http By default ASA will use address listed in CDP extension of the certificate that is being validated.  To override default behaviour we need to add the following in the CRL configuration context. ciscoasa(config-ca-crl)# policy static ciscoasa(config-ca-crl)# url 1 http://cdpurl.kp.local/crl.crl Over LDAP: Certificate I'm using for this lab, doesn't have LDAP address in its CDP extension. Therefore I'm using "policy static"  to specify LDAP URL where CRL can be retrieved.  ciscoasa(config)# crypto ca trustpoint ASDM_TrustPoint2 ciscoasa(config-ca-trustpoint)# revocation-check crl ciscoasa(config-ca-trustpoint)# crl configure ciscoasa

Count number of lines - 'findstr'

How do I count number of lines in a command output? findstr /r/n "^" | find /c ":" Above commands will display number of lines output by whatever command (well, nearly whatever) you specify in the front.  For example:  C:\>ping localhost | findstr /r/n "^" | find /c ":" FINDSTR: // ignored 12 This comes handy if you want to find out how many OUs you have in Active Directory: dsquery ou  -limit 0 | findstr /r/n "^" | find /c ":" How many user accounts there are: dsquery user -limit 0 | findstr /r/n "^" | find /c ":" Computers: dsquery computer -limit | findstr /r/n "^" | find /c ":"