
Showing posts with the label scanning

NMAP port states explanation - TCP ACK -sA

An ACK scan is meant for mapping firewall rule sets rather than for discovering listening ports. It sends an unsolicited ACK; a port that answers with a RST is reported as unfiltered whether or not anything is listening on it, because the only thing the reply proves is that the segment got through. In this lab every combination gave the same result:

TCP ACK (-sA)     No Firewall               Firewall
Listening         State: Unfiltered         State: Unfiltered
                  nmap -> target: ACK       nmap -> target: ACK
                  target -> nmap: RST       target -> nmap: RST
Not Listening     State: Unfiltered         State: Unfiltered
                  nmap -> target: ACK       nmap -> target: ACK
                  target -> nmap: RST       target -> nmap: RST

One caveat for reading such a table in the field: a stateful firewall that drops unsolicited ACKs (or answers them with an ICMP unreachable) produces no RST, and nmap then reports the port as filtered. So unfiltered means "the filter let the ACK through", not "a service is present"; to find out whether the port is actually open, follow up with a SYN or connect scan.

NMAP port states explanation - TCP Connect -sT

In a TCP connect scan nmap asks the operating system to establish a full TCP connection (SYN, SYN/ACK, ACK) and then tears it down (RST/ACK). In the table below both the firewalled listening port and the non-listening ports answer with segments (to be precise) carrying the same flags, RST/ACK, yet nmap still reports different states (filtered vs. closed). It is not looking at other properties of those segments: in a connect scan nmap never sees the target's packets at all, only the outcome of the connect() call. A connection refused error (the RST/ACK reached the scanner's TCP stack) becomes closed; a timeout, or a failure driven by an ICMP unreachable/prohibited message, becomes filtered. A RST/ACK that is generated by the target but never delivered to the scanner's stack therefore still ends up as filtered.

TCP Connect (-sT)   No Firewall                  Firewall
Listening           State: Open                  State: Filtered
                    nmap -> target: SYN          nmap -> target: SYN
                    target -> nmap: SYN,ACK      target -> nmap: RST,ACK
                    nmap -> target: ACK
                    nmap -> target: RST,ACK
Not Listening       State: Closed                State: Closed
                    nmap -> target: SYN          nmap -> target: SYN
                    target -> nmap: RST,ACK      target -> nmap: RST,ACK
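To make the decision rule concrete, here is an added example (not code from the original post or from nmap itself): a minimal connect scanner in Python that classifies a port purely from how connect() succeeds or fails, the same way nmap's -sT does. The connect_scan and demo helpers, the loopback listener used as a stand-in target, the SO_LINGER setting that makes close() send RST/ACK instead of FIN, and the set of errno values folded into "filtered" are all assumptions of this example.

```python
import errno
import socket
import struct

# errno values folded into "filtered": the kernel got an ICMP error (or nothing
# at all) instead of a SYN/ACK or RST from the port itself. Assumed set for this
# example; nmap handles a few more platform-specific codes the same way.
FILTERED_ERRNOS = {errno.EHOSTUNREACH, errno.ENETUNREACH, errno.ETIMEDOUT}


def connect_scan(host, port, timeout=2.0):
    """Classify one TCP port as 'open', 'closed' or 'filtered'.

    Hypothetical helper for this page. It reproduces the decision rule of a
    connect scan: the scanner never inspects the target's segments, it only
    sees whether connect() succeeds and, if not, which error it returns.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    # Abort on close() (SO_LINGER on, 0 s) so the kernel sends RST/ACK rather
    # than FIN, matching the RST,ACK row of the table. struct linger is two C
    # ints on Linux; that layout is an assumption of this example.
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
    try:
        sock.connect((host, port))
        return "open"            # three-way handshake completed
    except ConnectionRefusedError:
        return "closed"          # a RST/ACK reached our TCP stack
    except socket.timeout:
        return "filtered"        # the SYN (or the reply to it) was dropped
    except OSError as exc:
        if exc.errno in FILTERED_ERRNOS:
            return "filtered"    # ICMP unreachable / administratively prohibited
        raise
    finally:
        sock.close()


def demo():
    """Scan a loopback port while a listener is bound to it, then the same port
    after the listener is gone. Constructed setup: no real target is needed."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))   # let the kernel pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    while_listening = connect_scan("127.0.0.1", port)
    srv.close()
    after_close = connect_scan("127.0.0.1", port)
    return while_listening, after_close


if __name__ == "__main__":
    print(demo())                # ('open', 'closed')
```

Run it as-is to see the two loopback results; point connect_scan at a host behind a firewall that silently drops SYNs and the call times out, which is the "filtered" branch. Because the classification lives in the errno, a capture taken on the target can show a RST/ACK while the scanner still reports filtered, which is exactly the situation in the table above.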

NMAP port states explanation - TCP SYN -sS

I've always struggled with the various port states reported by nmap (http://nmap.org). Different scan types report different port states for listening but firewalled ports, for listening and accessible ports, for ports with nothing listening, and so on. To make my life easier I decided to create tables for the most common scan types. I armed myself with Wireshark and did some testing. I used the Windows Firewall running on the scanned machine (called target) for this lab.

Service State: Listening - a valid service is listening on the scanned port
Service State: Not Listening - nothing is listening on the scanned port
No Firewall column - the firewall is off
Firewall column - the scanned port is firewalled

In a SYN scan nmap performs a half-open handshake: it sends a SYN, receives the SYN/ACK, and the connection is then reset (nmap never completes the handshake, so the scanning host's own TCP stack answers the unexpected SYN/ACK with a RST).

TCP SYN (-sS)     No Firewall     Firewall
Listening         State: Open     State: Filtered
                  nmap  target    nmap