Nmap Development mailing list archives
Re: Port state nmap
From: Daniel Miller <bonsaiviking () gmail com>
Date: Tue, 1 Jul 2014 07:09:30 -0500
On Fri, Jun 27, 2014 at 8:36 AM, Maurice Sanders <m.sanders () i-fourc com> wrote:
> Hi,
>
> I read in the documentation about the port states. E.g. I have the following closed port when accessing a server from the outside:
>
> 119/tcp closed nntp
>
> System administrator says the port is blocked on the FW, but according to your documentation the port is still accessible, only no application is listening to it. Can you give me some more details/info?
>
> With kind regards,
Maurice,

The "closed" port state indicates that a RST was received in response to a SYN packet to that port, but it does not necessarily follow that the RST originated from the host that you are scanning. A firewall could send the response on its behalf, preventing access to the host on that port. In other words, a firewall does not always simply drop traffic, but sometimes responds in order to stop communication. The response could also have been an ICMP message (e.g. Port Unreachable or Administratively Prohibited).

If you know of a port that is open to the host, you can check which ports the firewall is blocking in this manner by using the firewalk NSE script (http://nmap.org/nsedoc/scripts/firewalk.html) or by checking Nmap's XML output for the reason_ttl attribute, which shows how many hops were left on the response packet when it arrived; if some packets have higher TTLs, then they were sent by a closer system, i.e. a firewall between you and the scanned host.

Dan
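One way to carry out the reason_ttl comparison described in the reply above, as an added example that is not part of the original message or of Nmap itself. The sample XML is constructed, and the function name `suspect_ports` and the choice of baseline (the lowest TTL seen on open ports, falling back to the lowest TTL seen overall) are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of Nmap's XML output (-oX); the address
# and TTL values are made up for illustration.
SAMPLE_XML = """<nmaprun>
 <host>
  <address addr="192.0.2.10" addrtype="ipv4"/>
  <ports>
   <port protocol="tcp" portid="25"><state state="filtered" reason="no-response" reason_ttl="0"/></port>
   <port protocol="tcp" portid="80"><state state="open" reason="syn-ack" reason_ttl="52"/></port>
   <port protocol="tcp" portid="119"><state state="closed" reason="reset" reason_ttl="61"/></port>
   <port protocol="tcp" portid="443"><state state="open" reason="syn-ack" reason_ttl="52"/></port>
   <port protocol="tcp" portid="8080"><state state="closed" reason="reset" reason_ttl="52"/></port>
  </ports>
 </host>
</nmaprun>"""


def suspect_ports(xml_text):
    """Return {address: [(port, state, reason, ttl), ...]} for responses that
    arrived with a higher TTL than the host's baseline, i.e. responses that
    were probably sent by a closer device such as a firewall."""
    findings = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        rows = []
        for port in host.iter("port"):
            state = port.find("state")
            ttl = int(state.get("reason_ttl", "0"))
            if ttl > 0:  # skip ports where no response packet was seen
                rows.append((int(port.get("portid")), state.get("state"),
                             state.get("reason"), ttl))
        if not rows:
            continue
        # Assumption: an open port's SYN/ACK comes from the scanned host
        # itself, so its TTL marks the host's distance.
        open_ttls = [r[3] for r in rows if r[1] == "open"]
        baseline = min(open_ttls) if open_ttls else min(r[3] for r in rows)
        flagged = [r for r in rows if r[3] > baseline]
        if flagged:
            findings[addr] = flagged
    return findings


if __name__ == "__main__":
    for addr, rows in suspect_ports(SAMPLE_XML).items():
        for portid, state, reason, ttl in rows:
            print(f"{addr} {portid}/tcp {state} ({reason}) ttl={ttl}: closer responder")
```

The comparison is only meaningful when the firewall and the host start from the same initial TTL; a device that uses a different initial value can look nearer or farther than it is.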
