Securing Network Infrastructure
上QQ阅读APP看书,第一时间看更新

How to identify open ports

The following are the six port states that are present in Nmap:

  • open: This means that the port is functioning and has a service running or accessing it. The service can thus accept any connections made as per the protocol and service in use on this port.
  • closed: A closed port is not being accessed by any service, there is no service running on it. Thus, no connections made externally will be successful on these ports.
  • filtered: This status is associated with ports from which no response was received due to the packet filtering mechanism present within the network.  This might be caused by an intermediate network protection device.
  • unfiltered: This status is associated with the ports that Nmap was not able to determine whether they were open or closed. Mostly ACK scan labels ports to be in unfiltered state; moreover, scans such as SYN and FIN can help resolve such issues.
  • Open|filtered: Nmap classifies ports with this type when no response is received from them. The UDP, IP protocol, FIN, NULL, and Xmas scans associate this status with the ports.
  • closed|filtered: This status is associated with ports that Nmap was not able to determine whether they were open or closed. Only idle scans use this status. Nmap provides various scan options for the user to craft a packet to obtain the desired result for Nmap to classify whether the port is open or closed. Most of these scan types are only allowed for administrative users because they have access to creating and sending raw packets.
  • -sS (TCP SYN Scan): This is also called a half-open scan because TCP requires a three-way handshake to be completed before a connection is established. The Nmap machine generates a TCP SYN packet to which the remote port responds with TCP ACK, and then instead of sending a SYN/ACK packet, Nmap sends an RST flag to destroy the handshake, thereby preventing a connection. The port is considered if the Nmap SYN packet receives an ACK or SYN packet as a response.
  • -sT (TCP connect scan): If a user does not have the required privileges to send a raw packet, or when a SYN scan is not an option, a TCP connect scan is used. As the name suggests, Nmap performs a complete three-way handshake and creates a connection to consider a port to be open.
  • -sU (UDP scans): UDP scans send a packet to well-known ports, such as 53 and 61, and it can then be performed on all ports. It sends protocol-specific packets to the famous ports and a generic UDP packet to the remaining ports. If the ports scanned return an ICMP unreachable error, then the port is closed. But if there is no response from a port it is marked as open filtered. In order to find out whether the port is actually running a service and is open, we can run a service detection scan.
  •  -sY (SCTP INIT scan): The SCTP INIT scan has already been discussed in the How to perform host discovery section. In order to perform this scan, there should be a running SCTP module.
  • -sN; -sF; -sX (TCP NULL, FIN, and Xmas scans): In order to perform a deeper probe, Nmap provides an option to craft packets with different flags, such as FIN, PSH, and URG. If no flags are set, then it is called a Null scan. If FIN flags are set, then it is called a FIN scan, and if all three flags are set, then it is called an Xmas scan.
  • -sA (TCP ACK scan): The TCP ACK scan has already been discussed in the How to perform host discovery section.
  •  -sW (TCP Window scan): The TCP Window scan works by the value of the TCP Window field of the RST packets received. Most systems have a window of zero for the RST packet of closed ports and a positive value for the open ports. This lists the port as closed instead of unfiltered once the RST packet is received.
  • --scanflags (Custom TCP scan): The Custom TCP scan allows a user to set various flags in the TCP packet, such as URG, SYN, ACK, FIN, PSH, URG, and RST, thereby allowing the user to create a custom packet for the probe.
  • -sO (IP protocol scan): This scan allows you to define the protocol for which the scan is being performed, such as TCP, UDP, ICMP, and IGMP, thus a specific packet is created for the probe.
  • -b <FTP relay host> (FTP bounce scan): This allows the user to connect to one FTP host and then relay the files to another FTP host, which is mentioned in the argument.