Detecting Open, Closed, Filtered, and Unfiltered Ports with Nmap

Learn how to use Nmap to detect open, closed, filtered, and unfiltered ports on a target system.

Introduction

Nmap (Network Mapper) is one of the most powerful and widely used tools for network discovery and security auditing. Among its various capabilities, one of the key functions of Nmap is port scanning, which allows users to detect open, closed, filtered, and unfiltered ports on a target system. Understanding the state of these ports is crucial for network administrators, penetration testers, and security professionals to assess potential vulnerabilities and strengthen security measures.

This article provides a comprehensive guide on how Nmap detects different port states, the techniques used, and how to interpret scan results effectively.

Understanding Port States in Nmap

When performing a scan with Nmap, the tool categorizes ports into different states based on how they respond to probes. These states include:

  1. Open
  2. Closed
  3. Filtered
  4. Unfiltered

Each of these states provides insight into the security configuration of a system and helps in determining possible vulnerabilities.

1. Open Ports

An open port is one that is actively listening for incoming connections. These ports indicate that a service is running and ready to communicate over the network. For example, a web server running on port 80 or an SSH service on port 22 will be classified as open if they are actively accepting connections.

How Nmap Detects Open Ports

Nmap detects open ports using:

  • TCP SYN Scan (-sS): Sends a SYN packet and waits for a SYN-ACK response, indicating an open port.
  • TCP Connect Scan (-sT): Uses a full three-way handshake to determine if a port is open.
  • UDP Scan (-sU): Sends UDP packets to the target ports; if a response is received, the port is considered open.

2. Closed Ports

A closed port is accessible but not running any services. It responds with a TCP RST (Reset) packet if probed, meaning there is no application listening on that port. While closed ports do not pose an immediate security risk, they indicate that the host is reachable, which might still provide useful information to attackers.

How Nmap Detects Closed Ports

  • TCP SYN Scan (-sS): If a SYN packet is sent and an RST packet is received, the port is considered closed.
  • TCP Connect Scan (-sT): The connection attempt is met with an RST response.
  • UDP Scan (-sU): If an ICMP Port Unreachable (Type 3, Code 3) message is received, the port is closed.

3. Filtered Ports

Filtered ports are those for which Nmap cannot determine whether they are open or closed, because a firewall, intrusion detection system, or other security control interferes with the probe. When a port is filtered, Nmap either receives no response at all or receives an ICMP unreachable message instead of a TCP or UDP reply.

How Nmap Detects Filtered Ports

  • TCP SYN Scan (-sS): If no response is received or an ICMP “Destination Unreachable” message is returned, the port is considered filtered.
  • UDP Scan (-sU): If an ICMP “Destination Unreachable” message other than Type 3, Code 3 is received, the port is filtered.
  • ACK Scan (-sA): Used specifically to detect whether a firewall is filtering traffic; if there is no response or an ICMP error, the port is filtered.

4. Unfiltered Ports

An unfiltered port is one that is accessible but Nmap cannot determine whether it is open or closed. This usually happens when using an ACK scan to check for firewall rules: an unsolicited ACK draws the same RST reply from an open port and from a closed port, so the response shows that the port is reachable but does not tell the two states apart.

How Nmap Detects Unfiltered Ports

  • ACK Scan (-sA): If an RST response is received, it means the port is unfiltered, indicating that it is reachable but does not necessarily mean it is open.
  • NULL, FIN, and Xmas Scans (-sN, -sF, -sX): If an RST packet is received, the port is unfiltered but likely closed.
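The rules in the four sections above fit in one small decision table. The following Python is an added example written for this article, not code from Nmap: it encodes the response-to-state mapping for each scan type, models the retransmission Nmap performs before it settles on a "no response" verdict, and combines a SYN-scan and an ACK-scan result for the same port into the firewall behaviour an analyst would infer. The reply labels are constructed names for this example, and the table follows Nmap's reference documentation, which reports silence to a UDP, NULL, FIN or Xmas probe as the compound state open|filtered and a RST reply to a NULL/FIN/Xmas probe as closed.

```python
# Added example (not Nmap's own code): a model of the port-state rules above.
# Reply labels below are constructed for this example.
from typing import Optional, Sequence

SYN_ACK = "tcp-syn-ack"
RST = "tcp-rst"
UDP_REPLY = "udp-reply"
ICMP_PORT_UNREACH = "icmp-3-3"        # ICMP type 3, code 3 (port unreachable)
ICMP_OTHER_UNREACH = "icmp-3-other"   # ICMP type 3, codes 1, 2, 9, 10 or 13
SILENT = None                         # nothing came back for this probe

# Per scan flag: (what each reply means, what silence means once retries are
# exhausted).  Silence means "filtered" only where an open port is obliged
# to answer; for UDP and NULL/FIN/Xmas probes an open port may stay quiet,
# so Nmap reports the compound state open|filtered instead.
_TCP_HANDSHAKE_RULES = {SYN_ACK: "open", RST: "closed",
                        ICMP_PORT_UNREACH: "filtered",
                        ICMP_OTHER_UNREACH: "filtered"}
_NO_FLAG_RULES = {RST: "closed", ICMP_PORT_UNREACH: "filtered",
                  ICMP_OTHER_UNREACH: "filtered"}
RULES = {
    "-sS": (_TCP_HANDSHAKE_RULES, "filtered"),
    "-sT": (_TCP_HANDSHAKE_RULES, "filtered"),
    "-sU": ({UDP_REPLY: "open", ICMP_PORT_UNREACH: "closed",
             ICMP_OTHER_UNREACH: "filtered"}, "open|filtered"),
    "-sA": ({RST: "unfiltered", ICMP_PORT_UNREACH: "filtered",
             ICMP_OTHER_UNREACH: "filtered"}, "filtered"),
    "-sN": (_NO_FLAG_RULES, "open|filtered"),
    "-sF": (_NO_FLAG_RULES, "open|filtered"),
    "-sX": (_NO_FLAG_RULES, "open|filtered"),
}


def classify(scan: str, replies: Sequence[Optional[str]]) -> str:
    """Port state for one scan type, given the replies to successive probes
    of a single port.  Nmap retransmits when a probe draws nothing back, so
    the first definitive reply decides; if every probe is silent, the scan's
    silence verdict applies."""
    reply_rules, silence_state = RULES[scan]
    for reply in replies:
        if reply is SILENT:
            continue                      # retransmit, look at the next reply
        if reply not in reply_rules:
            raise ValueError(f"{reply!r} is not a reply {scan} can receive")
        return reply_rules[reply]
    return silence_state


def firewall_observation(syn_state: str, ack_state: str) -> str:
    """Combine the SYN-scan and ACK-scan verdicts for the same port into the
    filtering behaviour they imply (the reasoning an analyst does by hand)."""
    if syn_state == "filtered" and ack_state == "unfiltered":
        return "stateless filter: blocks new connections (SYN) but passes ACK"
    if syn_state == "filtered" and ack_state == "filtered":
        return "stateful firewall or unreachable host: nothing gets through"
    if syn_state == "open" and ack_state == "filtered":
        return "stateful firewall: new connections allowed, unsolicited ACK dropped"
    if syn_state in ("open", "closed") and ack_state == "unfiltered":
        return "no filtering on this port"
    return "inconsistent verdicts: rescan before drawing conclusions"


if __name__ == "__main__":
    print(classify("-sS", [SILENT, RST]))            # closed after one retry
    print(classify("-sU", [SILENT, SILENT]))         # open|filtered
    print(firewall_observation("filtered", "unfiltered"))
```

The `firewall_observation` pairing is why the ACK scan is run alongside a SYN scan rather than on its own: "unfiltered" by itself only says a RST came back, but next to a "filtered" SYN verdict it tells you the filter is inspecting flags rather than connection state.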

Common Nmap Scanning Techniques

Nmap offers multiple scanning techniques to detect port states accurately. The choice of technique depends on the goal of the scan and the target’s security configuration.

1. TCP SYN Scan (-sS)

This is the most common and stealthy scan. It sends a SYN packet and waits for a SYN-ACK response (indicating an open port) or an RST response (indicating a closed port). If there is no response, the port is filtered.

nmap -sS [target]

2. TCP Connect Scan (-sT)

This scan performs a full TCP handshake using the operating system's connect() call. It is less stealthy than a SYN scan, because the completed connection is visible to the application and its logs, and it is usually used when the user lacks the raw-socket privileges a SYN scan requires.

nmap -sT [target]
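Because a connect scan only needs the ordinary connect() call, its three TCP verdicts can be reproduced on the local machine without privileges. The following Python is an added example written for this article, not Nmap's code: `connect_scan` maps the outcome of connect() to Nmap's vocabulary (handshake completed: open; connection refused, which is how the kernel reports the RST: closed; timeout or ICMP unreachable error: filtered), and the two loopback helpers are constructed so the open and closed cases can be exercised offline.

```python
# Added example (not Nmap's own code): the connect-scan verdicts via connect().
import errno
import socket
from typing import Dict, Tuple


def connect_scan(host: str, port: int, timeout: float = 1.0) -> str:
    """Probe one TCP port with a full handshake and return Nmap's state name.
    open: handshake completed.  closed: the peer answered with RST, which the
    kernel surfaces as ECONNREFUSED.  filtered: nothing came back before the
    timeout, or an ICMP error (host/network unreachable) was reported."""
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            rc = s.connect_ex((host, port))
    except (socket.timeout, OSError):
        return "filtered"
    if rc == 0:
        return "open"
    if rc == errno.ECONNREFUSED:
        return "closed"
    # ETIMEDOUT, EHOSTUNREACH, ENETUNREACH or a timeout code: a filter or a
    # dead path swallowed the SYN, so the port cannot be called open or closed.
    return "filtered"


def open_listener() -> Tuple[socket.socket, int]:
    """Constructed helper: a listening TCP socket on loopback and its port,
    standing in for a real service so an 'open' verdict can be demonstrated."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def free_port() -> int:
    """Constructed helper: a loopback port with nothing listening on it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo() -> Dict[str, str]:
    """Scan one listening and one unused loopback port; returns the verdicts."""
    srv, port = open_listener()
    try:
        return {
            "listening": connect_scan("127.0.0.1", port),
            "nothing bound": connect_scan("127.0.0.1", free_port()),
        }
    finally:
        srv.close()


if __name__ == "__main__":
    for label, state in demo().items():
        print(f"{label:>14}: {state}")
```

Running the block prints `open` for the listener and `closed` for the unused port. The filtered branch needs a path where the SYN is silently dropped, which loopback cannot provide; against a real firewalled host the same function returns "filtered" after the timeout, which is exactly the ambiguity the text describes. Note also what this scan leaves behind: the listener's accept queue actually receives the connection, which is the log entry a SYN scan avoids.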

3. UDP Scan (-sU)

Since UDP is connectionless, scanning UDP ports is more challenging. Nmap sends UDP packets and interprets responses to determine whether ports are open, closed, or filtered.

nmap -sU [target]

4. ACK Scan (-sA)

Used primarily for firewall rule detection, this scan sends an ACK packet and checks for responses to determine whether ports are filtered or unfiltered.

nmap -sA [target]

5. NULL, FIN, and Xmas Scans (-sN, -sF, -sX)

These scans send packets with unusual flag combinations to bypass firewalls and detect filtered ports.

nmap -sN [target]
nmap -sF [target]
nmap -sX [target]

Interpreting Nmap Results

Once an Nmap scan is completed, results are displayed with port numbers, their state, and the corresponding services. A typical output might look like:

PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   open     http
443/tcp  filtered https
25/tcp   closed   smtp

  • Open Ports (open): Services running on these ports are accessible.
  • Closed Ports (closed): No active service, but the host is reachable.
  • Filtered Ports (filtered): A firewall is blocking access.
  • Unfiltered Ports (unfiltered): The port is reachable, but Nmap cannot tell whether it is open or closed (reported by ACK scans).
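The table format above is stable enough to parse, which is how scan results become useful to a defender who scans their own hosts on a schedule. The following Python is an added example written for this article, not Nmap's code: it parses the normal-output port table, counts ports per state, and compares two scans to list ports that have newly become open. The sample text is constructed for this example (the article's four lines plus a banner line and one UDP line showing the compound state open|filtered).

```python
# Added example (not Nmap's own code): parse and compare Nmap port tables.
import re
from collections import Counter
from typing import Dict, List, Set

# One port line: "<port>/<proto>  <state>  <service>" with any spacing.
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)")

# Constructed sample in Nmap's normal-output layout.
SAMPLE = """\
Starting Nmap ( https://nmap.org )
PORT     STATE         SERVICE
22/tcp   open          ssh
80/tcp   open          http
443/tcp  filtered      https
25/tcp   closed        smtp
161/udp  open|filtered snmp
"""


def parse_nmap_output(text: str) -> List[dict]:
    """One dict per port line; banner, header and blank lines are skipped."""
    records = []
    for line in text.splitlines():
        match = PORT_LINE.match(line.strip())
        if match:
            rec = match.groupdict()
            rec["port"] = int(rec["port"])
            records.append(rec)
    return records


def summarize(records: List[dict]) -> Dict[str, int]:
    """Count ports by reported state.  Compound states such as open|filtered
    are kept as their own bucket rather than folded into either side."""
    return dict(Counter(rec["state"] for rec in records))


def open_ports(text: str) -> Set[str]:
    """'port/proto' strings for every port the scan reports as open."""
    return {f"{rec['port']}/{rec['proto']}"
            for rec in parse_nmap_output(text) if rec["state"] == "open"}


def newly_open(baseline: str, current: str) -> Set[str]:
    """Ports open now that were not open in the baseline scan: the first
    thing to investigate when a periodic scan of your own hosts changes."""
    return open_ports(current) - open_ports(baseline)


if __name__ == "__main__":
    print(summarize(parse_nmap_output(SAMPLE)))
    later = SAMPLE + "3306/tcp open          mysql\n"
    print("newly open:", newly_open(SAMPLE, later))
```

For regular use, `nmap -oN` (normal output) or `-oX` (XML) saved per run gives the baseline and current inputs; the XML form is the more robust to parse, but the normal-output table is what the article shows and is fine for a state-by-state comparison.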

Conclusion

Understanding how Nmap detects open, closed, filtered, and unfiltered ports is essential for network security analysis. By using different scanning techniques, security professionals can gain valuable insights into the security posture of a network and take necessary actions to mitigate risks.

For ethical use, always ensure you have permission before scanning any network, as unauthorized scanning can be considered illegal in many jurisdictions. With the right approach, Nmap remains a powerful tool in the arsenal of cybersecurity experts, aiding in network defense and vulnerability assessment.