Nmap Port States

In this section we undertand various port states associated with Nmap

Where various port scanners, categorize ports as either open or closed, Nmap categorizes them into six states, providing us with a better understanding and more granular details of the port.

These states are not the default states but it is how Nmap perceives them.

The Six port states

  1. open - Finding these ports is the primary goal, these are the ports where applications are actively accepting the TCP, UDP or SCTP connections. Each open port is can be a route for an attack. These open ports are what attackers and pentester are looking after. They also show us the service available and running.

  2. closed - These ports are accessible they receive and respond to Nmap packets. However, there is no application listening on it. They are useful in multiple ways, 1) host discovery 2) Ping Scanning and 3) OS detection. The ports are reachable but are usually blocked by a firewall which puts them in a filtered state.

  3. filtered - Here Nmap cannot determine whether the port is open or not because packet filtering prevents the Nmap probe from reaching the port. This filtering could be from the firewall device, router rules or host-based firewall software. They provide very little information. These ports sometimes respond with ICMP error messages for instance "destination unreachable: communication administratively prohibited". Such situations can slow down the Nmap scans drastically because the filtering, makes Nmap retry several times just in case the probe was dropped due to network congestion.

  4. unfiltered - in this state the port is accessible. However, Nmap is unable to determine whether it is open or closed. Only the ACK scan, which is used to map the firewall ruleset, classifies ports into this state. Scanning unfiltered ports with other types such as Window scan, SYN scan, or FIN scan, may help resolve whether the port is open.

  5. open | filtered: Nmap can not figure out whether the port is open or filtered. Here the open ports give no response. The UDP, IP protocol, FIN, NULL, and Xmas scans classify ports this way.

  6. closed | filtered: Nmap is not able to determine whether the port is closed or filtered. it is only used for the IP ID idle scan

PreviousPorts and Associated ServiceNextNmap Scanning

Last updated