Router's responses to port scans

Recently I was trying to figure out what the various port states reported by Nmap really mean. This is what's actually going on:

  • If a packet is intercepted by a router's access-list, the router sends back an ICMP administratively prohibited packet. This is reported as a filtered port by Nmap (and probably as a stealth port by some other scanners).
  • If you do a TCP SYN scan of a router and the scanned port is not active, the router sends back a TCP RST packet. This is reported as a closed port.
  • If you perform a UDP scan of a router, the router sends back an ICMP port unreachable message if the UDP application is not active. This is reported by Nmap as a filtered port (even though in most cases it should be equivalent to a closed TCP port).
  • In some cases, the router simply doesn't reply to UDP scans (for example, if you scan the discard service). This is reported as open|filtered (as the scanner cannot reliably determine whether the probe was dropped by a filter or simply not answered).

Note: In any case, UDP scans are far less reliable than TCP scans due to the connectionless nature of UDP.

Below you'll find the debugging outputs for the most common conditions:

Successful TCP scan

Debugged with debug ip tcp packet
tcp0: I LISTEN 172.16.10.34:49620 172.16.0.1:80 seq 2116160324
OPTS 4 SYN WIN 1024
tcp0: O SYNRCVD 172.16.10.34:49620 172.16.0.1:80 seq 3992162774
OPTS 4 ACK 2116160325 SYN WIN 4128
tcp0: I SYNRCVD 172.16.10.34:49620 172.16.0.1:80 seq 2116160325
RST WIN 0

TCP scan of a closed port

Debugged with debug ip tcp packet
tcp0: I LISTEN 172.16.10.34:50434 172.16.0.1:80 seq 1431055709
OPTS 4 SYN WIN 1024
TCP: sent RST to 172.16.10.34:50434 from 172.16.0.1:80

TCP scan blocked by an access-list

Debugged with debug ip icmp
ICMP: dst (172.16.0.1) administratively prohibited unreachable sent to 172.16.10.34

UDP scan of an unreachable port

Debugged with debug ip udp and debug ip icmp
UDP: rcvd src=172.16.10.34(37312), dst=172.16.0.1(8), length=8
ICMP: dst (172.16.0.1) port unreachable sent to 172.16.10.34

1 comment:

  1. Nmap also has a very useful command-line option which helps to understand which packets the tool has sent/received. It's called --packet-trace. It shows you which packets Nmap is sending and which ones it has received, similar to the debug output.

    Example:

    nmap -sS -n -P0 -p 80 --packet-trace www.heise.de

    Starting Nmap 4.20 ( http://insecure.org ) at 2007-06-13 12:42 Westeuropäische Sommerzeit
    SENT (0.5000s) TCP 10.1.3.131:48805 > 193.99.144.85:80 S ttl=53 id=21245 iplen=44 seq=1230587665 win=2048 mss 1460
    RCVD (0.5160s) TCP 193.99.144.85:80 > 10.1.3.131:48805 SA ttl=247 id=41420 iplen=44 seq=2583668031 win=4182 ack=1230587666 mss 1394
    Interesting ports on 193.99.144.85:
    PORT STATE SERVICE
    80/tcp open http

    Nmap finished: 1 IP address (1 host up) scanned in 0.563 seconds

    best regards,

    Jochen

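Putting the post's reply-to-state rules and Jochen's --packet-trace tip together, here is an added example (not code from the post, the comment or the Nmap project) that reads the SENT/RCVD lines of a TCP SYN scan and derives the state Nmap would report, together with a --reason style label. The trace it parses is constructed; the ICMP line only approximates Nmap's real output, and attributing a port-less ICMP error to probes by router address is a simplification of what Nmap does internally.

```python
"""Derive Nmap port states (with --reason labels) from the SENT/RCVD lines of a TCP
SYN scan run with --packet-trace.  Added example, not code from the post, the
commenter or the Nmap project; the trace is constructed, the ICMP line approximate."""
import re

SENT = re.compile(r"SENT \([\d.]+s\) TCP \S+:\d+ > (\S+):(\d+) (\w+)\b")
RCVD_TCP = re.compile(r"RCVD \([\d.]+s\) TCP (\S+):(\d+) > \S+:\d+ (\w+)\b")
RCVD_ICMP = re.compile(r"RCVD \([\d.]+s\) ICMP \[(\S+) > \S+ .*?\(type=(\d+)/code=(\d+)\)")

def syn_scan_states(trace: list[str]) -> dict[tuple[str, int], tuple[str, str]]:
    """Post's rules: SYN/ACK -> open, RST -> closed, ICMP admin-prohibited or silence -> filtered."""
    states: dict[tuple[str, int], tuple[str, str]] = {}
    for line in trace:
        if m := SENT.match(line.strip()):
            dst, dport, flags = m.groups()
            if flags == "S":                    # our SYN probe: assume silence until answered
                states.setdefault((dst, int(dport)), ("filtered", "no-response"))
        elif m := RCVD_TCP.match(line.strip()):
            src, sport, flags = m.groups()
            target = (src, int(sport))
            if target not in states:
                continue                        # not a reply to one of our probes
            if "S" in flags and "A" in flags:
                states[target] = ("open", "syn-ack")    # a service is listening
            elif "R" in flags:
                states[target] = ("closed", "reset")    # port not active on the router
        elif m := RCVD_ICMP.match(line.strip()):
            sender, itype, code = m.groups()
            if (itype, code) == ("3", "13"):    # administratively prohibited
                # The trace line names no port (Nmap matches the quoted IP header, which
                # --packet-trace omits), so attribute it to every unanswered probe to that router.
                for target in [t for t, (_, r) in states.items()
                               if t[0] == sender and r == "no-response"]:
                    states[target] = ("filtered", "admin-prohibited")
    return states

# Constructed trace: on 172.16.0.1 port 80 answers SYN/ACK, 23 answers RST, 161 is blocked by an access-list; 172.16.0.2 never answers.
SAMPLE_TRACE = """
SENT (0.5000s) TCP 10.1.3.131:48805 > 172.16.0.1:80 S ttl=53 id=21245 iplen=44 seq=1230587665 win=2048 mss 1460
SENT (0.5001s) TCP 10.1.3.131:48805 > 172.16.0.1:23 S ttl=53 id=21246 iplen=44 seq=1230587665 win=2048 mss 1460
SENT (0.5002s) TCP 10.1.3.131:48805 > 172.16.0.1:161 S ttl=53 id=21247 iplen=44 seq=1230587665 win=2048 mss 1460
SENT (0.5003s) TCP 10.1.3.131:48805 > 172.16.0.2:80 S ttl=53 id=21248 iplen=44 seq=1230587665 win=2048 mss 1460
RCVD (0.5160s) TCP 172.16.0.1:80 > 10.1.3.131:48805 SA ttl=247 id=41420 iplen=44 seq=2583668031 win=4182 ack=1230587666 mss 1394
RCVD (0.5170s) TCP 172.16.0.1:23 > 10.1.3.131:48805 RA ttl=247 id=41421 iplen=40 seq=0 win=0 ack=1230587666
RCVD (0.5180s) ICMP [172.16.0.1 > 10.1.3.131 Communication administratively prohibited (type=3/code=13) ] IP [ttl=247 id=41422 iplen=56 ]
""".strip().splitlines()

if __name__ == "__main__":
    for (ip, port), (state, reason) in sorted(syn_scan_states(SAMPLE_TRACE).items()):
        print(f"{port}/tcp on {ip}: {state} ({reason})")
```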


Ivan Pepelnjak, CCIE#1354, is the chief technology advisor for NIL Data Communications. He has been designing and implementing large-scale data communications networks as well as teaching and writing books about advanced technologies since 1990. See his full profile, contact him or follow @ioshints on Twitter.