The default scan (TCP scan if run as an unprivileged user, or half-open scan -sS if run as superuser) relies on the TCP protocol (the so-called 3-way handshake).
- A client (you) sends a SYN; if the server replies with SYN/ACK, the port is open!
- You send a SYN; if the server replies with RST, the port is closed!
- You send a SYN; if the server does not reply, or replies with an ICMP error, the port is filtered (most likely an IDS / stateful firewall is blocking your request).
To find out what the real status of the port is, you can:
- use the -sV or -A option (version detection); this will help you determine what the status of this port is.
- use --tcp-flags SYN,FIN to try to bypass the fw.
- use other scan types (link)
The excellent book "Nmap Network Discovery", written by its creator, Fyodor, explains this very well. I quote:
filtered : Nmap cannot determine whether the port is open because packet filtering prevents its probes from reaching the port. The filtering could be from a dedicated firewall device, router rules, or host-based firewall software. These ports frustrate attackers because they provide so little information. Sometimes they respond with ICMP error messages such as type 3 code 13 (destination unreachable: communication administratively prohibited), but filters that simply drop probes without responding are far more common. This forces Nmap to retry several times just in case the probe was dropped due to network congestion rather than filtering. This sort of filtering slows scans down dramatically.
open|filtered : Nmap places ports in this state when it is unable to determine whether a port is open or filtered. This occurs for scan types in which open ports give no response. The lack of response could also mean that a packet filter dropped the probe or any response it elicited. So Nmap does not know for sure whether the port is open or being filtered. The UDP, IP protocol, FIN, NULL, and Xmas scans classify ports this way.
closed|filtered : This state is used when Nmap is unable to determine whether a port is closed or filtered. It is only used for the IP ID Idle scan discussed in Section 5.10, "TCP Idle Scan (-sI)".
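
An added example (not part of the original answer): when a scan is saved with nmap's XML output (-oX), each port's state carries a reason attribute recording which of the responses described above was seen, so a firewall rule that drops silently can be told apart from one that rejects with ICMP. The sample report, host address and function names below are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the shape of `nmap -oX` output (not from a real scan).
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sS -oX - 192.0.2.10">
 <host>
  <address addr="192.0.2.10" addrtype="ipv4"/>
  <ports>
   <port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="64"/></port>
   <port protocol="tcp" portid="23"><state state="closed" reason="reset" reason_ttl="64"/></port>
   <port protocol="tcp" portid="80"><state state="filtered" reason="no-response" reason_ttl="0"/></port>
   <port protocol="tcp" portid="445"><state state="filtered" reason="admin-prohibited" reason_ttl="63"/></port>
  </ports>
 </host>
</nmaprun>"""

# How each reason maps onto the cases described in the answer and the quote.
EXPLAIN = {
    "syn-ack": "SYN/ACK received: a service is listening",
    "reset": "RST received: host reachable, nothing listening",
    "no-response": "probe silently dropped, even after retries",
    "admin-prohibited": "ICMP type 3 code 13 returned by a filter",
}

def summarize(xml_text):
    """Return {(state, reason): [ports]} for every port in the report."""
    groups = defaultdict(list)
    for port in ET.fromstring(xml_text).iter("port"):
        state = port.find("state")
        if state is None:
            continue
        key = (state.get("state"), state.get("reason", "unknown"))
        groups[key].append(int(port.get("portid")))
    return dict(groups)

def filter_behaviour(xml_text):
    """Split filtered ports into silently dropped vs actively rejected."""
    dropped, rejected = [], []
    for (state, reason), ports in summarize(xml_text).items():
        if state == "filtered":
            (dropped if reason == "no-response" else rejected).extend(ports)
    return sorted(dropped), sorted(rejected)

if __name__ == "__main__":
    for (state, reason), ports in summarize(SAMPLE_XML).items():
        print(f"{state:9} {reason:17} {ports}  {EXPLAIN.get(reason, '')}")
    print("dropped / rejected:", filter_behaviour(SAMPLE_XML))
```

Real reports also collapse large groups of same-state ports into extraports elements, which this example does not read.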