After capturing packets of an nmap scan: nmap –PN –scanflags PSHSYN –g 53 –p 22,80 [target] I found one respond from the target with ACK and RST flags set on port 80 I also found 4 responds from the target with ACK and SYN flags set on port 22 Does it indicate that the ports are open or closed ? I was thinking that if you get a respond with ACK and RST flags set for port 80 it means that it is closed, however I am not sure if port 22 is closed or open. I also do not know why I have one respond packet for port 80(http) but four for port 22(ssh). Thanks for your help asked 05 Nov '12, 18:15  tomala edited 05 Nov '12, 18:33 |
2 Answers:
If you get a SYN,ACK for a SYN packet (your nmap scan on port 22), that most certainly means, that the port is open. However, it is hard to say why you get 4 responses without some information about the environment and the full capture file. Maybe nmap sent 4 SYN packets and thus you received 4 SYN,ACK !?! If you want to know if the port is open, just open a connection to it. If you see the banner of the ssh daemon, the port is obviously open. UPDATE
if that was caused by the same nmap scan, there could be "something" between the nmap scanner and the target that generated the answer packets. This "something" could be a firewall with a REJECT rule for port 80 and possibly some SYN Defender module for port 22. However, it would still be unclear why you get 4 answer packets for one SYN packet on port 22. As I said: Without further information about the environment and without the full capture file, it's hard to make any good assumptions. Regards answered 06 Nov '12, 01:15  Kurt Knochner ♦ edited 06 Nov '12, 01:43 |
The RST flag on port 80 means it is closed but not firewalled. If you get SYN/ACK flags on port 22 it means it is open and responds to connection requests. answered 06 Nov '12, 01:16  Jasper ♦♦ |
could'nt it be a firewall with a REJECT rule instead of a DROP rule?
yep, agreed, but that is very uncommon :-)