Ports Showing Closed/Filtered in Nmap Scans Announcing the arrival of Valued Associate #679: Cesar Manara Planned maintenance scheduled April 17/18, 2019 at 00:00UTC (8:00pm US/Eastern)Why does an nmap -sT scan show ports filtered but -sS shows ports closedFirewalk through a Firewall on our subnetnmap OS scan showing DD-WRT when I'm not running it?What are the security implications of allowing all incoming connections in a firewall on a typical Windows server?Samba open ports, not being filteredSorting hosts via open ports using NMapOpen Ports (WAN side) on Netgear R7000 Router using nmapNmap only detect virtual hosts and not physical hosts (maybe segmented network)NMAP - Closed vs Filterednmap not showing closed ports
What does this Jacques Hadamard quote mean?
When the Haste spell ends on a creature, do attackers have advantage against that creature?
How come Sam didn't become Lord of Horn Hill?
Can you use the Shield Master feat to shove someone before you make an attack by using a Readied action?
Is it common practice to audition new musicians 1-2-1 before rehearsing with the entire band?
Maximum summed powersets with non-adjacent items
For a new assistant professor in CS, how to build/manage a publication pipeline
Irreducible of finite Krull dimension implies quasi-compact?
Amount of permutations on an NxNxN Rubik's Cube
Is it fair for a professor to grade us on the possession of past papers?
Crossing US/Canada Border for less than 24 hours
Most bit efficient text communication method?
Why are there no cargo aircraft with "flying wing" design?
Should I use a zero-interest credit card for a large one-time purchase?
Is safe to use va_start macro with this as parameter?
How do I find out the mythology and history of my Fortress?
How to compare two different files line by line in unix?
Circuit to "zoom in" on mV fluctuations of a DC signal?
What is the meaning of the simile “quick as silk”?
Is grep documentation wrong?
Withdrew £2800, but only £2000 shows as withdrawn on online banking; what are my obligations?
Using audio cues to encourage good posture
What is the longest distance a player character can jump in one leap?
An adverb for when you're not exaggerating
Ports Showing Closed/Filtered in Nmap Scans
Announcing the arrival of Valued Associate #679: Cesar Manara
Planned maintenance scheduled April 17/18, 2019 at 00:00UTC (8:00pm US/Eastern)Why does an nmap -sT scan show ports filtered but -sS shows ports closedFirewalk through a Firewall on our subnetnmap OS scan showing DD-WRT when I'm not running it?What are the security implications of allowing all incoming connections in a firewall on a typical Windows server?Samba open ports, not being filteredSorting hosts via open ports using NMapOpen Ports (WAN side) on Netgear R7000 Router using nmapNmap only detect virtual hosts and not physical hosts (maybe segmented network)NMAP - Closed vs Filterednmap not showing closed ports
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;
hopefully this isn't a stupid question.. I am running some nmap scans and I get a list of ports that show closed. Why would they even show in the scan report? Can these be exploited further with other nmap switches such as zombie scans etc? I specified all ports in my scan using -p- .My thought is that it would show a large list of all closed ports on my system not just those?
Here is the command I ran: nmap -iL axisips.txt -A -sV -p- > axisnmapresults2.txt
Host is up (0.062s latency).
Not shown: 65525 filtered ports
PORT STATE SERVICE VERSION
17/tcp closed qotd
19/tcp closed chargen
25/tcp closed smtp
111/tcp closed rpcbind
136/tcp closed profile
137/tcp closed netbios-ns
138/tcp closed netbios-dgm
139/tcp closed netbios-ssn
443/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
firewalls nmap ports port-knocking
asked 11 hours ago
john_zombiejohn_zombie
7611
add a comment |
hopefully this isn't a stupid question.. I am running some nmap scans and I get a list of ports that show closed. Why would they even show in the scan report? Can these be exploited further with other nmap switches such as zombie scans etc? I specified all ports in my scan using -p- .My thought is that it would show a large list of all closed ports on my system not just those?
Here is the command I ran: nmap -iL axisips.txt -A -sV -p- > axisnmapresults2.txt
Host is up (0.062s latency).
Not shown: 65525 filtered ports
PORT STATE SERVICE VERSION
17/tcp closed qotd
19/tcp closed chargen
25/tcp closed smtp
111/tcp closed rpcbind
136/tcp closed profile
137/tcp closed netbios-ns
138/tcp closed netbios-dgm
139/tcp closed netbios-ssn
443/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
firewalls nmap ports port-knocking
asked 11 hours ago
john_zombiejohn_zombie
7611
what were the port nos?
– JOW
9 hours ago
1
Added in Original post
– john_zombie
9 hours ago
add a comment |
hopefully this isn't a stupid question.. I am running some nmap scans and I get a list of ports that show closed. Why would they even show in the scan report? Can these be exploited further with other nmap switches such as zombie scans etc? I specified all ports in my scan using -p- .My thought is that it would show a large list of all closed ports on my system not just those?
Here is the command I ran: nmap -iL axisips.txt -A -sV -p- > axisnmapresults2.txt
Host is up (0.062s latency).
Not shown: 65525 filtered ports
PORT STATE SERVICE VERSION
17/tcp closed qotd
19/tcp closed chargen
25/tcp closed smtp
111/tcp closed rpcbind
136/tcp closed profile
137/tcp closed netbios-ns
138/tcp closed netbios-dgm
139/tcp closed netbios-ssn
443/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
firewalls nmap ports port-knocking
asked 11 hours ago
john_zombiejohn_zombie
7611
hopefully this isn't a stupid question.. I am running some nmap scans and I get a list of ports that show closed. Why would they even show in the scan report? Can these be exploited further with other nmap switches such as zombie scans etc? I specified all ports in my scan using -p- .My thought is that it would show a large list of all closed ports on my system not just those?
Here is the command I ran: nmap -iL axisips.txt -A -sV -p- > axisnmapresults2.txt
Host is up (0.062s latency).
Not shown: 65525 filtered ports
PORT STATE SERVICE VERSION
17/tcp closed qotd
19/tcp closed chargen
25/tcp closed smtp
111/tcp closed rpcbind
136/tcp closed profile
137/tcp closed netbios-ns
138/tcp closed netbios-dgm
139/tcp closed netbios-ssn
443/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
firewalls nmap ports port-knocking
firewalls nmap ports port-knocking
asked 11 hours ago
john_zombiejohn_zombie
7611
asked 11 hours ago
john_zombiejohn_zombie
7611
edited 9 hours ago
john_zombie
asked 11 hours ago
john_zombiejohn_zombie
7611
asked 11 hours ago
john_zombiejohn_zombie
7611
asked 11 hours ago
john_zombiejohn_zombie
7611
7611
what were the port nos?
– JOW
9 hours ago
1
Added in Original post
– john_zombie
9 hours ago
add a comment |
what were the port nos?
– JOW
9 hours ago
1
Added in Original post
– john_zombie
9 hours ago
what were the port nos?
– JOW
9 hours ago
what were the port nos?
– JOW
9 hours ago
1
1
Added in Original post
– john_zombie
9 hours ago
Added in Original post
– john_zombie
9 hours ago
add a comment |
1 Answer
1
active
oldest
votes
To avoid 65K+ lines of mostly-useless output, Nmap collapses most "uninteresting" results into a line that says something like "Not shown: 65530 filtered ports." Open ports are never collapsed this way, but closed (TCP RST) and filtered (no response or ICMP admin-prohibited) ports are only shown if there are fewer than a certain number.
In your case, I would guess that most of the ports are "filtered" but a few are "closed" instead. There are many reasons this might be the case, but the most likely are:
- Something between you and the target is blocking access to those ports by spoofing RST replies. This is common with residential ISPs blocking ports 137, 139, and 445, among others.
- The target's firewall is allowing those ports, but there is no service running on them.
EDITED TO ADD: Based on the actual port output, I'm pretty sure this is ISP filtering (spoofing closed-port responses). Ports 17 and 19 are commonly used as DDoS amplifiers (though UDP, not TCP). Ports 137-139 and 445 have been exploited on Windows by network worms. Port 25 is for email servers, so ISPs block it unless you buy a business-class connection. I'm not sure about 111 and 136; those could be legitimately closed, or they could be blocked for some other reason. Add the --reason option to your scan to see details about IP Time-to-Live (TTL) in the response; abnormally high TTL values can indicate ISP blocking, especially if the TTL value for open ports is several hops lower (usually between 5 and 15 hops different or so).
answered 9 hours ago
bonsaivikingbonsaiviking
9,3561842
So just because its showing closed it means its not running but available?
– john_zombie
9 hours ago
@john_zombie Basically yes. A "port" is just an address, a number on a packet. A process on a machine can "listen" on the port, which means it tells the OS, "when a connection comes in with this port number, give it to me." When that happens, the port is "open." If no process has asked for a particular number, then a probe to that port will be rejected ("closed"). The firewall inspects connections before any of this and may drop or reject connections regardless of whether a process wants them. So "filtered" means "could be open or closed, but you can't use it anyway."
– bonsaiviking
9 hours ago
so nothing here to report on my pentest? Seems like the firewall is doing its job.
– john_zombie
6 hours ago
add a comment |
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "162"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f207605%2fports-showing-closed-filtered-in-nmap-scans%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
To avoid 65K+ lines of mostly-useless output, Nmap collapses most "uninteresting" results into a line that says something like "Not shown: 65530 filtered ports." Open ports are never collapsed this way, but closed (TCP RST) and filtered (no response or ICMP admin-prohibited) ports are only shown if there are fewer than a certain number.
In your case, I would guess that most of the ports are "filtered" but a few are "closed" instead. There are many reasons this might be the case, but the most likely are:
- Something between you and the target is blocking access to those ports by spoofing RST replies. This is common with residential ISPs blocking ports 137, 139, and 445, among others.
- The target's firewall is allowing those ports, but there is no service running on them.
EDITED TO ADD: Based on the actual port output, I'm pretty sure this is ISP filtering (spoofing closed-port responses). Ports 17 and 19 are commonly used as DDoS amplifiers (though UDP, not TCP). Ports 137-139 and 445 have been exploited on Windows by network worms. Port 25 is for email servers, so ISPs block it unless you buy a business-class connection. I'm not sure about 111 and 136; those could be legitimately closed, or they could be blocked for some other reason. Add the --reason option to your scan to see details about IP Time-to-Live (TTL) in the response; abnormally high TTL values can indicate ISP blocking, especially if the TTL value for open ports is several hops lower (usually between 5 and 15 hops different or so).
answered 9 hours ago
bonsaivikingbonsaiviking
9,3561842
So just because its showing closed it means its not running but available?
– john_zombie
9 hours ago
@john_zombie Basically yes. A "port" is just an address, a number on a packet. A process on a machine can "listen" on the port, which means it tells the OS, "when a connection comes in with this port number, give it to me." When that happens, the port is "open." If no process has asked for a particular number, then a probe to that port will be rejected ("closed"). The firewall inspects connections before any of this and may drop or reject connections regardless of whether a process wants them. So "filtered" means "could be open or closed, but you can't use it anyway."
– bonsaiviking
9 hours ago
so nothing here to report on my pentest? Seems like the firewall is doing its job.
– john_zombie
6 hours ago
add a comment |
To avoid 65K+ lines of mostly-useless output, Nmap collapses most "uninteresting" results into a line that says something like "Not shown: 65530 filtered ports." Open ports are never collapsed this way, but closed (TCP RST) and filtered (no response or ICMP admin-prohibited) ports are only shown if there are fewer than a certain number.
In your case, I would guess that most of the ports are "filtered" but a few are "closed" instead. There are many reasons this might be the case, but the most likely are:
- Something between you and the target is blocking access to those ports by spoofing RST replies. This is common with residential ISPs blocking ports 137, 139, and 445, among others.
- The target's firewall is allowing those ports, but there is no service running on them.
EDITED TO ADD: Based on the actual port output, I'm pretty sure this is ISP filtering (spoofing closed-port responses). Ports 17 and 19 are commonly used as DDoS amplifiers (though UDP, not TCP). Ports 137-139 and 445 have been exploited on Windows by network worms. Port 25 is for email servers, so ISPs block it unless you buy a business-class connection. I'm not sure about 111 and 136; those could be legitimately closed, or they could be blocked for some other reason. Add the --reason option to your scan to see details about IP Time-to-Live (TTL) in the response; abnormally high TTL values can indicate ISP blocking, especially if the TTL value for open ports is several hops lower (usually between 5 and 15 hops different or so).
answered 9 hours ago
bonsaivikingbonsaiviking
9,3561842
So just because its showing closed it means its not running but available?
– john_zombie
9 hours ago
@john_zombie Basically yes. A "port" is just an address, a number on a packet. A process on a machine can "listen" on the port, which means it tells the OS, "when a connection comes in with this port number, give it to me." When that happens, the port is "open." If no process has asked for a particular number, then a probe to that port will be rejected ("closed"). The firewall inspects connections before any of this and may drop or reject connections regardless of whether a process wants them. So "filtered" means "could be open or closed, but you can't use it anyway."
– bonsaiviking
9 hours ago
so nothing here to report on my pentest? Seems like the firewall is doing its job.
– john_zombie
6 hours ago
add a comment |
To avoid 65K+ lines of mostly-useless output, Nmap collapses most "uninteresting" results into a line that says something like "Not shown: 65530 filtered ports." Open ports are never collapsed this way, but closed (TCP RST) and filtered (no response or ICMP admin-prohibited) ports are only shown if there are fewer than a certain number.
In your case, I would guess that most of the ports are "filtered" but a few are "closed" instead. There are many reasons this might be the case, but the most likely are:
- Something between you and the target is blocking access to those ports by spoofing RST replies. This is common with residential ISPs blocking ports 137, 139, and 445, among others.
- The target's firewall is allowing those ports, but there is no service running on them.
EDITED TO ADD: Based on the actual port output, I'm pretty sure this is ISP filtering (spoofing closed-port responses). Ports 17 and 19 are commonly used as DDoS amplifiers (though UDP, not TCP). Ports 137-139 and 445 have been exploited on Windows by network worms. Port 25 is for email servers, so ISPs block it unless you buy a business-class connection. I'm not sure about 111 and 136; those could be legitimately closed, or they could be blocked for some other reason. Add the --reason option to your scan to see details about IP Time-to-Live (TTL) in the response; abnormally high TTL values can indicate ISP blocking, especially if the TTL value for open ports is several hops lower (usually between 5 and 15 hops different or so).
answered 9 hours ago
bonsaivikingbonsaiviking
9,3561842
To avoid 65K+ lines of mostly-useless output, Nmap collapses most "uninteresting" results into a line that says something like "Not shown: 65530 filtered ports." Open ports are never collapsed this way, but closed (TCP RST) and filtered (no response or ICMP admin-prohibited) ports are only shown if there are fewer than a certain number.
In your case, I would guess that most of the ports are "filtered" but a few are "closed" instead. There are many reasons this might be the case, but the most likely are:
- Something between you and the target is blocking access to those ports by spoofing RST replies. This is common with residential ISPs blocking ports 137, 139, and 445, among others.
- The target's firewall is allowing those ports, but there is no service running on them.
EDITED TO ADD: Based on the actual port output, I'm pretty sure this is ISP filtering (spoofing closed-port responses). Ports 17 and 19 are commonly used as DDoS amplifiers (though UDP, not TCP). Ports 137-139 and 445 have been exploited on Windows by network worms. Port 25 is for email servers, so ISPs block it unless you buy a business-class connection. I'm not sure about 111 and 136; those could be legitimately closed, or they could be blocked for some other reason. Add the --reason option to your scan to see details about IP Time-to-Live (TTL) in the response; abnormally high TTL values can indicate ISP blocking, especially if the TTL value for open ports is several hops lower (usually between 5 and 15 hops different or so).
answered 9 hours ago
bonsaivikingbonsaiviking
9,3561842
edited 8 hours ago
answered 9 hours ago
bonsaivikingbonsaiviking
9,3561842
answered 9 hours ago
bonsaivikingbonsaiviking
9,3561842
answered 9 hours ago
bonsaivikingbonsaiviking
9,3561842
9,3561842
So just because its showing closed it means its not running but available?
– john_zombie
9 hours ago
@john_zombie Basically yes. A "port" is just an address, a number on a packet. A process on a machine can "listen" on the port, which means it tells the OS, "when a connection comes in with this port number, give it to me." When that happens, the port is "open." If no process has asked for a particular number, then a probe to that port will be rejected ("closed"). The firewall inspects connections before any of this and may drop or reject connections regardless of whether a process wants them. So "filtered" means "could be open or closed, but you can't use it anyway."
– bonsaiviking
9 hours ago
so nothing here to report on my pentest? Seems like the firewall is doing its job.
– john_zombie
6 hours ago
add a comment |
So just because its showing closed it means its not running but available?
– john_zombie
9 hours ago
@john_zombie Basically yes. A "port" is just an address, a number on a packet. A process on a machine can "listen" on the port, which means it tells the OS, "when a connection comes in with this port number, give it to me." When that happens, the port is "open." If no process has asked for a particular number, then a probe to that port will be rejected ("closed"). The firewall inspects connections before any of this and may drop or reject connections regardless of whether a process wants them. So "filtered" means "could be open or closed, but you can't use it anyway."
– bonsaiviking
9 hours ago
so nothing here to report on my pentest? Seems like the firewall is doing its job.
– john_zombie
6 hours ago
So just because its showing closed it means its not running but available?
– john_zombie
9 hours ago
So just because its showing closed it means its not running but available?
– john_zombie
9 hours ago
@john_zombie Basically yes. A "port" is just an address, a number on a packet. A process on a machine can "listen" on the port, which means it tells the OS, "when a connection comes in with this port number, give it to me." When that happens, the port is "open." If no process has asked for a particular number, then a probe to that port will be rejected ("closed"). The firewall inspects connections before any of this and may drop or reject connections regardless of whether a process wants them. So "filtered" means "could be open or closed, but you can't use it anyway."
– bonsaiviking
9 hours ago
@john_zombie Basically yes. A "port" is just an address, a number on a packet. A process on a machine can "listen" on the port, which means it tells the OS, "when a connection comes in with this port number, give it to me." When that happens, the port is "open." If no process has asked for a particular number, then a probe to that port will be rejected ("closed"). The firewall inspects connections before any of this and may drop or reject connections regardless of whether a process wants them. So "filtered" means "could be open or closed, but you can't use it anyway."
– bonsaiviking
9 hours ago
so nothing here to report on my pentest? Seems like the firewall is doing its job.
– john_zombie
6 hours ago
so nothing here to report on my pentest? Seems like the firewall is doing its job.
– john_zombie
6 hours ago
add a comment |
Thanks for contributing an answer to Information Security Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f207605%2fports-showing-closed-filtered-in-nmap-scans%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
what were the port nos?
– JOW
9 hours ago
1
Added in Original post
– john_zombie
9 hours ago