Open-Closed Ports
Here is a simple trick I used to determine if a port is closed or open in Wireshark. In nmap, there are two different types of port scans:
- Basic Port Scans - TCP Connect Scan, TCP SYN port scan, UDP port scan
- Advanced Port Scans - NULL, FIN, XMAS, Zombie Scan
How an open port shows up in the capture differs depending on the scan.
However, for figuring out whether the port is closed (from packet analysis), this simple rule applies:
- If the server responds with a RST, ACK, then you know that port is closed.
Basic Scan
When running a TCP connect scan (-sT), an open port would fall in this sequence:
- Client sends a SYN to the Server
- Server sends a SYN-ACK to the Client
- Client sends an ACK to the Server
- Client sends a RST, ACK to the Server
When running a TCP SYN scan (-sS), an open port would fall in this sequence:
- Client sends a SYN to the Server
- Server sends a SYN-ACK to the Client
- Client sends an ACK to the Server
- Client sends a RST, ACK to the Server
When running a UDP scan (-sU), an open port would fall in this sequence:
- Client sends a UDP packet to the Server
- Server sends an ICMP Type 3, Code 3 (Port Unreachable) to the Client
Advanced Scan
When running a Null scan (-sN), an open port would fall in this sequence:
- Client sends a NULL packet to the Server
- Server doesn't respond back
- This leads to open|filtered
When running a FIN scan (-sF), an open port would fall in this sequence:
- Client sends a FIN packet to the Server
- Server doesn't respond back
- This leads to open|filtered
When the Client sends an ACK probe (ACK scan, -sA):
- Client sends an ACK packet to the Server
- Server responds back with a RST
- This leads to the TCP port being either open or closed.
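As an added example (not code from the original post), this Python script applies the response rules above to a constructed, tshark-style packet list and labels each probed port the way nmap would; the addresses and packets are assumed, and an ICMP Type 3, Code 3 reply is labelled as a closed UDP port.

```python
# Added example, not from the original post: apply the response rules above to a
# constructed tshark-style packet list and report the state of each probed port.
SCANNER, TARGET = "10.0.0.5", "10.0.0.9"   # assumed addresses, not a real scan
# (src, dst, proto, target_port, flags): flags is a set of TCP flag names,
# None for UDP, or (type, code) for ICMP, which quotes the probed UDP port.
CAPTURE = [
    (SCANNER, TARGET, "tcp", 22, {"SYN"}),
    (TARGET, SCANNER, "tcp", 22, {"SYN", "ACK"}),    # SYN-ACK -> open
    (SCANNER, TARGET, "tcp", 23, {"SYN"}),
    (TARGET, SCANNER, "tcp", 23, {"RST", "ACK"}),    # RST,ACK -> closed
    (SCANNER, TARGET, "tcp", 80, set()),             # NULL probe, no reply
    (SCANNER, TARGET, "tcp", 8080, {"ACK"}),
    (TARGET, SCANNER, "tcp", 8080, {"RST"}),         # RST to an ACK probe
    (SCANNER, TARGET, "udp", 161, None),
    (TARGET, SCANNER, "icmp", 161, (3, 3)),          # Type 3, Code 3
]

def tcp_state(probe, reply):
    """probe: scanner's flag set; reply: target's flag set, or None if silent."""
    if probe == {"SYN"}:                              # -sT / -sS
        if reply is None:
            return "filtered"
        if {"SYN", "ACK"} <= reply:
            return "open"
    elif probe == {"ACK"}:                            # ACK probe
        return "filtered" if reply is None else "unfiltered"  # open or closed
    elif reply is None:                               # NULL / FIN / XMAS, silence
        return "open|filtered"
    return "closed" if "RST" in reply else "unknown"  # RST(,ACK) means closed

def udp_state(reply):
    """reply: ('udp', None), ('icmp', (type, code)) or None if silent."""
    if reply is None:
        return "open|filtered"
    if reply[0] == "icmp":                            # port unreachable -> closed
        return "closed" if reply[1] == (3, 3) else "filtered"
    return "open"                                     # a UDP payload came back

def classify(capture, scanner=SCANNER, target=TARGET):
    probes, replies, states = {}, {}, {}
    for src, dst, proto, port, flags in capture:
        if src == scanner and dst == target:
            probes.setdefault((proto, port), flags)   # first packet is the probe
        elif src == target and dst == scanner:        # ICMP answers a UDP probe
            replies.setdefault(("udp" if proto == "icmp" else proto, port), (proto, flags))
    for key, probe in probes.items():
        reply = replies.get(key)
        states[key] = (tcp_state(probe, reply and reply[1]) if key[0] == "tcp"
                       else udp_state(reply))
    return states
```

Running `classify(CAPTURE)` returns a dict keyed by (proto, port); the same rules can be checked in Wireshark with display filters such as `tcp.flags.reset==1 && tcp.flags.ack==1` for the closed-port case.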
That is all that I have for this post. Thanks for reading.