Nmap: why is it scanning port 80 with TCP ACK and not SYN

linux-networkingnmap

While reading nmap man pages, I read for the -sn option:

The default host discovery done with -sn consists of an ICMP echo request,
TCP SYN to port 443, TCP ACK to port 80, and an ICMP timestamp request
by default.

I don't understand well the purpose of performing a TCP ACK on port 80.
Since the TCP stack of the targeted server would not process any SYN, it would just drop the received ACK packet, not providing any information to nmap.

For instance, on my private server, it replies to ICMP echo request by a ICMP echo reply, and to TCP SYN port 443 by a TCP SYN-ACK. But no answer are provided with a TCP ACK on port 80.

Many thanks for your lights on the mater

Best Answer

Except when a stateful firewall is in use, ACK probes should elicit a RST packet from both closed and open ports. From Nmap's documentation on the -PA option:

The reason for offering both SYN and ACK ping probes is to maximize the chances of bypassing firewalls. Many administrators configure routers and other simple firewalls to block incoming SYN packets except for those destined for public services like the company web site or mail server. [...] When stateless firewall rules such as this are in place, SYN ping probes (-PS) are likely to be blocked when sent to closed target ports. In such cases, the ACK probe shines as it cuts right through these rules.

Related Solutions

NMAP: Check if port 80 and 8080 is open

Your NMAP command is fine. It's the service you're trying to connect to that is the "problem".

You can find that a "server" has an open port on 80 or 8080 but still not be able to connect it. For instance, I have about three dozen polycom phones that are accessible at port 8080 but they have bum config files. When someone tries to access them at that port they aren't able to connect.

And it may depend on how you're trying to connect. Even though its port 8080 maybe you aren't supposed to use a browser to connect to it.(I know - crazy idea).

Find out what type of device you're trying to connect to using this (you'll need sudo or root):

nmap -sS -O -p80,8080 192.168.1.0/24

Nmap – Why Not Scanning All Ports

By default, Nmap scans the top 1000 most popular ports, according to the statistics generated from Internet-wide scans and large internal network scans from the summer of 2008. There are a few options that change this: -F reduces the number to 100, -p allows you to specify which ports to scan, and --top-ports lets you specify how many of the most popular ports to scan. This means that the default scan is equivalent to --top-ports 1000, and -F is the same as --top-ports 100.

These numbers were set in version 4.75, and were a change from the roughly 1700 (TCP) ports that were the default in version 4.68. The purpose was to decrease scanning times while still giving reasonable results. The flexibility of Nmap's command-line options guarantees that you can still scan just about any combination of ports that you want, regardless of the defaults.

Scanning all 65536 TCP ports is still possible with -p0-, but it will take a very long time. Scanning all UDP ports with -sU -p0- will take even longer, because of the way that open ports are detected.

Best Answer

Related Solutions

NMAP: Check if port 80 and 8080 is open

Nmap – Why Not Scanning All Ports

Related Topic