09. Nmap Firewall Detection (ACK Probing)

  1. nmap -sA 192.168.1.1 --reason
    • Purpose: Runs an ACK scan and includes the reason for each port status in the output.
    • How It Works:
      • Sends TCP packets with the ACK flag set.
      • The target's response indicates whether a port is filtered or unfiltered:
        • Filtered: No response or an ICMP unreachable error is received, indicating that a firewall or filtering device is blocking the port.
        • Unfiltered: An RST packet is received, meaning the port is reachable but not necessarily open.
    • Use Case:
      • To determine if a firewall is present and how it is filtering traffic.
      • Helpful for mapping firewall rules without triggering alarms: an unsolicited ACK looks like part of an established connection, so a stateless packet filter tends to let it through, whereas a stateful firewall that tracks connections will drop it and may log it.
    • --reason Option: Displays why a port is considered filtered or unfiltered, based on the type of response (e.g., RST packet, ICMP message).

  2. nmap -sA 192.168.1.1 -p 22 --reason
    • Purpose: Runs an ACK scan targeting port 22 (typically used by SSH) and includes the reason for the port status.
    • How It Works:
      • Same logic as the previous command, but it specifically probes only port 22.
      • Filtered: Indicates that port 22 is blocked by a firewall or filter.
      • Unfiltered: Indicates that port 22 is reachable, but it does not confirm whether the port is open.
    • Use Case:
      • Specifically checks if a firewall is filtering port 22 (e.g., to see if SSH traffic is allowed or blocked).
      • The --reason flag provides more clarity by explaining the port status based on received responses.
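The classification rule both commands rely on (RST means unfiltered; no reply or an ICMP unreachable means filtered), written out as an added example that is not part of these notes or of Nmap itself. The sample output is constructed in the layout of `nmap -sA --reason`, and the ICMP code set is taken from my reading of the Nmap reference guide for -sA, so treat it as an assumption.

```python
"""ACK-probe classification and a small parser for --reason output."""
import re
from dataclasses import dataclass
from typing import Optional

# ICMP destination-unreachable (type 3) codes that Nmap treats as "filtered"
# for an ACK probe (assumption: per the Nmap reference guide for -sA).
FILTERING_ICMP_CODES = {0, 1, 2, 3, 9, 10, 13}

@dataclass
class Reply:
    kind: str                      # "rst", "icmp", or "none" (nothing came back)
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None

def classify_ack_probe(reply: Reply) -> str:
    """Return the state an ACK probe yields for one port, as the notes describe."""
    if reply.kind == "rst":
        return "unfiltered"        # the host's stack answered; a filter let it through
    if reply.kind == "none":
        return "filtered"          # silently dropped (Nmap only decides after retries)
    if reply.kind == "icmp" and reply.icmp_type == 3 and reply.icmp_code in FILTERING_ICMP_CODES:
        return "filtered"          # an in-path device explicitly rejected the probe
    raise ValueError(f"unexpected reply: {reply}")

# Constructed sample, laid out like the port table of `nmap -sA --reason` output.
SAMPLE_OUTPUT = """\
PORT    STATE      SERVICE REASON
22/tcp  unfiltered ssh     reset ttl 64
80/tcp  filtered   http    no-response
443/tcp filtered   https   admin-prohibited from 192.168.1.1
"""

# port/proto  state  service  reason... (header and blank lines do not match)
LINE_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s+(.*)$")

def parse_reason_output(text: str) -> dict:
    """Map port number -> (state, reason) from the --reason port table."""
    ports = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ports[int(m.group(1))] = (m.group(3), m.group(5).strip())
    return ports

def filtered_ports(text: str) -> list:
    """Ports the firewall appears to block, i.e. those reported as filtered."""
    return sorted(p for p, (state, _) in parse_reason_output(text).items() if state == "filtered")

if __name__ == "__main__":
    for port, (state, reason) in parse_reason_output(SAMPLE_OUTPUT).items():
        print(f"{port}/tcp {state} ({reason})")
```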

Key Takeaways

  • ACK scans (-sA) do not determine if a port is open; instead, they determine if it is filtered or unfiltered.
  • Adding the --reason flag enhances output by explaining the basis for each port's classification (e.g., RST, ICMP unreachable).
  • Targeted Scans (-p): Specifying a port focuses the scan on that port, saving time and providing detailed results for critical services (e.g., SSH, HTTP).
  • Useful in scenarios where you want to assess firewall rules and understand network filtering mechanisms without performing intrusive scans.