Since we've already covered basic networking, including the TCP three-way handshake, in Chapter 2, Network Fundamentals, you already know what it means for a port to be open and how that can usually be determined. However, in certain edge cases (and especially for filtered ports), understanding Nmap's logic behind open, closed, and filtered ports can be extremely useful.
You can determine how Nmap reaches its conclusions by using the --reason flag.
As demonstrated in the preceding screenshot, a fourth column is added to the scan output when the --reason flag is used. In this case, we can clearly see that the three services identified as online were classified that way because of syn-ack, indicating a SYN/ACK response to a SYN request. Once we see that a service on a given port is attempting to complete the TCP three-way handshake, we know that there is something listening.
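To make the reason column easier to audit across many ports, the following added example (not from the book) parses a port table as printed with --reason and pairs each reason with the evidence it represents. The sample output is constructed, the function names are hypothetical, and the parser assumes a plain port scan without version detection.

```python
import re

# Constructed sample of `nmap --reason` port-table output (not the book's screenshot).
SAMPLE = """\
PORT    STATE    SERVICE REASON
22/tcp  open     ssh     syn-ack ttl 64
25/tcp  filtered smtp    no-response
80/tcp  open     http    syn-ack ttl 64
443/tcp closed   https   reset ttl 64
"""

# Reason string -> (state it supports, what was observed on the wire).
EVIDENCE = {
    "syn-ack": ("open", "SYN/ACK came back for our SYN: something is listening"),
    "reset": ("closed", "RST came back: host is reachable, nothing is listening"),
    "conn-refused": ("closed", "connect() was refused: nothing is listening"),
    "no-response": ("filtered", "no reply at all: the probe was probably dropped"),
}

# PORT/PROTO, STATE, SERVICE, REASON, then an optional "ttl N" on privileged scans.
ROW = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+ttl\s+(\d+))?\s*$")


def parse_reason_table(text):
    """Return one dict per port row; header and non-table lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        port, proto, state, service, reason, ttl = m.groups()
        rows.append({"port": int(port), "proto": proto, "state": state,
                     "service": service, "reason": reason,
                     "ttl": int(ttl) if ttl else None})
    return rows


def explain(row):
    """Describe the evidence behind a row, flagging state/reason mismatches."""
    expected, meaning = EVIDENCE.get(row["reason"], (None, "reason not in this table"))
    note = "" if expected in (None, row["state"]) else f" (unexpected for state {row['state']})"
    return f"{row['port']}/{row['proto']} {row['state']}: {meaning}{note}"


def ports_with_reason(rows, reason):
    """List the port numbers whose verdict rests on the given reason."""
    return [r["port"] for r in rows if r["reason"] == reason]


if __name__ == "__main__":
    for r in parse_reason_table(SAMPLE):
        print(explain(r))
```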