Understanding Guide for NMAP Ping Scan (Firewall Bypass)


In this article we are going to scan the target machine with different Nmap ping scans, and the response packets of each scan are confirmed by analysing the Nmap traffic in Wireshark.
A ping scan in Nmap checks whether the target host is alive. By default, ping sends an ICMP echo request and receives an ICMP echo reply if the system is alive. On a local network, Nmap's ping scan instead sends an ARP request by default and uses the ARP reply to decide whether the host is up.
Nmap scans change their behaviour according to the network they are scanning:
·         When scanning a local network, Nmap sends an ARP packet with every scan.
·         When an external network is scanned, Nmap sends the following request packets:
1.       ICMP echo request
2.       ICMP timestamp request
3.       TCP SYN to port 443
4.       TCP ACK to port 80

In this article we use the --disable-arp-ping option to change the behaviour of Nmap scans so that a local network is treated as a public network.

Let's start!
Ping Sweep
To identify live hosts without using ARP request packets, Nmap offers the -sP option, known as a ping sweep scan. We can also use the -sn flag, which means no port scan, also known as a ping scan.

nmap -sP 192.168.1.104 --disable-arp-ping
or
nmap -sn 192.168.1.104 --disable-arp-ping

From the image below you can observe that it found 1 host up. Since we have disabled the ARP request packet for local network scans with --disable-arp-ping, Nmap treats the target as an external network and behaves as discussed above.




Demonstrating the working of Ping Sweep using Wireshark
From the image below you can observe the following request and reply packets between the two IP addresses:
1.       ICMP echo request
2.       TCP SYN to port 443
3.       TCP ACK to port 80
4.       ICMP timestamp request
5.       ICMP echo reply
6.       TCP RST, ACK from port 443
7.       TCP RST from port 80
8.       ICMP timestamp reply




Block Ping Sweep Scan
Now let's add firewall rules in iptables to drop ICMP packets, TCP SYN packets to port 443 and TCP ACK packets to port 80, which blocks the ping sweep scan:
sudo iptables -I INPUT -p ICMP -j DROP
sudo iptables -I INPUT -p tcp --tcp-flags ALL ACK --dport 80 -j DROP
sudo iptables -I INPUT -p tcp --tcp-flags ALL SYN --dport 443 -j DROP




Now repeat the ping sweep scan to identify the state of the live host. From the image below you can observe that this time it shows 0 hosts up, which means the firewall has blocked the packets sent by this scan.




Demonstrating the request packets of the ping sweep scan again with Wireshark: in the image below you will find that this time no reply packet was received.




Bypass Ping Sweep Filter using TCP SYN Ping
Now we'll try to bypass the firewall rules with a ping scan that uses TCP SYN packets, for which we use the -PS option. -PS sends a TCP SYN packet to port 80 by default; we can change the port by specifying it with the option, e.g. -PS443.
nmap -sP -PS 192.168.1.104 --disable-arp-ping
From the image below you can observe that it found 1 host up.




From the image below you can observe that the result resembles an Nmap stealth scan. It follows the TCP half-open mechanism: a SYN packet is sent to port 80, a SYN, ACK is received from port 80, and then an RST packet resets the connection.
The difference between the -sP packet on port 80 and the -PS packet on port 80 is as follows:
·         The ping sweep scan [-sP] sends a TCP ACK packet to port 80; the hex value of the ACK flag is 0x10. As reply it receives an RST packet from the host, whose hex value is 0x04.
·         The TCP SYN ping scan sends a TCP SYN packet to port 80; its hex value is 0x02. As reply it receives a SYN, ACK packet whose value is the sum of the two flags, i.e. 0x02 + 0x10 = 0x12, so it bypasses the firewall rule above that drops TCP ACK packets on port 80.




Block TCP SYN Ping Scan
Sometimes network admins apply a filter like the one below in iptables to drop all TCP SYN packets, so that no TCP connection can be initiated to any TCP port on their network.
sudo iptables -I INPUT -p tcp --tcp-flags ALL SYN -j DROP
As a result it blocks Nmap's TCP SYN ping probes, so they cannot identify the state of the live host.




Now repeat the TCP SYN ping to identify the state of the live host. From the image below you can observe that this time it shows 0 hosts up, which means the firewall has blocked the packets sent by this scan.




Bypass TCP SYN Ping using TCP ACK Ping
To bypass this, we'll use a ping scan with TCP ACK packets, for which we use the -PA option. -PA sends a TCP ACK packet to port 80 by default; we can change the port by specifying it with the option, e.g. -PA443.
nmap -sP -PA 192.168.1.104 --disable-arp-ping
From the image below you can observe that it found 1 host up.




In the packets captured by Wireshark below you will find that an ACK packet is sent to port 80 and an RST packet is received from port 80 as reply.




Block TCP ACK Ping Scan
Sometimes network admins apply a filter like the one below in iptables to drop all TCP ACK packets, so that no established TCP connection can be continued on any TCP port on their network.
sudo iptables -I INPUT -p tcp --tcp-flags ALL ACK -j DROP
As a result it blocks Nmap's TCP ACK ping probes, so they cannot identify the state of the live host.




Now repeat the TCP ACK ping to identify the state of the live host. From the image below you can observe that this time it shows 0 hosts up, which means the firewall has blocked the packets sent by this scan.




Bypass TCP ACK Ping using ICMP Echo
In some scenarios network admins apply firewall filters on TCP flags to block unwanted TCP communication on the network; here let's consider that the admin has blocked TCP communication by filtering on the SYN as well as the ACK flag.

To bypass this rule we'll use a ping scan with ICMP packets, for which we use the -PE option. -PE sends an ICMP echo request packet [ICMP type 8] and receives an ICMP echo reply packet [ICMP type 0].
nmap -sP -PE 192.168.1.104 --disable-arp-ping
From the image below you can observe that it found 1 host up.




Block ICMP Echo Ping Scan
Most network admins apply an ICMP filter on their network so that other systems or networks cannot ping it.
sudo iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
As a result it blocks Nmap's ICMP echo ping probes, so they cannot identify the state of the live host.








Demonstrating Nmap's ICMP echo ping with Wireshark shows only the ICMP request packet on the network and no reply packet from the host, as shown in the image below.



Bypass ICMP Echo Ping using ICMP Timestamp Ping
To bypass this rule we'll use a ping scan with another ICMP packet type, for which we use the -PP option. -PP sends an ICMP timestamp request packet [ICMP type 13] and receives an ICMP timestamp reply packet [ICMP type 14].
nmap -sP -PP 192.168.1.104 --disable-arp-ping
From the image below you can observe that it found 1 host up.



Demonstrating Nmap's ICMP timestamp ping with Wireshark shows the ICMP timestamp request packet sent on the network and the timestamp reply packet received from the host, as shown in the image below.




Block ICMP Ping Scan
It is possible that the network admin has blocked every type of ICMP message by dropping all ICMP packets with the following iptables filter.

sudo iptables -I INPUT -p ICMP -j DROP

As a result it blocks Nmap's ICMP ping probes, so they cannot identify the state of the live host.




Now repeat the ICMP ping, either -PP or -PE, to identify the state of the live host. From the image below you can observe that this time it shows 0 hosts up, which means the firewall has blocked the packets sent by this scan.




Bypass ICMP Ping Scan using UDP Ping
We have seen multiple ways to check whether a system is live; you can now determine whether a system is up whether it is on a local or a public network.
We have observed that when the ICMP ping is not working, or a TCP packet filter is also enabled on the host network, it becomes difficult to identify live hosts. To bypass such rules we'll use a ping scan with UDP packets, for which we use the -PU option.
-PU sends a UDP packet; when no ports are specified, the default port is 40125. An ICMP reply such as "ICMP destination unreachable" means the host is live.

nmap -sP -PU 192.168.1.104 --disable-arp-ping
From the image below you can observe that it found 1 host up.




Demonstrating Nmap's UDP ping with Wireshark shows the UDP request packet sent to port 40125 on the network and the ICMP destination unreachable reply received from the host, as shown in the image below.




Block UDP and Ping Sweep
Now let's add firewall rules in iptables to drop ICMP packets, TCP SYN packets to port 443 and TCP ACK packets to port 80, which blocks the ping sweep scan, and also drop UDP packets. The network admin might even have blocked TCP packets entirely.

sudo iptables -I INPUT -p ICMP -j DROP
sudo iptables -I INPUT -p tcp --tcp-flags ALL ACK --dport 80 -j DROP
sudo iptables -I INPUT -p tcp --tcp-flags ALL SYN --dport 443 -j DROP
sudo iptables -I INPUT -p udp -j DROP
As a result it resists Nmap's TCP ping, ICMP ping and UDP ping, so they cannot identify the state of the live host.




Now repeat the UDP ping to identify the state of the live host. From the image below you can observe that this time it shows 0 hosts up, which means the firewall has blocked the packets sent by this scan.




Bypass UDP and Ping Sweep using Protocol Scan
Using the protocol ping scan we can identify live hosts when ICMP, TCP and UDP have been blocked, for which we use the -PO option. -PO sends IP packets with the given protocol number in the IP header. If no protocols are specified, the default is to send multiple IP packets for ICMP (protocol 1), IGMP (protocol 2) and IP-in-IP (protocol 4).

nmap -sP -PO 192.168.1.104 --disable-arp-ping
From the image below you can observe that it found 1 host up.





From the Wireshark image below we can observe the mechanism the protocol ping scan follows:
·         Sends ICMP echo to the host network
·         Sends an IGMP query to the host network
·         Sends IPv4 (IP-in-IP) to the host network
·         Receives ICMP destination unreachable as reply from the host






Block IP Protocol Ping Scan
Now let's add firewall rules in iptables to drop ICMP packets, TCP SYN packets to port 443 and TCP ACK packets to port 80, which blocks the ping sweep scan, and also drop UDP packets and IP protocol packets, to protect the network from any kind of ping scan. The network admin might even have blocked TCP packets entirely.
sudo iptables -I INPUT -p ICMP -j DROP
sudo iptables -I INPUT -p tcp --tcp-flags ALL ACK --dport 80 -j DROP
sudo iptables -I INPUT -p tcp --tcp-flags ALL SYN --dport 443 -j DROP
sudo iptables -I INPUT -p UDP -j DROP
sudo iptables -I INPUT -p IP -j DROP

As a result it resists Nmap's TCP ping, ICMP ping, UDP ping and protocol ping, so they cannot identify the state of the live host.




Now repeat the protocol ping to identify the state of the live host. From the image below you can observe that this time it shows 0 hosts up, which means the firewall has blocked the packets sent by this scan.




Bypass IP protocol Ping using No Ping Scan
When all the ping scans above fail to identify whether the host is up or down, we choose the last and best option, "No Ping", for which we use -PN/-P0/-Pn; Nmap then skips host discovery and performs a TCP port scan of the top 1000 ports.
If you want to avoid both the port scan and the ping probes, combine the ping sweep with the no-ping option as given below; Nmap then reports the host as up without sending any probe.
nmap -sP -PN 192.168.1.104 --disable-arp-ping
From the image below you can observe that it found 1 host up.
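The following Python script is an added example, not code from the original article: it models the iptables rules used in the "Block ..." sections above and checks which Nmap host-discovery probes each rule set still lets through, which is the reasoning behind every bypass shown (why `--tcp-flags ALL ACK --dport 80` does not stop a -PS probe, why -PP still answers when only echo requests are dropped, and why -PO still gets a reply when ICMP, TCP and UDP are dropped). The rule parser, the probe definitions and all function names are the example's own. It assumes iptables' `--tcp-flags MASK COMP` matching, that protocol `ip` (number 0) matches every protocol as iptables does for `all`, and, like the article, that any probe that is not dropped draws some reply from the host.

```python
"""Model of the iptables DROP rules used above, run against the probes each
Nmap host-discovery option sends.  Assumptions: iptables --tcp-flags MASK COMP
means (flags & MASK) == COMP; protocol "ip" (number 0) matches all protocols;
and a probe that is not dropped gets some answer from the host (as in the
article), so "probe reaches host" is taken as "host reported up".
"""
from dataclasses import dataclass
from typing import Optional

# TCP flag bits as they appear in the flags byte of the TCP header.
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
ICMP_TYPES = {"echo-reply": 0, "echo-request": 8, "timestamp-request": 13, "timestamp-reply": 14}


def parse_flags(spec: str) -> int:
    """iptables --tcp-flags list: 'SYN,ACK' -> 0x12, 'ALL' -> 0x3f, 'NONE' -> 0."""
    spec = spec.upper()
    if spec == "ALL":
        return 0x3F
    if spec == "NONE":
        return 0
    bits = 0
    for name in spec.split(","):
        bits |= FLAG_BITS[name]
    return bits


@dataclass(frozen=True)
class Probe:
    name: str
    proto: str            # "tcp", "udp", "icmp", "igmp" or "ipip"
    dport: int = 0
    tcp_flags: int = 0
    icmp_type: int = -1


@dataclass(frozen=True)
class Rule:               # one `iptables ... -j DROP` rule; all rules DROP, so order is irrelevant
    proto: str
    dport: Optional[int] = None
    flags_mask: Optional[int] = None   # --tcp-flags MASK COMP
    flags_comp: int = 0
    icmp_type: Optional[int] = None


def parse_rule(line: str) -> Rule:
    """Parse the subset of iptables syntax used in the article."""
    tok = line.split()
    proto, dport, mask, comp, itype = "all", None, None, 0, None
    i = 0
    while i < len(tok):
        if tok[i] == "-p":
            proto, i = tok[i + 1].lower(), i + 2
        elif tok[i] == "--dport":
            dport, i = int(tok[i + 1]), i + 2
        elif tok[i] == "--tcp-flags":
            mask, comp, i = parse_flags(tok[i + 1]), parse_flags(tok[i + 2]), i + 3
        elif tok[i] == "--icmp-type":
            itype, i = ICMP_TYPES[tok[i + 1]], i + 2
        else:
            i += 1                      # sudo, iptables, -I/-A, INPUT, -j DROP
    return Rule(proto, dport, mask, comp, itype)


def rule_matches(rule: Rule, probe: Probe) -> bool:
    if rule.proto not in ("all", "ip", probe.proto):
        return False
    if rule.dport is not None and probe.dport != rule.dport:
        return False
    if rule.flags_mask is not None and (probe.tcp_flags & rule.flags_mask) != rule.flags_comp:
        return False
    if rule.icmp_type is not None and probe.icmp_type != rule.icmp_type:
        return False
    return True


# Probes sent by each host-discovery option discussed above.
ICMP_ECHO = Probe("ICMP echo request", "icmp", icmp_type=8)
ICMP_TS = Probe("ICMP timestamp request", "icmp", icmp_type=13)
ACK80 = Probe("TCP ACK to 80", "tcp", 80, parse_flags("ACK"))
HOST_DISCOVERY = {
    "-sn": [ICMP_ECHO, ICMP_TS, Probe("TCP SYN to 443", "tcp", 443, parse_flags("SYN")), ACK80],
    "-PS": [Probe("TCP SYN to 80", "tcp", 80, parse_flags("SYN"))],
    "-PA": [ACK80],
    "-PE": [ICMP_ECHO],
    "-PP": [ICMP_TS],
    "-PU": [Probe("UDP to 40125", "udp", 40125)],
    "-PO": [ICMP_ECHO, Probe("IGMP", "igmp"), Probe("IP-in-IP", "ipip")],
}


def passing_probes(rules, option: str):
    """Names of the option's probes that no rule in the set drops."""
    return [p.name for p in HOST_DISCOVERY[option] if not any(rule_matches(r, p) for r in rules)]


def host_detected(rules, option: str) -> bool:
    return bool(passing_probes(rules, option))


# Rule sets from the "Block ..." sections above, one list per section.
BASE = ["-p ICMP -j DROP", "-p tcp --tcp-flags ALL ACK --dport 80 -j DROP",
        "-p tcp --tcp-flags ALL SYN --dport 443 -j DROP"]
SECTIONS = {
    "Block Ping Sweep": BASE,
    "Block TCP SYN Ping": ["-p tcp --tcp-flags ALL SYN -j DROP"],
    "Block TCP ACK Ping": ["-p tcp --tcp-flags ALL ACK -j DROP"],
    "Block SYN and ACK": ["-p tcp --tcp-flags ALL SYN -j DROP", "-p tcp --tcp-flags ALL ACK -j DROP"],
    "Block ICMP Echo": ["-p icmp --icmp-type echo-request -j DROP"],
    "Block all ICMP": ["-p ICMP -j DROP"],
    "Block UDP and Ping Sweep": BASE + ["-p udp -j DROP"],
    "Block IP Protocol": BASE + ["-p UDP -j DROP", "-p IP -j DROP"],
}
RULESETS = {name: [parse_rule(r) for r in lines] for name, lines in SECTIONS.items()}

if __name__ == "__main__":
    for name, rules in RULESETS.items():
        found = [o for o in HOST_DISCOVERY if host_detected(rules, o)]
        print(f"{name:26} host still found by: {', '.join(found) or 'nothing'}")
```

Running the script prints, per section, which discovery options still find the host. A defender can paste their own INPUT chain into SECTIONS to see which probe types a ruleset leaves answerable; the model covers only DROP rules for the fields the article uses and does not reproduce the host's reply behaviour.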



Manual Post Exploitation on Windows PC (Network Command)


Hello friends!! Today you will learn how to penetrate further into a network by enumerating the network information of a system once it has been compromised by an attacker.

Requirement
Attacker: Kali Linux
Targets: Windows operating system

Open a Kali Linux terminal and type msfconsole to load the Metasploit Framework. Now you need to compromise the victim's machine to obtain a session, either Meterpreter or shell; to do so you can read our previous article here. For post exploitation we will need an administrator-privileged shell, which can be found here.

Get Information about Network Cards
We can enumerate information about the network interface cards using the systeminfo command.
Information that can be extracted:
Number of NICs, manufacturer of the NICs, model, type (wireless or LAN).
Command: systeminfo | findstr Network
From the image below you can observe that 2 network interface cards are installed.
Get MAC Address
ARP, the Address Resolution Protocol, maps IP addresses to the MAC addresses of devices. Using the arp command we can enumerate the MAC addresses of other systems on the same network as the victim's system.
Here we use [-a] to list all the entries in the ARP cache.
Command: arp -a
From the image below you can see the MAC addresses stored in the ARP table.
Get DNS Cache
We can enumerate the DNS resolver cache using the ipconfig command.
The DNS resolver cache is a temporary database maintained by the operating system. It contains records of all recent visits or attempted visits to websites and other internet domains.
Here we use [/displaydns] to display the complete DNS cache.
Command: ipconfig /displaydns
From the image below you can observe that the output contains the following fields:
Record Name: the name with which the DNS query was initiated
Record Type: a number representing the record type (1 for an IPv4 A record, 28 for an IPv6 AAAA record)
Time To Live: time in seconds after which the cache entry expires
Data Length: length of the data in bytes; an IPv4 address has 4 bytes and an IPv6 address has 16 bytes
A/AAAA Record: A is the IPv4 address and AAAA is the IPv6 address (four As because the address is four times the size of an IPv4 address)
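A small parser for the `ipconfig /displaydns` output described above, as an added example (not code from the original article): it turns each cached entry into a record with the fields listed, maps the numeric record type to its name, and checks that the data length is consistent with the type (4 bytes for type 1, 16 for type 28). The sample output embedded in the script is constructed to mirror the field layout of the command and is not a capture from any real host; the function names are the example's own.

```python
"""Parse `ipconfig /displaydns` text into structured cache records.

The SAMPLE text below is constructed for this example (documentation-range
names and addresses); it is not output captured from a real machine.
"""
import re

RECORD_TYPES = {1: "A", 5: "CNAME", 12: "PTR", 28: "AAAA"}
EXPECTED_LENGTH = {1: 4, 28: 16}       # bytes of data for A and AAAA records

# "    Record Name . . . . . : example.com" -> key "Record Name", value "example.com"
_FIELD = re.compile(r"^\s*([A-Za-z()/ ]+?)[ .]*:\s*(.*?)\s*$")

SAMPLE = """\
Windows IP Configuration

    example.com
    ----------------------------------------
    Record Name . . . . . : example.com
    Record Type . . . . . : 1
    Time To Live  . . . . : 3600
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 203.0.113.10

    ipv6.example.net
    ----------------------------------------
    Record Name . . . . . : ipv6.example.net
    Record Type . . . . . : 28
    Time To Live  . . . . : 120
    Data Length . . . . . : 16
    Section . . . . . . . : Answer
    AAAA Record . . . . . : 2001:db8::10
"""


def parse_displaydns(text: str):
    """Return one dict per cache entry, in the order the entries appear."""
    records, cur = [], None
    for line in text.splitlines():
        m = _FIELD.match(line)
        if not m:
            continue                        # banner, entry name and dashed lines carry no colon
        key, value = m.group(1).strip(), m.group(2)
        if key == "Record Name":            # every entry starts with its Record Name line
            cur = {"name": value, "type": None, "type_name": None, "ttl": None,
                   "data_length": None, "section": None, "data": None}
            records.append(cur)
        elif cur is None:
            continue
        elif key == "Record Type":
            cur["type"] = int(value)
            cur["type_name"] = RECORD_TYPES.get(cur["type"], f"TYPE{value}")
        elif key == "Time To Live":
            cur["ttl"] = int(value)
        elif key == "Data Length":
            cur["data_length"] = int(value)
        elif key == "Section":
            cur["section"] = value
        elif key.endswith("Record"):        # "A (Host) Record", "AAAA Record", "CNAME Record", ...
            cur["data"] = value
    return records


def length_consistent(rec) -> bool:
    """True when the Data Length matches what the record type implies (unknown types pass)."""
    return rec["data_length"] == EXPECTED_LENGTH.get(rec["type"], rec["data_length"])


def names_by_type(records):
    """Group cached names by record type name, e.g. {'A': [...], 'AAAA': [...]}."""
    out = {}
    for rec in records:
        out.setdefault(rec["type_name"], []).append(rec["name"])
    return out


if __name__ == "__main__":
    for rec in parse_displaydns(SAMPLE):
        print(f"{rec['name']:20} {rec['type_name']:5} ttl={rec['ttl']:<6} {rec['data']}")
```

Feeding the real command output into parse_displaydns (for example via `ipconfig /displaydns > dns.txt` on the host and reading the file) gives a list that can be filtered by type or name rather than eyeballed; names_by_type is a convenient first view of what the host has recently resolved.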

Display all the Connections and Listening Ports on a System

While penetration testing a remote PC, knowledge of all connections and listening ports along with their process IDs is essential so that we can migrate the session if needed.
This can be done using the netstat command.
Here we use the following options with the netstat command:
[-a] to display all connections and listening ports
[-n] to display addresses and port numbers numerically
[-o] to display the process ID
Syntax/Example: netstat -ano

Display All the TCP Connections
To enumerate all the TCP connections, we will use the netstat command. Here we use the following options with the netstat command:
[-a] to display all connections and listening ports
[-n] to display addresses and port numbers in numeric form
We use the findstr command to filter out the connections that mention TCP.
Command: netstat -na | findstr TCP
From the image below you can observe all states of TCP connections, i.e. Listening, Established and Close Wait, on their respective port numbers.
Display All the UDP Connections
To enumerate all the UDP connections, we will use the netstat command. Here we use the following options with the netstat command:
[-a] to display all connections and listening ports
[-n] to display addresses and port numbers in numeric form
We use the find command to filter out the connections that mention UDP.
Syntax/Example: netstat -na | find "UDP"
Similarly, from the image below you can observe that the foreign address of every UDP entry is shown as *:*, which means no UDP connection is established.

Display All the Established Connections

While penetration testing a remote PC, knowledge of all established connections and listening ports is also essential. This can be done using the netstat command.
Here we use the following options with the netstat command:
[-n] to display addresses and port numbers in numeric form
[-a] to display all connections and listening ports
We use the find command to filter out the connections that mention ESTABLISHED.
Command: netstat -na | find "ESTABLISHED"
From the image below you can observe that it shows the established TCP connections with their source IP and port and destination IP and port.
Display the Routing Tables
While penetration testing a remote PC, knowledge of the routing tables is essential because they hold the routes chosen by the routing algorithm as preferred routes for packet forwarding, and they also give information about netmasks and gateways.
The output contains the Interface List, IPv4 Route Table, Persistent Routes and IPv6 Route Table.
This can be done using the netstat command.
Here we use the following options with the netstat command:
[-n] to display addresses and port numbers in numeric form
[-r] to display the routing table
Command: netstat -nr
Get Executables Which Created Connections.
While penetration testing a remote PC, knowledge of the executable involved in creating each connection, together with all connections and listening ports, addresses and port numbers in numeric form and the owning process ID, is very useful because it tells the attacker which process owns each connection and port.
This can be done using the netstat command.
Here we use the following options with the netstat command:
[-b] to display the executable involved in creating each connection or listening port
[-a] to display all connections and listening ports
[-n] to display addresses and port numbers in numeric form
[-o] to display the owning process ID associated with each connection
Command: netstat -bano
From the image below you can observe that it shows the name of the running service on each port.
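The netstat sections above all filter one text listing with findstr or find. The following Python script is an added example (not code from the original article) that parses `netstat -ano` output into records so the same questions can be answered precisely: which ports are bound and by which PID, which connections are established and to whom, and what a given PID owns. The sample lines are constructed to mirror the command's column layout (including the IPv6 `[::]` form and the UDP rows that have no State column) and are not a capture from any real host; 4444 is a made-up remote port. One row is deliberately built so that `findstr 443` would match it on the local port 54430 and the PID 4436, to show why matching on the parsed port field is safer than a substring search. Function names are the example's own.

```python
"""Parse Windows `netstat -ano` output and summarise listeners and connections.

SAMPLE is constructed for this example in the command's column layout; it is
not output captured from a real host.
"""
from dataclasses import dataclass
from typing import Optional

SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.107:49712    192.168.1.109:4444     ESTABLISHED     2716
  TCP    192.168.1.107:49801    192.168.1.114:445      ESTABLISHED     4
  TCP    192.168.1.107:49820    203.0.113.5:443        CLOSE_WAIT      3304
  TCP    192.168.1.107:54430    192.168.1.120:80       ESTABLISHED     4436
  TCP    [::]:135               [::]:0                 LISTENING       912
  UDP    0.0.0.0:5355           *:*                                    1088
  UDP    [::1]:1900             *:*                                    3648
"""


@dataclass
class Conn:
    proto: str
    local_ip: str
    local_port: Optional[int]
    remote_ip: str
    remote_port: Optional[int]
    state: str                  # "" for UDP rows, which carry no State column
    pid: int


def split_endpoint(endpoint: str):
    """'192.168.1.107:49712' -> ('192.168.1.107', 49712); '[::]:135' -> ('::', 135); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def parse_netstat(text: str):
    conns = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 4 or f[0] not in ("TCP", "UDP"):
            continue                                    # banner, header and blank lines
        lip, lport = split_endpoint(f[1])
        rip, rport = split_endpoint(f[2])
        state, pid = (f[3], f[4]) if f[0] == "TCP" else ("", f[3])
        conns.append(Conn(f[0], lip, lport, rip, rport, state, int(pid)))
    return conns


def listening_ports(conns):
    """{(proto, port): pid} for TCP listeners and bound UDP sockets."""
    return {(c.proto, c.local_port): c.pid for c in conns
            if c.state == "LISTENING" or c.proto == "UDP"}


def established(conns):
    return [c for c in conns if c.state == "ESTABLISHED"]


def connections_on_port(conns, port: int):
    """Rows whose local or remote port *is* `port`, unlike a substring match on the text."""
    return [c for c in conns if port in (c.local_port, c.remote_port)]


def findstr_lines(text: str, needle: str):
    """What `netstat -ano | findstr <needle>` returns: every line containing the substring."""
    return [line for line in text.splitlines() if needle in line]


def by_pid(conns):
    out = {}
    for c in conns:
        out.setdefault(c.pid, []).append(c)
    return out


if __name__ == "__main__":
    conns = parse_netstat(SAMPLE)
    for c in established(conns):
        print(f"pid {c.pid:5} {c.local_ip}:{c.local_port} -> {c.remote_ip}:{c.remote_port}")
    print("port 443 rows:", [c.pid for c in connections_on_port(conns, 443)])
    print("lines matching '443':", len(findstr_lines(SAMPLE, "443")))
```

On the sample, connections_on_port(conns, 443) returns only the CLOSE_WAIT row to 203.0.113.5, while findstr_lines(SAMPLE, "443") also returns the unrelated row with local port 54430 and PID 4436; the same difference applies to the "Display Connections Sorted by Port" command further down.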
Get All the Adapters
We can enumerate all the adapters connected to the victim's system using the ipconfig command.
As the output of the ipconfig command is very long, we use the findstr command to filter out only the lines about the adapters.
Command: ipconfig | findstr adapter
Get All the Addresses
We can enumerate all the addresses, both IPv4 and IPv6, using the ipconfig command.
As the output of the ipconfig command is very long, we use the findstr command to filter out only the lines about addresses.
Command: ipconfig | findstr Address

Get the Basic Config Details
We can get the basic network configuration of the victim's system, and of the network it is connected to, through the ipconfig command.
[/all] is used to extract all the ipconfig information.
Syntax: ipconfig /all
The victim system is connected to Wi-Fi, so its properties can be viewed below.
Things to enumerate:
Adapter name, model, type, MAC address, IPv4 address, IPv6 address, subnet mask, DHCP server, default gateway and much more.
Ping Sweep
A ping sweep is a networking technique for finding the active hosts in a range of addresses on the network.
IP addresses from which we get a reply are active; the rest are not.
Command: for /L %i in (100,1,225) do ping 192.168.1.%i | findstr TTL
From the image below you can observe the result of multiple ping responses on the network using a ping command loop.
UDP statistics
To obtain statistics for UDP traffic we can execute the following command, which describes the UDP traffic sent and received.
Command: netstat -s -p udp
[-s] denotes the statistics option
[-p] denotes the protocol
From the image below you can observe that it shows details such as datagrams received, receive errors and so on.
TCP statistics
To obtain statistics for TCP connections we can execute the following command, which describes the TCP traffic sent and received.
Command: netstat -s -p TCP
[-s] denotes the statistics option
[-p] denotes the protocol
From the image below you can observe that it shows details such as segments received, failed connection attempts, reset connections and so on.
Display Connections Sorted by Port
Options used:
[-a]: display all active TCP connections and listening UDP ports
[-n]: display addresses and port numbers numerically
[-o]: display connections with their process IDs
We use findstr to filter the result for port 443.
Command: netstat -ano | findstr 443
From the image below you can observe that it shows the TCP connection state only for port 443.
Author: Pavandeep Singh is a Technical Writer, Researcher and Penetration Tester.

Sessions Command in Metasploit

Today we are going to learn about the sessions command of the Metasploit Framework. The sessions command helps us interact with and manipulate the various sessions created through exploits. It is usually just used to get into a session, but it is far more useful than that: it can run a single command on multiple sessions and upgrade a normal shell to Meterpreter.
Requirement
Attacker: Kali Linux
Targets: Any operating system

Open a Kali Linux terminal and type msfconsole to load the Metasploit Framework. Now you need to compromise the victim's machine to obtain a session, either Meterpreter or shell; to do so you can read our previous article here.

Once you have obtained a session on the victim's machine you can perform many operations on it to retrieve important information. Using the help option we can check the list of options that can be used with the sessions command.
Command: sessions -h
From the image below you can observe that it shows many options which will be quite useful for system enumeration.

Run a command in multiple sessions
We can run arbitrary OS commands on multiple Meterpreter sessions using the sessions command.
Syntax: sessions -c [command] -i [Session id]
Command: sessions -c hostname -i 1, 2, 3
As you can see in the screenshot below, the hostname command ran on sessions 1, 2 and 3, giving us the hostnames of the respective systems.

Session ID    Victim's IP      Hostname
1             192.168.1.107    Pc21-PC
2             192.168.1.114    Pavan
3             192.168.1.113    PD-Laptop


Get Detailed Information about Sessions

Use the verbose option to obtain complete details of the sessions: it describes the type of session achieved, i.e. Meterpreter or shell, the target system's hostname and so on.

Command: sessions -v

From the image below you can observe the output of the sessions command with the verbose option.


Run a script or a module in multiple sessions
Syntax: sessions -s [script-name]
Command: sessions -s winenum
As you can see in the screenshot above, the winenum script ran on sessions 4, 5 and 6, enumerating data from the respective systems and saving the output in text files in the pavan17.1611 folder.

Explore the highlighted path ./root/.msf4/logs/scripts/winenum/pavan to obtain the output text files; from the image below you can observe that it shows all the text files containing the output of the executed commands.
From the image below you can read the information stored inside the ipconfig—all.txt file for the network configuration.

Assign Name to Sessions
We can name the sessions anything we want so as to differentiate between them. To name a session use the following command.
Syntax: sessions -n [Name] -i [Session ID]
Command: sessions -n Yondu -i 1
From the image below you can observe that we have successfully named session 1 'Yondu'; session ID 1 now carries Yondu as its session name.
Kill a particular Session
If we want to close a particular session, we can do so using the kill option with that session ID in the sessions command.
Syntax: sessions -k [Session ID]
Command: sessions -k 3
As you can see in the screenshot, we have closed session 3 using the sessions command.
Kill All Session
If we want to close all the sessions, we can do so using the kill-all option, which takes no session ID, in the sessions command.
Command: sessions -K
As you can see in the screenshot, we have closed all the sessions using the sessions command.
Upgrading a Shell to Meterpreter
Many times, when exploiting through direct exploits, we get only a plain shell on the remote system, but because the Meterpreter commands are so much more capable we want a Meterpreter shell. We can upgrade a normal shell to a Meterpreter shell using the sessions command.
First let's gain a shell; here I am using the direct exploit shown in the screenshot, which when executed gives us a shell on the server.



You can clearly see that we have a Linux shell in session #1. Now let's upgrade this shell to a Meterpreter shell.
First press Ctrl+Z to send this shell to the background, then use the upgrade option with the session ID as shown in the following sessions command.
Command: sessions -u 1
As you can see in the image, the Meterpreter shell is opened as session #2.


Author: Pavandeep Singh is a Technical Writer, Researcher and Penetration Tester.




Comprehensive Guide to nmap port status


Hello friends, you may have used Nmap several times to perform network scanning to enumerate the active port services of a target machine, but in some scenarios you don't get a simple message saying whether a port is open or closed.

Let’s Begin
Requirement
Attacker’s IP:  192.168.1.109 [Kali Linux]
Target’s IP: 192.168.1.119 [Ubuntu]

The states of ports are not their essential properties; they depict how Nmap sees them. Nmap divides ports into six states:
Open: an application on the target machine is listening for connections/packets on that port.
Closed: the port has no application listening on it, though one could open up at any time.
Filtered: a firewall, filter or other network obstacle is blocking the port so that Nmap cannot tell whether it is open or closed.
Unfiltered: the port responds to Nmap's probes, but Nmap cannot determine whether it is open or closed.
Open/Filtered: the port is either open or filtered, but Nmap could not establish which.
Closed/Filtered: the port is either closed or filtered, but Nmap could not establish which.

Identify Open Port state
In this case a service or application running on the port is actively accepting TCP or UDP connections. We send TCP packets to port 80 of the target machine and find that the port is open.
nmap -p80 192.168.1.119




We take a look at Wireshark and find that the three-way handshake occurs as given below:
·         Nmap sends a SYN packet to port 80
·         Nmap receives a SYN, ACK packet as response from port 80, which denotes that port 80 is open
·         Nmap sends an RST packet




Identify Closed Port state
In this case the port is accessible but no application is running on it. When a port is closed it sends RST, ACK when it receives a TCP SYN packet.
nmap -p80 192.168.1.119
We have used a SYN scan to send TCP SYN packets to port 80 of the target machine and found that the port is closed, because as soon as it receives the TCP SYN packet it sends back a TCP RST, ACK packet.




We check Wireshark for more information: as expected, as soon as the target machine received the TCP SYN packet it replied with TCP RST, and Nmap interpreted this as the port being closed.
·         Nmap sends a SYN packet to port 80
·         Nmap receives an RST, ACK packet as response from port 80, which denotes that port 80 is closed




Identify Filtered Port state
In this case Nmap is unable to determine whether a port is open because packet filtering prevents its probes from reaching the port. When a probe is dropped, Nmap retries several times in case it was dropped due to network congestion rather than filtering; this slows the scan down dramatically.
Let's use iptables to drop TCP packets on the target machine.
iptables -I INPUT -p tcp -j DROP



Now when we scan the target machine, the packets are dropped as soon as it receives them.
nmap -p80 192.168.1.119
From the image below you can observe that it now shows state "filtered" for port 80.



Taking a look at Wireshark, we find that when Nmap sends the TCP SYN packet we get no reply from the target machine. This means that a packet filter or firewall is dropping our packets.




Identify Unfiltered Port state
The unfiltered state means that a port is accessible, but Nmap is unable to determine whether it is open or closed. Only the ACK scan, which is used to map firewall rulesets, classifies ports into this state. Scanning unfiltered ports with other scan types, such as the Window scan, SYN scan or FIN scan, may help resolve whether the port is open.
We use iptables to drop any TCP packet coming to port 80 on the target machine.
iptables -I INPUT -p tcp --dport 80 -j DROP




Now we use an Nmap ACK scan on the target machine to check whether there is a firewall or not.
nmap -sA -p22,80 192.168.1.119
As we can see in the image below, the port without the firewall rule shows unfiltered, as Nmap is unable to determine whether it is open or closed.




We can see in Wireshark that for port 22 we get an RST packet, whereas for port 80 the packet is dropped by the target machine.


Identify Open|Filtered Port state
In this case Nmap is unable to determine whether a port is open or filtered. This occurs for scan types in which open ports give no response. The lack of response could also mean that a packet filter dropped the probe or any response it elicited, so Nmap does not know for sure whether the port is open or being filtered. The UDP, IP protocol, FIN, NULL and Xmas scans classify ports this way.
Let's use an Nmap Xmas scan on the target machine.
nmap -sX -p80 192.168.1.119

As we can see, the Nmap scan shows the port as open|filtered.


We check Wireshark to analyse the packets sent by Nmap and can see that we get no reply even though the port is open.


Identify Closed|Filtered Port state
This state is used when Nmap is unable to determine whether a port is closed or filtered. It is only used for the IP ID idle scan.
We use iptables on our target machine to drop incoming TCP packets.
iptables -I INPUT -p tcp -j DROP


We run an IP ID idle scan against the target machine using 192.168.1.107 as our zombie.
nmap -p80 -sI 192.168.1.107 192.168.1.119
As we can see, the idle scan via the zombie shows state closed|filtered for port 80.


An idle scan consists of three steps that are repeated for each port:
1.       Probe the zombie's IP ID and record it.
2.       Forge a SYN packet from the zombie and send it to the desired port on the target. Depending on the port state, the target's reaction may or may not cause the zombie's IP ID to be incremented.
3.       Probe the zombie's IP ID again. The target port state is then determined by comparing this new IP ID with the one recorded in step 1.
We check Wireshark and find the entire process.
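The decision rules behind the six states, as an added example (not code from the original article or from Nmap itself): a small Python classifier that maps the reply a probe receives, as seen in the Wireshark captures above, to the state Nmap reports, for the SYN, ACK, Xmas/FIN/NULL and UDP scans, plus the idle-scan IP ID comparison from the three steps just listed. The rules follow the Nmap reference guide's description of each scan type; the class and function names are the example's own.

```python
"""Nmap port-state decisions reconstructed as a classifier.

Rules follow the Nmap reference guide for each scan type.  The idle-scan
rule compares the zombie's IP ID before and after the forged SYN: a step of
2 means the target answered the zombie with SYN/ACK (open); a step of 1 means
the zombie sent nothing in between (closed or filtered, indistinguishable).
"""
from dataclasses import dataclass

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


@dataclass(frozen=True)
class Response:
    kind: str             # "tcp", "udp", "icmp" or "none" (no reply after retries)
    tcp_flags: int = 0
    icmp_type: int = 0
    icmp_code: int = 0


NO_REPLY = Response("none")
# ICMP destination-unreachable codes that Nmap reads as "filtered".
UNREACHABLE_CODES = {0, 1, 2, 3, 9, 10, 13}


def _unreachable(r: Response) -> bool:
    return r.kind == "icmp" and r.icmp_type == 3 and r.icmp_code in UNREACHABLE_CODES


def _tcp_with(r: Response, bits: int) -> bool:
    return r.kind == "tcp" and (r.tcp_flags & bits) == bits


def classify_port(scan: str, r: Response) -> str:
    """scan is one of 'syn', 'ack', 'xmas', 'fin', 'null', 'udp'."""
    if scan == "syn":
        if _tcp_with(r, SYN | ACK):
            return "open"
        if _tcp_with(r, RST):
            return "closed"
        if r.kind == "none" or _unreachable(r):
            return "filtered"
    elif scan == "ack":
        if _tcp_with(r, RST):
            return "unfiltered"          # an RST proves the port is reachable, nothing more
        if r.kind == "none" or _unreachable(r):
            return "filtered"
    elif scan in ("xmas", "fin", "null"):
        if r.kind == "none":
            return "open|filtered"       # open ports stay silent, and so do dropped probes
        if _tcp_with(r, RST):
            return "closed"
        if _unreachable(r):
            return "filtered"
    elif scan == "udp":
        if r.kind == "udp":
            return "open"
        if r.kind == "none":
            return "open|filtered"
        if r.kind == "icmp" and r.icmp_type == 3 and r.icmp_code == 3:
            return "closed"              # port unreachable
        if _unreachable(r):
            return "filtered"
    raise ValueError(f"no rule for scan={scan!r} response={r}")


def classify_idle(ipid_before: int, ipid_after: int) -> str:
    """State from the zombie's IP ID step across one idle-scan round (16-bit wrap-around)."""
    step = (ipid_after - ipid_before) % 65536
    if step == 2:
        return "open"
    if step == 1:
        return "closed|filtered"
    return "unknown (zombie sent other traffic or is unsuitable)"


def ack_scan_example():
    """The -sA scan of ports 22 and 80 above: RST from 22, nothing from 80."""
    return {22: classify_port("ack", Response("tcp", RST)),
            80: classify_port("ack", NO_REPLY)}


if __name__ == "__main__":
    print("SYN scan, SYN/ACK reply:", classify_port("syn", Response("tcp", SYN | ACK)))
    print("ACK scan of 22 and 80:", ack_scan_example())
    print("idle scan, IP ID 1000 -> 1001:", classify_idle(1000, 1001))
```

Used alongside a capture, the classifier makes the "no reply" cases explicit: the same silence means filtered for a SYN or ACK scan but open|filtered for Xmas, FIN, NULL and UDP scans, which is why the article's iptables DROP rule produces different state labels depending on the scan type.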



Source: https://nmap.org/book/man.html