While reading the nmap man pages, I read the following for the -sn option:
The default host discovery done with -sn consists of an ICMP echo request,
TCP SYN to port 443, TCP ACK to port 80, and an ICMP timestamp request
by default.
I don't quite understand the purpose of performing a TCP ACK on port 80. Since the TCP stack of the targeted server would not have processed any SYN, it would just drop the received ACK packet, not providing any information to nmap.
For instance, my private server replies to an ICMP echo request with an ICMP echo reply, and to a TCP SYN on port 443 with a TCP SYN-ACK. But no answer is provided to a TCP ACK on port 80.
Many thanks for shedding light on the matter.
Except when a stateful firewall is in use, ACK probes should elicit a RST packet from both closed and open ports. From Nmap's documentation on the -PA option:
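The rule behind the answer above, as an added example that is not part of the original posts or of Nmap's documentation: a simplified model of the RFC 9293 segment-arrival rules for a segment that matches no existing connection, with an optional stateful firewall in front of the host. The names `Segment`, `seg`, `host_reply`, `observed_reply` and `ISS` are hypothetical, and the firewall is assumed to pass only a bare SYN as the first packet of a flow.

```python
from dataclasses import dataclass
from typing import Optional

ISS = 7000  # constructed initial send sequence number used by the modelled host


@dataclass(frozen=True)
class Segment:
    flags: frozenset
    seq: int = 0
    ack: int = 0


def seg(flags: str, seq: int = 0, ack: int = 0) -> Segment:
    """Build a segment from a flag string such as "SYN+ACK"."""
    return Segment(frozenset(flags.split("+")), seq, ack)


def host_reply(listening: bool, s: Segment) -> Optional[Segment]:
    """Reply of a TCP stack to a segment that belongs to no connection."""
    if "RST" in s.flags:
        return None  # a reset is never answered
    if "ACK" in s.flags:
        # Unsolicited ACK: LISTEN (open) and CLOSED both answer
        # <SEQ=SEG.ACK><CTL=RST>, so the reply reveals a live host
        # without revealing whether the port is open.
        return seg("RST", seq=s.ack)
    if listening:
        if "SYN" in s.flags:
            return seg("SYN+ACK", seq=ISS, ack=s.seq + 1)
        return None  # LISTEN silently drops anything else
    # Closed port, no ACK bit: <SEQ=0><ACK=SEG.SEQ+SEG.LEN><CTL=RST,ACK>
    seg_len = sum(1 for f in ("SYN", "FIN") if f in s.flags)
    return seg("RST+ACK", seq=0, ack=s.seq + seg_len)


def observed_reply(listening: bool, s: Segment,
                   stateful_firewall: bool) -> Optional[Segment]:
    """What the prober sees. Assumption: the firewall tracks connections and
    drops any first packet of a flow that is not a bare SYN."""
    if stateful_firewall and s.flags != frozenset({"SYN"}):
        return None
    return host_reply(listening, s)


if __name__ == "__main__":
    ack_probe = seg("ACK", seq=1000, ack=5000)  # constructed probe values
    for fw in (False, True):
        print("firewall" if fw else "no firewall",
              observed_reply(True, ack_probe, fw))
```

With the firewall enabled the model reproduces the behaviour reported in the question: a SYN to an open port is answered, while the ACK probe gets no reply.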