What is Nmap


Nmap is a security scanner, originally written by Fyodor Vaskovich, used to discover hosts and services on a computer network and thereby build a map of the network.

To do this, Nmap sends specially crafted packets to the target host and then analyzes the responses.

Although the number of Nmap features has grown over time, it started as an efficient port scanner and remains one at its core. A simple nmap <target> command scans more than 1660 TCP ports on the target IP; a more advanced nmap command can scan up to 65535 ports.

While many traditional port scanners simply list ports as open or closed, Nmap is far more granular.

It classifies ports into six states: open, closed, filtered, unfiltered, open|filtered, and closed|filtered.

1. Open
An application is actively accepting TCP connections or UDP packets on that port. Finding these is often the primary goal of port scanning. Security people know that each open port is an avenue for attack.
Attackers and pen-testers want to exploit open ports, while administrators try to close them or protect them with firewalls without interfering with legitimate users. Open ports are also interesting for non-security scanning because they show which network services a host offers.

2. Closed
A closed port is accessible: it receives and responds to Nmap's probe packet, but no application is listening on it. Closed ports can be useful for confirming that a host is up or as part of operating system detection. Because closed ports are reachable, they are worth scanning again later in case one of them opens. Administrators may consider blocking such ports with a firewall.

3. Filtered
Nmap cannot determine whether the port is open because a packet filter prevents its probes from reaching the port. The filtering can come from a dedicated firewall device, router rules, or host-based firewall software on the target. These ports frustrate attackers because they reveal very little information.

4. Unfiltered
The unfiltered state means the port is accessible, but Nmap cannot determine whether it is open or closed. Only the ACK scan, which is used to map firewall rules, classifies ports in this state. Scanning unfiltered ports with other scan types, such as a Window, SYN, or FIN scan, can help determine whether the port is open.

5. Open|Filtered
Nmap places a port in this state when it cannot determine whether the port is open or filtered. This occurs with scan types in which open ports give no response. The lack of response could also mean that a packet filter dropped the probe or any response it provoked, so Nmap cannot be sure whether the port is open or filtered. UDP, IP protocol, FIN, NULL, and Xmas scans classify ports in this state.

6. Closed|Filtered
This state is used when Nmap is unable to determine whether a port is closed or filtered. It is only used by the idle (IP ID) scan. Nmap offers about 15 different scan methods and some 20 scanning options, and its results can be presented in at least 4 different formats.
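To make the decision rules behind these six states concrete, here is an added Python model (not Nmap's code and not part of the original post) that maps each probe type's observed reply to a state and shows how a follow-up scan can narrow an ambiguous verdict; the reply token names and the merge rule are the example's own assumptions.

```python
"""Model of how Nmap derives the six port states (added example, not Nmap's
own code). Reply tokens are this model's assumption: "syn-ack", "rst",
"rst-win" (RST with non-zero window), "udp-reply", "icmp-port-unreach",
"icmp-other-unreach", "none" (no reply after retries)."""

# Any ICMP unreachable error means a filter answered instead of the port.
_FILTERED = {"icmp-port-unreach": "filtered", "icmp-other-unreach": "filtered",
             "none": "filtered"}
# Probe type -> {observed reply -> port state}
STATE_TABLE = {
    "syn": {"syn-ack": "open", "rst": "closed", **_FILTERED},
    # ACK probes reveal only whether a filter is in the way ("unfiltered"),
    # never whether an application listens, as described in the text above.
    "ack": {"rst": "unfiltered", **_FILTERED},
    # Window scan: RST with a non-zero window hints open, zero window closed.
    "window": {"rst-win": "open", "rst": "closed", **_FILTERED},
    # UDP: ICMP port unreachable proves closed; silence is ambiguous.
    "udp": {"udp-reply": "open", "icmp-port-unreach": "closed",
            "icmp-other-unreach": "filtered", "none": "open|filtered"},
}
# FIN, NULL and Xmas share one rule: open ports stay silent, so silence is
# "open|filtered" and only an RST proves the port closed.
for _t in ("fin", "null", "xmas"):
    STATE_TABLE[_t] = {"rst": "closed", **_FILTERED, "none": "open|filtered"}

# Definite states that each ambiguous state could still turn out to be.
AMBIGUOUS = {"open|filtered": {"open", "filtered"},
             "closed|filtered": {"closed", "filtered"},
             "unfiltered": {"open", "closed"}}

def classify(scan_type, reply):
    """Map one probe's reply to a port state (KeyError for unknown input)."""
    return STATE_TABLE[scan_type][reply]

def resolve(first, second):
    """Combine two scans' verdicts on one port. The merge rule is this
    example's own, not Nmap's: a definite verdict wins when it is one of the
    options the other scan's ambiguous verdict left open."""
    if first == second:
        return first
    for ambiguous, definite in ((first, second), (second, first)):
        if definite in AMBIGUOUS.get(ambiguous, ()):
            return definite
    return "conflict"

if __name__ == "__main__":
    # Constructed observations: FIN probe gets silence, follow-up SYN gets SYN/ACK.
    fin, syn = classify("fin", "none"), classify("syn", "syn-ack")
    print(fin, syn, "->", resolve(fin, syn))  # open|filtered open -> open
```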
