nmap scan shows ports are filtered but nessus scan shows no result
I'm performing a port scan on a range of IPs at our remote site. I tried running an nmap scan on that IP range and some of the IPs' results are shown as filtered.
When I perform a nessus scan on the box, there is no result at all for some of the IPs.
As such, is it safe to assume that there are no open ports on some of the remote servers?
Unless you've got nmap configured not to perform host discovery (-PN --send-ip on the LAN), if it is indicating that all ports are filtered, then the host is up, but the firewall on that host is dropping traffic to all the scanned ports.
Note that a default nmap scan does not probe all ports. It only scans 1000 TCP ports. If you want to check for any services, you'll want to check all 65535 TCP ports and all 65535 UDP ports.
Also, to be precise, when the port scan says a port is filtered, that doesn't mean that there is no service running on that port. It's possible that the host's firewall has rules that are denying access to the IP from which you're running the scan, but there may be other IPs which are allowed to access that service.
If the port scan reports that a port is closed, that's more definitive evidence that there's no service listening on that port.
I can't comment on the lack of results from nessus, it's been a while since I've used it.
Example of closed vs. filtered vs. host-down
E.g., on my network, this host is up, has no services running, and does not have a firewall. Note that the ports are reported as closed (this means the host responded to probes on that port):

    % sudo nmap -T4 -n 192.168.1.24
    Starting Nmap 5.00 ( http://nmap.org ) at 2011-11-30 11:20 EST
    All 1000 scanned ports on 192.168.1.24 are closed
    MAC Address: 00:0E:00:AB:CD:EF (Unknown)
    Nmap done: 1 IP address (1 host up) scanned in 7.70 seconds
This host is up, has no services running on ports 100-1000, and has a firewall. Note that the ports are reported as filtered (this means that the host dropped probes to those ports):
    % sudo nmap -T4 -n -p 100-1000 192.168.1.45
    Starting Nmap 5.00 ( http://nmap.org ) at 2011-11-30 11:24 EST
    All 901 scanned ports on 192.168.1.45 are filtered
    MAC Address: 00:12:34:AA:BB:CC (Unknown)
    Nmap done: 1 IP address (1 host up) scanned in 20.03 seconds
Just for illustration, I punched a temporary hole in the firewall for that last host for port 443 and reran the scan. (There's nothing running on 443 there.) Notice how 998 ports are reported filtered, but port 443 is reported as closed; the firewall is allowing 443 through, and the OS responds with an RST.
    % sudo nmap -T4 -n 192.168.1.45
    Starting Nmap 5.00 ( http://nmap.org ) at 2011-11-30 11:43 EST
    Interesting ports on 192.168.1.45:
    Not shown: 998 filtered ports
    PORT    STATE  SERVICE
    22/tcp  open   ssh
    443/tcp closed https
    MAC Address: 00:12:34:AA:BB:CC (Unknown)
    Nmap done: 1 IP address (1 host up) scanned in 5.67 seconds
There is no host at this address (host down):
    % sudo nmap -T4 -n 192.168.1.199
    Starting Nmap 5.00 ( http://nmap.org ) at 2011-11-30 11:26 EST
    Note: Host seems down. If it is really up, but blocking our ping probes, try -PN
    Nmap done: 1 IP address (0 hosts up) scanned in 0.56 seconds
If I rescan with -PN --send-ip (the latter is needed because I'm scanning the LAN, and I don't want to use ARP probes), I see:

    % sudo nmap -T4 -n -PN --send-ip 192.168.1.199
    Starting Nmap 5.00 ( http://nmap.org ) at 2011-11-30 11:29 EST
    All 1000 scanned ports on 192.168.1.199 are filtered
    Nmap done: 1 IP address (1 host up) scanned in 101.44 seconds
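As an added illustration (not part of the answer above), this Python snippet parses constructed runs in the nmap 5.x normal-output format shown in the answer and maps each to the closed / filtered / host-down reading the answer gives, plus how small a share of the 65535-port space a default 1000-port scan probes. The names SAMPLE_RUNS, interpret and coverage are hypothetical.

```python
import re

# Constructed sample runs in nmap 5.x normal-output format, mirroring the
# answer's cases: all closed, all filtered, a mixed table, and host down.
SAMPLE_RUNS = [
    "Starting Nmap 5.00 ( http://nmap.org ) at 2011-11-30 11:20 EST\n"
    "All 1000 scanned ports on 192.168.1.24 are closed\n"
    "Nmap done: 1 IP address (1 host up) scanned in 7.70 seconds",
    "Starting Nmap 5.00 ( http://nmap.org ) at 2011-11-30 11:24 EST\n"
    "All 901 scanned ports on 192.168.1.45 are filtered\n"
    "Nmap done: 1 IP address (1 host up) scanned in 20.03 seconds",
    "Starting Nmap 5.00 ( http://nmap.org ) at 2011-11-30 11:43 EST\n"
    "Interesting ports on 192.168.1.45:\nNot shown: 998 filtered ports\n"
    "PORT    STATE  SERVICE\n22/tcp  open   ssh\n443/tcp closed https\n"
    "Nmap done: 1 IP address (1 host up) scanned in 5.67 seconds",
    "Starting Nmap 5.00 ( http://nmap.org ) at 2011-11-30 11:26 EST\n"
    "Note: Host seems down. If it is really up, but blocking our ping probes, try -PN\n"
    "Nmap done: 1 IP address (0 hosts up) scanned in 0.56 seconds",
]

PORTS_PER_PROTO = 65535  # a default scan probes only 1000 of these (TCP)

def interpret(output):
    """Map one nmap run to a verdict plus the per-state port counts."""
    counts = {"open": 0, "closed": 0, "filtered": 0}
    if "Host seems down" in output:
        # host discovery got no reply; rerun with -PN before concluding anything
        return "down-or-ping-blocked", counts
    m = re.search(r"All (\d+) scanned ports on \S+ are (\S+)", output)
    if m:  # summary line used when every scanned port shares one state
        counts[m.group(2)] = int(m.group(1))
    else:  # per-port table plus a "Not shown" line for the majority state
        m = re.search(r"Not shown: (\d+) (\S+) ports", output)
        if m:
            counts[m.group(2)] = int(m.group(1))
        for state in re.findall(r"^\d+/(?:tcp|udp)\s+(\S+)", output, re.M):
            counts[state] = counts.get(state, 0) + 1
    scanned = sum(counts.values())
    if counts["open"]:
        verdict = "up-with-listeners"
    elif scanned and counts["filtered"] == scanned:
        verdict = "up-firewalled"  # probes dropped; a listener may still exist
    elif scanned and counts["closed"] == scanned:
        verdict = "up-no-listeners"  # an RST came back from every probed port
    else:
        verdict = "up-mixed"
    return verdict, counts

def coverage(counts):
    """Fraction of one protocol's 65535 ports this run actually probed."""
    return sum(counts.values()) / PORTS_PER_PROTO
```

A verdict of "up-firewalled" is the case the question describes: the host is up, but nothing in the run proves a service is absent, and even "up-no-listeners" covers only the scanned fraction reported by coverage().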