nmap scan shows ports are filtered but nessus scan shows no result

  • I'm performing an port scanning on a range of IPs on our remote site. I tried running nmap scan on that IP range and some of the IP result are shown as filtered

    When I perform a nessus scan on the box, there is no result at all for some of the IPs.

    As such is it safe to assume that there is no open ports on some of the remote server?

  • bstpierre

    bstpierre Correct answer

    10 years ago

    Unless you've got nmap configured not to perform host discovery (-PN or -PN --send-ip on the LAN), if it is indicating that all ports are filtered, then the host is up, but the firewall on that host is dropping traffic to all the scanned ports.

    Note that a default nmap scan does not probe all ports. It only scans 1000 TCP ports. If you want to check for any services, you'll want to check all 65535 TCP ports and all 65535 UDP ports.

    Also, to be precise, but when the port scan says a port is filtered, that doesn't mean that there is no service running on that port. It's possible that the host's firewall has rules that are denying access to the IP from which you're running the scan, but there may be other IPs which are allowed to access that service.

    If the port scan reports that a port is closed, that's more definitive that there's no service listening on that port.

    I can't comment on the lack of results from nessus, it's been a while since I've used it.

    Example of closed vs. filtered vs. host-down

    E.g., on my network, this host is up, has no services running, and does not have a firewall, note that the ports are reported as closed (this means the host responded to probes on that port):

    % sudo nmap -T4 -n 192.168.1.24
    
    Starting Nmap 5.00 ( http://nmap.org ) at 2011-11-30 11:20 EST
    All 1000 scanned ports on 192.168.1.24 are closed
    MAC Address: 00:0E:00:AB:CD:EF (Unknown)
    
    Nmap done: 1 IP address (1 host up) scanned in 7.70 seconds
    

    This host is up, has no services running on ports 100-1000, and has a firewall. Note that the ports are reported as filtered (this means that the host dropped probes to those ports):

    % sudo nmap -T4 -n -p 100-1000 192.168.1.45
    
    Starting Nmap 5.00 ( http://nmap.org ) at 2011-11-30 11:24 EST
    All 901 scanned ports on 192.168.1.45 are filtered
    MAC Address: 00:12:34:AA:BB:CC (Unknown)
    
    Nmap done: 1 IP address (1 host up) scanned in 20.03 seconds
    

    Just for illustration, I punched a temporary hole in the firewall for that last host for port 443 and reran the scan. (There's nothing running on 443 there.) Notice how 998 ports are reported filtered, but port 443 is reported as closed; the firewall is allowing 443 through, and the OS responds with an RST.

    % sudo nmap -T4 -n 192.168.1.45
    
    Starting Nmap 5.00 ( http://nmap.org ) at 2011-11-30 11:43 EST
    Interesting ports on 192.168.1.45:
    Not shown: 998 filtered ports
    PORT    STATE  SERVICE
    22/tcp  open   ssh
    443/tcp closed https
    MAC Address: 00:12:34:AA:BB:CC (Unknown)
    
    Nmap done: 1 IP address (1 host up) scanned in 5.67 seconds
    

    There is no host at this address (host down):

    % sudo nmap -T4 -n 192.168.1.199
    
    Starting Nmap 5.00 ( http://nmap.org ) at 2011-11-30 11:26 EST
    Note: Host seems down. If it is really up, but blocking our ping probes, try -PN
    Nmap done: 1 IP address (0 hosts up) scanned in 0.56 seconds
    

    if I rescan with -PN --send-ip (the latter is needed because I'm scanning the LAN, and I don't want to use ARP probes), I see:

    % sudo nmap -T4 -n -PN --send-ip 192.168.1.199 
    
    Starting Nmap 5.00 ( http://nmap.org ) at 2011-11-30 11:29 EST
    All 1000 scanned ports on 192.168.1.199 are filtered
    
    Nmap done: 1 IP address (1 host up) scanned in 101.44 seconds
    

    Hi, thanks for the detail explanations. Oddly enough, when I re-run nessus scan on the IP range, some of the IP now has results and shows as having 0 ports open.

License under CC-BY-SA with attribution


Content dated before 7/24/2021 11:53 AM