Reputation: 13
I'm currently studying a penetration/hacking course. I am trying to use nmap against a target to find all the ports that are filtered.
I thought if I used an ACK scan, nmap would give me all the filtered ports. I used nmap -sA -p- target, and the result was "All the 65535 ports scanned are unfiltered". Is this even reasonable? What other scans can I use to complement my first scan?
Upvotes: 1
Views: 2156
Reputation: 5995
According to the man page, -sA (TCP ACK scan) is used to map firewall rulesets. A conformant TCP stack will respond to an unsolicited ACK with a RST, regardless of whether there is a listening service. But firewalls are frequently configured to drop all traffic to blocked ports or to respond with ICMP error messages. By looking for these different responses, Nmap tries to distinguish filtered (firewalled) from unfiltered ports.
It's entirely reasonable that all ports are unfiltered; that would just mean that either there is no firewall, or the firewall is configured to respond to unsolicited ACK packets with RST packets.
Upvotes: 3
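Added example, not part of the original answer and not Nmap's code: a small Python model of the classification described above, showing that a host with no firewall and a firewall that answers with RST produce the same "all unfiltered" ACK-scan result. The policy names, the blocked-port set and the port range are constructed for illustration.

```python
from dataclasses import dataclass

# ICMP type 3 (destination unreachable) codes that Nmap's documentation
# lists as marking a port "filtered" in an ACK scan.
ICMP_FILTERED_CODES = {0, 1, 2, 3, 9, 10, 13}

@dataclass
class Reply:
    kind: str            # "rst", "icmp" or "none" (probe timed out)
    icmp_type: int = 0
    icmp_code: int = 0

def reply_to_ack(policy, blocked, port):
    """Reply a lone ACK to `port` gets under a hypothetical firewall policy."""
    if policy == "no-firewall" or port not in blocked:
        # Conformant TCP stack: RST whether or not a service is listening.
        return Reply("rst")
    if policy == "drop":
        return Reply("none")
    if policy == "reject-icmp":
        return Reply("icmp", 3, 13)   # communication administratively prohibited
    if policy == "reject-rst":
        return Reply("rst")           # the firewall answers with the RST itself
    raise ValueError(f"unknown policy: {policy}")

def classify(reply):
    """Map one reply to the state an ACK scan would report."""
    if reply.kind == "rst":
        return "unfiltered"
    if reply.kind == "none":
        return "filtered"
    if reply.icmp_type == 3 and reply.icmp_code in ICMP_FILTERED_CODES:
        return "filtered"
    return "unclassified"             # outside what this model covers

def ack_scan(policy, blocked, ports):
    """Count reported states over `ports` for one policy."""
    counts = {"filtered": 0, "unfiltered": 0, "unclassified": 0}
    for port in ports:
        counts[classify(reply_to_ack(policy, blocked, port))] += 1
    return counts

if __name__ == "__main__":
    blocked = {23, 135, 445}          # constructed sample rule set
    ports = range(1, 1025)
    for policy in ("no-firewall", "reject-rst", "drop", "reject-icmp"):
        print(f"{policy:12} {ack_scan(policy, blocked, ports)}")
```

For a firewall administrator, the takeaway is that only the drop and ICMP-reject policies make blocked ports show up as filtered; an "all unfiltered" result alone does not tell the two RST cases apart.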