How to discover open ports?

Hello,
In a local network there is a device like a FortiGate, and clients connect to it to use the Internet. The traceroute output is:

$ sudo traceroute -4 google.com -I
traceroute to google.com (216.239.38.120), 30 hops max, 60 byte packets
1  192.168.1.1 (192.168.1.1)  3.090 ms  3.412 ms  3.720 ms
2  two.two.two.two (2.0.0.2)  0.692 ms  0.796 ms  0.904 ms
3  192.168.1.200 (192.168.1.200)  0.202 ms  0.181 ms  0.169 ms
...
16  any-in-2678.1e100.net (216.239.38.120)  33.692 ms  33.689 ms  33.685 ms

I scanned the 192.168.1.200 IP address with Nmap, but it couldn’t detect any open ports. How can I find the port that packets pass through?

Thank you.

3 Likes

Different types of scans can be performed:

To scan using TCP connect (it takes longer, but is more likely to connect):

nmap -sT 192.168.0.1

To perform the default SYN scan (it tests by performing only half of the TCP handshake):

nmap -sS 192.168.0.1

To instruct Nmap to scan UDP ports instead of TCP ports (the -p switch specifies ports 80, 130, and 255 in this example):

nmap -sU -p 80,130,255 192.168.0.1

Or try downloading Angry IP Scanner, which is nmap with a web GUI.

3 Likes

Thanks.
I tried the following Nmap parameters:

$ sudo nmap -sU -p 80,443 192.168.1.200
Starting Nmap 7.70 ( https://nmap.org ) at 2023-01-18 13:35 +0330
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.15 seconds
$
$ sudo nmap -Pn 192.168.1.200
Starting Nmap 7.70 ( https://nmap.org ) at 2023-01-18 13:33 +0330
Nmap scan report for 192.168.1.200
Host is up (0.00016s latency).
Not shown: 999 filtered ports
PORT    STATE  SERVICE
113/tcp closed ident

Nmap done: 1 IP address (1 host up) scanned in 11.52 seconds
$
$ sudo nmap -Pn -p 80,443,8080 192.168.1.200
Starting Nmap 7.70 ( https://nmap.org ) at 2023-01-18 13:39 +0330
Nmap scan report for 192.168.1.200
Host is up.

PORT     STATE    SERVICE
80/tcp   filtered http
443/tcp  filtered https
8080/tcp filtered http-proxy

Nmap done: 1 IP address (1 host up) scanned in 3.13 seconds

As you see, it couldn’t detect any open port. How does a hacker find open ports?

You did it correctly. The host you’re scanning doesn’t have any open ports in that range.

1 Like

Hello,
So, what is the solution?

The solution is that the host hasn’t any open ports.

Hello,
As I said, that device is a gateway (FortiGate) that clients connect to in order to use the Internet, so how does it not have any open port?

No idea?
How are clients using a device to connect to the Internet when that device doesn’t have any open port?

There are ports that are filtered there, this could indicate something like an IP address whitelist, where in order to connect, you have to have a certain IP address, maybe a VPN appliance or something.

1 Like

Hello,
I’m a part of this network.

FortiGate is a firewall device with different techniques to prevent port scanning. You can see that your first scan failed because ICMP is blocked on devices like this.
It also filtered your other scans. This could be caused by a Policy or IDS/IPS.

This does not mean there are no open ports, you just can not scan for them.

1 Like
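The two explanations above (the scan types in the first answer, and the point that ICMP blocking and "filtered" results do not mean there are no open ports) can be made concrete in code. The following is an added example, not code from the thread or from Nmap: it encodes the probe-reply rules the Nmap reference guide gives for SYN/connect scans and UDP scans, and it parses Nmap's normal output to count port states and detect the "Host seems down" case. The sample output text is constructed to mirror the scans of 192.168.1.200 shown above; the `Reply` type and function names are this example's own.

```python
"""Added example, not from the thread: how Nmap derives a port state from the
reply to one probe (rules from the Nmap reference guide's -sS/-sT and -sU
descriptions) and a small parser for Nmap's normal output, fed constructed
text mirroring the scans shown in the thread."""
import re
from dataclasses import dataclass
from typing import Dict, Optional

# ICMP type 3 (destination unreachable) codes that Nmap reports as "filtered":
# net/host/proto unreachable (1, 2, 3) and admin-prohibited variants (9, 10, 13).
ICMP_FILTERED_CODES = {1, 2, 3, 9, 10, 13}


@dataclass
class Reply:
    """What came back for a single probe. kind is 'tcp', 'udp', 'icmp' or 'none'."""
    kind: str
    tcp_flags: str = ""               # e.g. "SA" for SYN/ACK, "R" for RST
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None


def tcp_scan_state(reply: Reply) -> str:
    """-sS and -sT: SYN/ACK means open, RST means closed; silence or an ICMP
    unreachable means a firewall dropped the probe, so the port is filtered."""
    if reply.kind == "tcp":
        if "S" in reply.tcp_flags and "A" in reply.tcp_flags:
            return "open"
        if "R" in reply.tcp_flags:
            return "closed"
    return "filtered"


def udp_scan_state(reply: Reply) -> str:
    """-sU: a UDP reply means open, ICMP port unreachable (type 3 code 3) means
    closed, other ICMP unreachables mean filtered, and silence is ambiguous,
    which Nmap reports as open|filtered."""
    if reply.kind == "udp":
        return "open"
    if reply.kind == "icmp" and reply.icmp_type == 3:
        if reply.icmp_code == 3:
            return "closed"
        if reply.icmp_code in ICMP_FILTERED_CODES:
            return "filtered"
    return "open|filtered"


PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(open\|filtered|open|closed|filtered)\s+")
NOT_SHOWN = re.compile(r"(\d+) (open\|filtered|open|closed|filtered)")


def summarize_nmap_output(text: str) -> Dict[str, object]:
    """Count port states in Nmap normal output (including the 'Not shown'
    summary line) and flag the case where host discovery failed because the
    target dropped the ping probes."""
    states = {"open": 0, "closed": 0, "filtered": 0, "open|filtered": 0}
    ping_blocked = False
    for raw in text.splitlines():
        line = raw.strip()
        m = PORT_LINE.match(line)
        if m:
            states[m.group(3)] += 1
        elif line.startswith("Not shown:"):
            for count, state in NOT_SHOWN.findall(line):
                states[state] += int(count)
        elif "Host seems down" in line:
            ping_blocked = True
    return {"states": states, "ping_blocked": ping_blocked,
            "any_open": states["open"] > 0}


# Constructed samples modelled on the thread's scans of 192.168.1.200.
PING_BLOCKED_OUTPUT = """\
Starting Nmap 7.70 ( https://nmap.org )
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.15 seconds
"""

PN_OUTPUT = """\
Nmap scan report for 192.168.1.200
Host is up (0.00016s latency).
Not shown: 999 filtered ports
PORT    STATE  SERVICE
113/tcp closed ident
"""

if __name__ == "__main__":
    print(summarize_nmap_output(PING_BLOCKED_OUTPUT))
    print(summarize_nmap_output(PN_OUTPUT))
```

Run against the constructed `-Pn` output, the parser reports 999 filtered ports and one closed port, and no open ports. The useful distinction for reading such a result is that "closed" means the target answered with a RST (nothing listening, but the probe got through), while "filtered" means nothing came back, or an ICMP unreachable did, so a firewall policy dropped the probe and the scanner learns nothing about whether a service is listening. A gateway forwards client traffic at the IP layer and does not need a listening socket on the scanned interface, so "no open ports" from a client's point of view is the expected result for a firewall that is doing its job.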

Hello,
Thank you so much for your reply.
In this situation, how does a hacker find the open ports?

Web Application Firewalls commonly only allow certain traffic to certain websites with certain applications. My suggestion would be to use Google to find something along the lines of “bypass WAF scan” or maybe even read NMAP’s man page.

1 Like

Good read man, thank you.

This topic was automatically closed after 121 days. New replies are no longer allowed.