Topic: So you scanned a host, and found open ports!!  (Read 5059 times)
ZeroOne
« on: May 26, 2012, 07:02:28 AM »

Hi forum

I'm currently studying scanning techniques and information gathering in a pen testing course, and I have a few questions. You might be asking yourself why this noob (me) isn't asking those questions of the leaders or the staff of the course he joined... let's just say BECAUSE THIS FORUM ROCKS!!

Moving on, I'm actually trying to be more comfortable with scanning techniques before moving to the next level when it comes to pen testing. My questions are basic and could sound stupid; well, what can I say, I'm just a beginner.

So I've connected two computers which I own to my LAN and started to scan host B using host A. Tool used: NMAP. A few ports showed up after scanning host B, even though my firewall is on on host B.

The ports that showed up are the most common ports, like FTP, SSH, HTTP, etc.
Now I know the difference between open/closed ports:

- closed port means that the port is accessible, and it reacts to the packets sent through the bus using host A, but the service on that port is not listening.

- open port simply means that the service on that port is currently listening; the port is accessible.

My questions regarding the above:

1- When a port returns open on the scanning tool, and knowing that the port is listening, does that mean that the port is not protected by a firewall? Normally after scanning a port, with the result of "filtered" we could guess that there is a firewall behind it to protect it, so if the port is open does that mean that it is unsecured? And that it could be accessed easily, leading to high-risk attacks!

2- What is the difference between a port listening to a service and a port not listening to a service? I'll give you an example to simplify my question. I happen to own a website; I use FTP to transfer all my files from my PC to the website and vice versa. I scanned my website IP just to study how the ports react, and the FTP port 21 always appears to be an "open port". I thought that if I only connect to my website through FTP then port 21 will be open because at that time it is listening to the service "FTP", and once I disconnect the session between me and the website the port will appear as a "closed port", but the facts show that port 21 is always open on my web??!! Before you say "GOOGLE THAT YOU NOOB", I already did that, and I would also like to hear some clarification from the experts in this forum (which I respect a lot).

Sorry if my questions were kinda messy.

Regards,
« Last Edit: May 26, 2012, 07:04:19 AM by ZeroOne »
BillV
« Reply #1 on: May 26, 2012, 07:55:33 AM »

1. Just because the port says 'open' doesn't mean a firewall isn't present. A firewall is likely configured with a rule to allow traffic on that port. So, if by definition a firewall controls the flow of network traffic, it may very well be there and doing its job, but it's not "protecting" that port if it's allowing traffic to pass. Assuming you mean protecting as in blocking, in which case the port would be closed and traffic would not be allowed through.

Hopefully I understood what you were asking there.

2. Your FTP port will appear open until you stop the service. If you stop the service, and FTP is no longer running, then the service won't be listening and the port will be closed. You also won't be able to connect using your FTP client or upload files. You would need to start the service again, thus opening the port back up. Ports don't open and close dynamically with a session like you've described - unless maybe you're doing some weird port knocking stuff.
chrisj
« Reply #2 on: May 26, 2012, 07:56:20 AM »

Question to number 1: Maybe yes, maybe no. It just means that when you sent a SYN to the port, it responded.

Number 2: even after you disconnect from FTP, if you did another scan, the port would still be open; it is only your session that closed.

An open port means that the service is listening, which is really just a fancy way of saying the service is running / turned on. If it is closed then the service is turned off.

Not trying to sound condescending, but think of services like porch lights on Halloween. Where I live that means that the person that lives there is giving out candy. If you knock on the door, which the person is listening at, he opens, you authenticate by saying "trick or treat", and he gives you a bit of candy.

If the light is off, all the knocking in the world won't open the door if the person is not.

OSWP, Sec+
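As an added illustration of the point BillV and chrisj make in replies #1 and #2 (example code written for this thread, not posted by either of them): a TCP listener on loopback keeps answering connect() no matter how many sessions have come and gone, and only stops reporting "open" when the service itself is shut down. The "filtered" branch cannot be reproduced on loopback; it is there only to show the third state a connect scan can report.

```python
import socket

# Constructed demo: a tiny TCP "service" on loopback, probed the way a
# connect() scan (nmap -sT) probes a port. Nothing here talks to a real host.
HOST = "127.0.0.1"


def start_listener():
    """Bind a listening socket on an OS-chosen free port; return (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((HOST, 0))                  # port 0: let the kernel pick a free port
    srv.listen(5)                        # from here on the port is "open"
    return srv, srv.getsockname()[1]


def probe(port, timeout=1.0):
    """Classify a port like a connect scan does: open, closed or filtered."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((HOST, port))          # SYN answered with SYN/ACK: a listener exists
        return "open"
    except ConnectionRefusedError:
        return "closed"                  # SYN answered with RST: host reachable, no listener
    except socket.timeout:
        return "filtered"                # no answer at all: something dropped the SYN
    finally:
        s.close()                        # the probe's own session ends here


def serve_one(srv):
    """The service handles one queued session and ends it, like an FTP transfer finishing."""
    conn, _ = srv.accept()
    conn.close()


def demo():
    """Return the state seen during session 1, during session 2, and after the service stops."""
    srv, port = start_listener()
    first = probe(port)                  # session 1 connects and disconnects
    serve_one(srv)
    second = probe(port)                 # session 2: still open, the listener never went away
    serve_one(srv)
    srv.close()                          # stop the service itself
    stopped = probe(port)                # now the kernel answers RST: closed
    return first, second, stopped


if __name__ == "__main__":
    print(demo())                        # ('open', 'open', 'closed')
```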
3xban
« Reply #3 on: May 28, 2012, 11:57:51 AM »

And Filtered means yes, the ports are most likely open, but not to you. They accepted the SYN packet but denied any further communication. Filtered ports are used when you only want to allow specific IP ranges through your firewall for particular services. For instance, I have SMTP open but only to communicate with an email filtering company. So my mail servers only send out through that host and only receive from that host. All other incoming requests are tossed.

Certs: GCWN
(@)Dewser
ZeroOne
« Reply #4 on: May 29, 2012, 03:04:18 AM »

BillV, chrisj, 3xban, thanks all for your help. There is one more question: if there are 4 devices in a LAN, say 3 workstations and 1 router, the router will hold the public IP address (NATing). If I scan that public IP, like: nmap [public ip], what is it scanning here? The router? Like, the results will be the ports opened/closed only on the router? I mean, how is it possible that IP scanners find hosts with open ports when only the router holds the public IP?

Thanks again
« Last Edit: May 29, 2012, 03:13:35 AM by ZeroOne »
Cyber.spirit
« Reply #5 on: May 29, 2012, 03:07:02 AM »

My friend, if a port is open it doesn't mean there is no firewall. A firewall is designed to secure a network, not to block all connections (not to kill the network lol). It may be more secure if you close all services with the firewall, but if you do that no services can work, and as you know a server with no services is useless lol.

So let me tell you an example. A lot of servers have port 21 open; it's an FTP port, so if that port is open you can't gain access to it until you run password cracking, but if that password is complex you must exploit it; in this case maybe a good firewall can prevent you from doing that.

ICS Academy Network Security Certified
ZeroOne
« Reply #6 on: May 29, 2012, 03:11:11 AM »

Quote from: Cyber.spirit
My friend, if a port is open it doesn't mean there is no firewall. A firewall is designed to secure a network, not to block all connections (not to kill the network lol). It may be more secure if you close all services with the firewall, but if you do that no services can work, and as you know a server with no services is useless lol.

So let me tell you an example. A lot of servers have port 21 open; it's an FTP port, so if that port is open you can't gain access to it until you run password cracking, but if that password is complex you must exploit it; in this case maybe a good firewall can prevent you from doing that.


lol, sorted it out already, thx tho. Any help on my last question would be great bro.
Cyber.spirit
« Reply #7 on: May 29, 2012, 04:18:22 AM »

lol you're welcome brother

ICS Academy Network Security Certified
Data_Raid
« Reply #8 on: May 29, 2012, 09:28:52 AM »

Quote from: ZeroOne
BillV, chrisj, 3xban, thanks all for your help. There is one more question: if there are 4 devices in a LAN, say 3 workstations and 1 router, the router will hold the public IP address (NATing). If I scan that public IP, like: nmap [public ip], what is it scanning here? The router? Like, the results will be the ports opened/closed only on the router? I mean, how is it possible that IP scanners find hosts with open ports when only the router holds the public IP?

Thanks again

It might help to simplify things: what is a router and what is its function?
If you are scanning the public IP address of the router and you get a response that there are open ports, is it possible that the router is running that particular service?
Hint: Check out NAT and PAT.

All men by nature desire knowledge.

Aristotle
chrisj
« Reply #9 on: May 29, 2012, 12:21:51 PM »

As Data_Raid pointed out, it really depends on how the router / firewall are configured.

The best answer I have for you is to try it from "outside your router", on the "public internet side", and see what happens. Then map it out to what you know is running where.

OSWP, Sec+
3xban
« Reply #10 on: May 29, 2012, 01:03:19 PM »

So your typical Linksys "firewall", and I use the term very loosely based on this fact: they only do port forwarding. Meaning I have a device on my home/private LAN that I want to access from outside through some method (i.e. SSH or FTP). So on my firewall I would create a rule to allow these services to be accessed from the internet. It would be an incoming rule and would look something like this:
Code:
Direction  Source IP  Source Port  Destination IP  Destination Port  Rule
Incoming   ANY        TCP/22       192.168.0.100   TCP/22            Allow
Incoming   8.8.8.8    UDP/53       192.168.0.101   UDP/53            Allow
Incoming   ANY        ANY          ANY             ANY               Deny
Rough translation. Now your Linksys router/firewall is really more of a router than a firewall. It does not provide stateful packet inspection, as well as a number of other services your business class firewall will provide. It simply routes traffic based on the rules you give it. The last rule in the list is the cleanup rule. Most home routers will probably not have the rule. But that is out of scope for this discussion.

So your firewall may not have any rules allowing access to it, but will have rules to allow access to internal resources.

Certs: GCWN
(@)Dewser
ZeroOne
« Reply #11 on: May 29, 2012, 04:52:29 PM »

Quote from: Data_Raid
It might help to simplify things: what is a router and what is its function?
If you are scanning the public IP address of the router and you get a response that there are open ports, is it possible that the router is running that particular service?
Hint: Check out NAT and PAT.


I already know how NAT works; not very familiar with PAT, I'll check on it. Thanks for the hint.


Quote from: chrisj
As Data_Raid pointed out, it really depends on how the router / firewall are configured.

The best answer I have for you is to try it from "outside your router", on the "public internet side", and see what happens. Then map it out to what you know is running where.

I already scanned my public IP. On my workstation I've got 15 open ports; when I scanned the public IP it only showed two open ports. Seems that there is a firewall configuration.


Quote from: 3xban
So your typical Linksys "firewall", and I use the term very loosely based on this fact: they only do port forwarding. Meaning I have a device on my home/private LAN that I want to access from outside through some method (i.e. SSH or FTP). So on my firewall I would create a rule to allow these services to be accessed from the internet. It would be an incoming rule and would look something like this:
Code:
Direction  Source IP  Source Port  Destination IP  Destination Port  Rule
Incoming   ANY        TCP/22       192.168.0.100   TCP/22            Allow
Incoming   8.8.8.8    UDP/53       192.168.0.101   UDP/53            Allow
Incoming   ANY        ANY          ANY             ANY               Deny
Rough translation. Now your Linksys router/firewall is really more of a router than a firewall. It does not provide stateful packet inspection, as well as a number of other services your business class firewall will provide. It simply routes traffic based on the rules you give it. The last rule in the list is the cleanup rule. Most home routers will probably not have the rule. But that is out of scope for this discussion.

So your firewall may not have any rules allowing access to it, but will have rules to allow access to internal resources.


Impressive explanation, thanks for sharing.
3xban
« Reply #12 on: May 29, 2012, 10:06:17 PM »

I should have explained the rules.

First rule: I allow ANY outside IP to connect to SSH (TCP/22) on an internal server at address 192.168.0.100. A scan would show the port as open.

2nd rule: I allow Google's DNS server to send DNS traffic to my internal server 192.168.0.101; this could be my company's own DNS server. You see that if you have a large web presence that is hosted internally, possibly on a DMZ. The rules would be similar if this was a DMZ. Any other outside IP would get rejected and any scan would show the port as filtered.

3rd rule is cleanup: if the incoming traffic doesn't match any of the rules before it, it is dropped altogether. In most cases, you may not need the rule if you only specified separate allow rules. The cleanup rule is mostly used for egress filtering. So you would have some allow rules for outgoing SMTP, FTP, SSH, HTTP/HTTPS and whatever other protocols you want to allow out. Then you put the cleanup DENY ALL rule at the end. This could protect you from compromised systems sending data out through oddball ports like 1022 or 69000. Granted, they could still try to send out through your allowed outgoing ports, but if you lock those down to only sending data out to specific internet hosts, then that will help as well.

Certs: GCWN
(@)Dewser
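To tie 3xban's rule table (replies #10 and #12) to the open/closed/filtered states discussed in reply #3, here is an added example that is not code from 3xban or from the thread: the three ingress rules evaluated first-match, the way most packet filters work, then used to predict what a scanner at a given source address would report for each internal host and port. It assumes that a denied probe is silently dropped (reported as "filtered"), that the source-port column can be ignored because clients connect from ephemeral ports, and a constructed table of which internal hosts actually have a listener.

```python
from dataclasses import dataclass

ANY = "ANY"


@dataclass(frozen=True)
class Rule:
    """One ingress rule; ANY in a field matches everything (source port omitted)."""
    src_ip: str
    proto: str       # "TCP" / "UDP" / ANY
    dst_ip: str
    dst_port: str    # port number as text, or ANY
    action: str      # "Allow" or "Deny"

    def matches(self, src_ip, proto, dst_ip, dst_port):
        return (self.src_ip in (ANY, src_ip)
                and self.proto in (ANY, proto)
                and self.dst_ip in (ANY, dst_ip)
                and self.dst_port in (ANY, str(dst_port)))


# The three rules from the thread, in order; the last one is the cleanup rule.
RULES = [
    Rule(ANY,       "TCP", "192.168.0.100", "22", "Allow"),   # SSH from anywhere
    Rule("8.8.8.8", "UDP", "192.168.0.101", "53", "Allow"),   # DNS only from Google's resolver
    Rule(ANY,       ANY,   ANY,             ANY,  "Deny"),    # drop everything else
]

# Constructed: which internal (host, proto, port) tuples actually have a listener.
LISTENING = {("192.168.0.100", "TCP", 22), ("192.168.0.101", "UDP", 53)}


def decide(rules, src_ip, proto, dst_ip, dst_port):
    """First matching rule wins; assumption: no match at all means an implicit Deny."""
    for rule in rules:
        if rule.matches(src_ip, proto, dst_ip, dst_port):
            return rule.action
    return "Deny"


def scan_state(src_ip, proto, dst_ip, dst_port, rules=RULES, listening=LISTENING):
    """Predict the state a scanner at src_ip would report for dst_ip:dst_port."""
    if decide(rules, src_ip, proto, dst_ip, dst_port) == "Deny":
        return "filtered"      # probe dropped: no SYN/ACK, no RST, just silence
    if (dst_ip, proto, dst_port) in listening:
        return "open"          # probe reached a service that answered
    return "closed"            # allowed through, but nothing listens: RST (TCP) or ICMP unreachable (UDP)


if __name__ == "__main__":
    # A scanner on an arbitrary internet address (documentation range, constructed).
    for proto, host, port in [("TCP", "192.168.0.100", 22), ("UDP", "192.168.0.101", 53)]:
        print(proto, host, port, scan_state("203.0.113.7", proto, host, port))
```

Passing a different `listening` set models BillV's point that stopping the service turns an allowed port from "open" into "closed" without any firewall change.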
Data_Raid
« Reply #13 on: May 30, 2012, 10:30:35 AM »

Quote from: ZeroOne
I already scanned my public IP. On my workstation I've got 15 open ports; when I scanned the public IP it only showed two open ports. Seems that there is a firewall configuration.

You should be able to match the open ports with the internal machines (assuming NAT/PAT is configured). If you access the router, have a look at which services are forwarded internally. It is also possible that the router is blocking everything inbound and the 2 open ports are management services for the router, for example HTTP and Telnet.
How about a verbose scan of those 2 open ports; what information can you gather?


All men by nature desire knowledge.

Aristotle
BillV
« Reply #14 on: June 03, 2012, 07:45:36 PM »

Quote from: chrisj
Question to number 1: Maybe yes, maybe no. It just means that when you sent a SYN to the port, it responded.

Number 2: even after you disconnect from FTP, if you did another scan, the port would still be open; it is only your session that closed.

An open port means that the service is listening, which is really just a fancy way of saying the service is running / turned on. If it is closed then the service is turned off.

Not trying to sound condescending, but think of services like porch lights on Halloween. Where I live that means that the person that lives there is giving out candy. If you knock on the door, which the person is listening at, he opens, you authenticate by saying "trick or treat", and he gives you a bit of candy.

If the light is off, all the knocking in the world won't open the door if the person is not.

That is a beautiful analogy :-) Thanks!