Nmap Scanning Results

Last Updated : 26 May, 2026

Nmap scan results reveal active hosts, port states, running services and service versions on a target system. Security professionals use this information to identify exposed services, analyze the attack surface and assess potential security risks during network reconnaissance and penetration testing.

Nmap scan results help to:

  • Identify open, closed and filtered ports
  • Detect running services and software versions
  • Discover exposed or outdated services
  • Gather OS and device information
  • Support security assessments and network auditing

Example: Nmap scan output for IP 203.115.7.170

Here is the basic structure of Nmap results when you enter the IP address (203.115.7.170)

Starting Nmap 7.80 ( https://nmap.org ) at 2025-08-02 15:08 IST
Nmap scan report for 203.115.7.170
Host is up (0.095s latency).
Not shown: 995 closed ports
PORT       STATE    SERVICE    VERSION
23/tcp     open     telnet     Cisco IOS telnetd
1720/tcp   filtered h323q931
2000/tcp   filtered cisco-sccp
5060/tcp   filtered sip
5061/tcp   filtered sip-tls
Service Info: OS: IOS; Device: switch; CPE: cpe:/o:cisco:ios

Nmap Port States

Nmap Port States describe the accessibility and status of network ports during a scan. Nmap classifies ports into six main states:

scanned_port

1. Open

A port is marked as open when a service is actively listening and accepting connections on it, such as SSH, HTTP or FTP. While necessary for normal operations, open ports can also increase the attack surface if not properly secured.

  • A service is actively running and listening
  • Accepts incoming network connections
  • Represents a potential entry point if exposed

Syntax:

nmap -p 22 <target IP>

Example:

nmap -p 23 159.168........
1

2. Closed

A port is marked as closed when the host is reachable, but no application is listening on that port. It indicates the system is online and responding, even though the service is not running.

  • No service is running on the port
  • Host is reachable and responding
  • Useful for basic network reconnaissance

Syntax:

nmap -p 23 <target IP>

Example:

nmap -p 23 159.168........
2

3. Filtered

A port is marked as filtered when Nmap cannot determine whether it is open or closed because a firewall or security device blocks the probe. This usually indicates that the target system is protected against reconnaissance attempts.

  • No response or only error messages are received
  • Common in secured or hardened environments
  • Helps reduce exposure to unauthorized scanning and attacks

Syntax:

nmap -Pn -p 22 <target IP>

Example:

nmap -Pn -p 22 192.168.1.1
3

4. Unfiltered

A port is marked as unfiltered when it is reachable and not blocked by a firewall, but Nmap cannot determine whether it is open or closed. This is commonly observed during ACK scans, where the firewall allows packets but does not reveal the port state.

  • Port is reachable but state is unclear
  • Often seen in TCP ACK scans (-sA)
  • Indicates firewall is not blocking the probe

Syntax:

nmap -sA -Pn -p 80 <target IP>

Example:

nmap -sA -Pn -p 80 159.168.1.10
4

5. Open|Filtered

When Nmap reports a port as open|filtered, it means the port is either open or being blocked by a firewall, but its exact state cannot be determined. This is commonly seen during UDP scans where responses are not always returned.

  • State is ambiguous (open or filtered)
  • Common in UDP scans (-sU)
  • No clear response from the target

Syntax:

sudo nmap -sU -p 161 <target IP>

Example:

sudo nmap -sU -p 161 192.161.1.1
5

6. Closed|Filtered

When Nmap reports a port as closed|filtered, it means it cannot determine whether the port is closed or being filtered by a firewall. This state is uncommon and typically appears in special scan types like IP protocol scans.

  • Port state is uncertain (closed or filtered)
  • Rare and seen in specialized scans (-sO)
  • No definitive response from the target

Syntax:

sudo nmap -sO -p 1 <target IP>

Example:

sudo nmap -sO -p 1 44.228.249.3

Port State Summary Table

Here is a brief summary table of Nmap port states and their meanings for easier understanding.

StateMeaningImplication
openAccepts connectionsService actively running
closedReachable, no service listeningHost is up, but port not in use
filteredStatus unknownFirewall or device blocking probes
unfilteredReachable, status unclearAccessible but open/closed unknown
open|filteredOpen or filteredCannot determine exact state
closed|filteredClosed or filteredCannot determine exact state

Advanced Scan Port Commands in Nmap

Here are some basic Nmap port commands to help you quickly understand and use port scanning options effectively:

1. TCP SYN Stealth Scan

A TCP SYN stealth scan is one of the most commonly used Nmap scan types for fast and efficient port discovery. It is called a “half-open” scan because it sends a SYN packet but does not complete the full TCP handshake, helping reduce detection.

  • Performs a half-open TCP connection (does not complete handshake)
  • Faster and more stealthy than full TCP connect scans
  • Requires root/administrator privileges

Example:

sudo nmap -sS -Pn 103.16.155.26
7

2. Scan a range of ports

Scanning a range of ports means checking multiple consecutive ports (e.g., 1 to 1000) on a target system to find which ones are open, closed or filtered. This is useful to discover running services that may not use standard ports.

Example:

sudo nmap -sS -Pn 1-1000 10.143.85.1
8

3. Scan all ports (1 to 65535)

Scanning all ports helps identify hidden or non-standard services and detect weak firewall configurations. It is commonly used in deep vulnerability assessments and penetration testing to uncover the full attack surface.

Example:

nmap -p- 10.143.85.1

4. UDP port scan

A UDP port scan identifies open UDP ports (1–65535) on a target system that may be running services such as DNS or DHCP. Since UDP is connectionless, results are slower and less reliable compared to TCP scans.

  • Scans UDP services like DNS, DHCP and SNMP
  • Slower and less reliable due to no connection handshake
  • Useful for identifying non-TCP-based services

Example (UDP-only scan):

sudo nmap -sU -p 53,67,68,161 10.143.85.102

Example (TCP + UDP combined scan):

sudo nmap -sS -sU -p T:22,80,443,U:53,161 10.143.85.102
  • -sS = TCP SYN scan
  • -sU = UDP scan
  • T: = TCP ports
  • U: = UDP ports
9

5. Scan multiple IPs or subnets

Scanning multiple IPs or subnets helps identify vulnerabilities, detect running services and audit firewall configurations across several hosts. Nmap supports scanning individual IPs, IP ranges and entire subnets in a single command.

Example:

 nmap 10.143.85.102 220.247.220.225 203.115.7.170
10

6. Aggressive scan with version & OS detection

An Aggressive Scan in Nmap enables a set of features that gather detailed information about a target system. It’s triggered using the -A option and combines several scan types into one command.

  • OS Detection (-O)
  • Version Detection (-sV)
  • Script Scanning (-sC)
  • Traceroute

Example:

nmap -A 203.115.7.170
11
Comment
Article Tags:
Ethical Hacking
Cyber Security

Explore