Tags: network-programming, audit, nmap, port-scanning

Find ports that *can* be opened


I normally use nmap or just telnet to look for open ports on Windows machines.

I work in a consulting company and we want to discover not only open ports on a machine but ports that can be opened.

For instance, if I want to install a database for a customer that listens at 1521. 1521 is not open before I install the database but I want to know if it can be opened or it's blocked (eg. by a firewall), so I ask the customer to open it in advance.

Is there any tool or elegant way to do that?

Thank you. Best regards


Solution

  • Nmap can give you this information. The distinction between "open," "can be opened," and "firewalled" is shown in Nmap's output as open, closed, and filtered. For instance:

    $ sudo nmap scanme.nmap.org
    
    Starting Nmap 6.47 ( http://nmap.org ) at 2014-10-01 13:02 CDT
    Nmap scan report for scanme.nmap.org (74.207.244.221)
    Host is up (0.080s latency).
    Not shown: 993 closed ports
    PORT     STATE    SERVICE
    22/tcp   open     ssh
    25/tcp   filtered smtp
    80/tcp   open     http
    135/tcp  filtered msrpc
    139/tcp  filtered netbios-ssn
    445/tcp  filtered microsoft-ds
    9929/tcp open     nping-echo
    
    Nmap done: 1 IP address (1 host up) scanned in 6.39 seconds
    

    This shows that scanme.nmap.org has TCP ports 22, 80, and 9929 open. My ISP is blocking outbound ports 25, 135, 139, and 445 to prevent spam and Windows worms (and to force me to pay for business-class service if I want to run a mail server). Everything else could be opened at some point (Not shown: 993 closed ports).

    You can further enumerate firewall rules with other scan types (-sA will label ports as unfiltered or filtered) or scripts (firewalk will show which ports are being blocked at which IP hop along your path).

    Note that sometimes a firewall will spoof a reply from the target which results in a closed verdict. In this case, you can sometimes see a difference in the response TTL values (available in Nmap's XML output, and in future releases in its text output with the --reason option); a higher TTL in a closed response means it is coming from a firewall that is closer to you than the target.
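To turn the answer above into something repeatable for a customer pre-check, the script below (an added example, not part of the original answer and not an Nmap tool) parses Nmap's XML output (`-oX`) and sorts each scanned port into "open now", "can be opened", "blocked" or "closed by something other than the host". The last bucket applies the TTL rule from the answer: a `closed` verdict whose RST carried a higher `reason_ttl` than the SYN/ACKs from the host's own open ports most likely came from a firewall nearer to the scanner. The XML is constructed to mimic what `nmap -sS --reason -p 22,25,80,1521,3306 -oX - <host>` writes; the host address, port list and TTL values (52 for the host, 63 for the spoofed reset) are assumptions for the illustration.

```python
"""Classify ports from Nmap XML output into open / can-be-opened / blocked,
using the open, closed and filtered states plus the reason_ttl attribute
that Nmap records for each reply (the TTL rule from the answer above)."""

import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample, not a real capture. It mimics the XML Nmap writes for:
#   nmap -sS --reason -p 22,25,80,1521,3306 -oX - 192.0.2.10
# Assumed values: the real host answers at TTL 52 (SYN/ACK on 22 and 80, RST
# on 1521). 3306 answers RST at TTL 63, i.e. from a device fewer hops away
# than the host, which is the spoofed-reset pattern the answer warns about.
# 25 gets no reply at all, so Nmap reports it as filtered.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS --reason -p 22,25,80,1521,3306 -oX - 192.0.2.10">
<host><status state="up" reason="echo-reply"/>
<address addr="192.0.2.10" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="52"/><service name="ssh"/></port>
<port protocol="tcp" portid="25"><state state="filtered" reason="no-response" reason_ttl="0"/><service name="smtp"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack" reason_ttl="52"/><service name="http"/></port>
<port protocol="tcp" portid="1521"><state state="closed" reason="reset" reason_ttl="52"/><service name="oracle"/></port>
<port protocol="tcp" portid="3306"><state state="closed" reason="reset" reason_ttl="63"/><service name="mysql"/></port>
</ports>
</host>
</nmaprun>
"""

# Verdict codes and what to tell the customer about each one.
VERDICTS = {
    "open": "already open and listening",
    "can-be-opened": "reachable; nothing listens yet, no firewall in the way",
    "blocked": "no reply at all; a firewall is dropping the probe",
    "spoofed-closed": "RST came from a closer hop than the host; likely a firewall rejecting it",
}


def parse_ports(xml_text):
    """Return (port, protocol, state, reason, reason_ttl) for every <port> element."""
    root = ET.fromstring(xml_text)
    ports = []
    for port in root.iter("port"):
        state = port.find("state")
        ports.append((
            int(port.get("portid")),
            port.get("protocol"),
            state.get("state"),
            state.get("reason"),
            int(state.get("reason_ttl", "0")),
        ))
    return ports


def host_ttl(ports):
    """TTL of replies that certainly came from the target: SYN/ACKs on open
    ports. Returns None when no port is open, since then there is no
    reference TTL to compare closed replies against."""
    ttls = [ttl for _, _, state, reason, ttl in ports
            if state == "open" and reason == "syn-ack"]
    return Counter(ttls).most_common(1)[0][0] if ttls else None


def classify(ports):
    """Map 'port/proto' to a verdict code from VERDICTS (or Nmap's raw state
    for states this script does not interpret, e.g. unfiltered)."""
    reference = host_ttl(ports)
    verdicts = {}
    for number, proto, state, reason, ttl in ports:
        key = f"{number}/{proto}"
        if state == "open":
            verdicts[key] = "open"
        elif state == "filtered":
            verdicts[key] = "blocked"
        elif state == "closed":
            # A reset with a higher remaining TTL than the host's own replies
            # was generated fewer hops away, so not by the host itself.
            if reference is not None and ttl > reference:
                verdicts[key] = "spoofed-closed"
            else:
                verdicts[key] = "can-be-opened"
        else:
            verdicts[key] = state
    return verdicts


if __name__ == "__main__":
    for key, code in sorted(classify(parse_ports(SAMPLE_XML)).items(),
                            key=lambda kv: int(kv[0].split("/")[0])):
        print(f"{key:10} {code:15} {VERDICTS.get(code, code)}")
```

Run it against a real scan with `nmap -sS --reason -p <ports> -oX scan.xml <host>` and feed `scan.xml` to `parse_ports`. Two caveats: the TTL comparison only works when at least one port is open (otherwise there is no reference), and a firewall that sits at the same hop distance as the host, or one that normalises TTLs, will not be caught by it.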