An Nmap ACK scan (-sA) is actually a stealthy way to map firewall rulesets by seeing which TCP ACK packets get through to your target.
Let’s see it in action. Imagine you have a server at 192.168.1.100 and you want to know if a firewall is blocking inbound traffic to port 80.
nmap -sA -p 80 192.168.1.100
If the firewall is not blocking port 80, you might see output like this:
Starting Nmap 7.92 ( https://nmap.org ) at 2023-10-27 10:00 PDT
Nmap scan report for 192.168.1.100
Host is up (0.00030s latency).
PORT STATE SERVICE
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 0.25 seconds
The key here is STATE: open. It means the ACK packet Nmap sent to port 80 was answered with a RST (had no response come back at all, Nmap would have reported filtered instead). A RST shows the packet reached the host and was processed by the host's TCP/IP stack. If it reached the host, then whatever sits between you and the host (most likely a firewall) allowed that ACK packet through.
Now, if a firewall is blocking port 80, you’ll likely see this:
Starting Nmap 7.92 ( https://nmap.org ) at 2023-10-27 10:05 PDT
Nmap scan report for 192.168.1.100
Host is up (0.00032s latency).
PORT STATE SERVICE
80/tcp filtered http
Nmap done: 1 IP address (1 host up) scanned in 0.26 seconds
The STATE: filtered is the crucial indicator. It means Nmap sent an ACK packet to port 80, but it never received a response. This silence implies that a firewall or network device intercepted the packet and dropped it, preventing it from reaching the target host. The firewall itself is filtering the traffic.
The fundamental problem an ACK scan solves is distinguishing between "port is closed" and "port is filtered." A regular TCP SYN scan (-sS) sends a SYN packet and expects a RST if the port is closed, or a SYN/ACK if it’s open. If it gets no response, it’s often ambiguous – is the port filtered, or is the host down? An ACK scan, by sending an ACK packet (which is not a request to initiate a connection), is designed to elicit a RST from a closed port. If it gets a RST, the port is considered open (meaning the ACK packet arrived and was processed). If it gets no response, the port is filtered. This distinction is vital for understanding firewall behavior.
When you run nmap -sA <target>, Nmap crafts raw TCP packets with the ACK flag set. It then sends these packets to the specified ports on the target host. The behavior of the target host and any intervening firewalls dictates the response:
- ACK packet reaches an open port: The target's TCP/IP stack receives the ACK. Since it's not part of an established connection, it will respond with a RST packet. Nmap sees the RST and reports the port as open. This is counterintuitive; an "open" state in an ACK scan doesn't mean a service is listening, but that the ACK packet was allowed to the port and processed by the host.
- ACK packet reaches a closed port: The target's TCP/IP stack receives the ACK. It knows the port is closed and responds with a RST packet. Nmap sees the RST and reports the port as open (same logic as above – the ACK got through).
- ACK packet is blocked by a firewall: The firewall intercepts the ACK packet before it reaches the target host. The firewall drops the packet. No RST is sent back to Nmap. Nmap receives no response and reports the port as filtered. This is the primary use case for mapping firewall rules.
- ACK packet is blocked by the host itself (less common for ACK): In some strict configurations, the host might drop unsolicited ACK packets. This would also result in no response and be reported as filtered.
The STATE column in Nmap’s output is critical here. For an ACK scan:
- open: The ACK packet was received by the target host, and a RST packet was sent back. This means no firewall blocked the ACK packet on its way to the port.
- filtered: No response was received. This strongly suggests a firewall or other network device dropped the packet.
To effectively use ACK scans, you typically combine them with other scan types. For instance, you might first run a SYN scan (-sS) to identify open ports, and then an ACK scan (-sA) to see if those open ports are reachable through a firewall. You can also scan a range of ports to build a map of the firewall’s ruleset.
# Scan common ports and map firewall for a single host
nmap -sS -sA -p 1-1000 192.168.1.100
# Scan a subnet for firewall filtering on a specific port
nmap -sA -p 22 192.168.1.0/24
When performing an ACK scan, Nmap sends ACK packets with a source port chosen randomly from the user-privileged ports (1024-5000). This randomness helps evade simple stateful firewall rules that might track connection attempts based on source port. The destination port is scanned as specified. The crucial aspect is that the ACK flag is set, and all other flags are typically cleared, making it appear as a fragment of an existing connection or a general probe rather than a new connection attempt.
The most subtle aspect of an ACK scan’s effectiveness lies in how firewalls manage state. Most modern firewalls are stateful; they track established connections. An ACK packet, by itself, doesn’t look like the start of a new connection (that would be a SYN packet). If a firewall is configured to only allow SYN packets for new connections and drop everything else, an ACK scan can often bypass these rules, revealing the underlying host’s accessibility. However, if a firewall is extremely aggressive and drops all unsolicited TCP packets to a port, even ACKs, the scan will report filtered. This is how you can differentiate between a firewall that’s simply blocking new connections vs. one that’s actively blocking all inbound traffic to certain ports.
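The combination of a SYN scan and an ACK scan described above can be turned into a per-port firewall map automatically. The following is an added example (not from the original post or from the Nmap project): it parses the PORT/STATE/SERVICE table from Nmap's normal output for both scans of the same host and labels each port as reachable, stateful-filtered (SYN dropped but bare ACK passed) or fully filtered. The two scan outputs are constructed sample data; note that Nmap's own -sA output labels a port that answers with RST as unfiltered, so the parser accepts that label as well as the open label used in the write-up above.

```python
import re
from typing import Dict

# Constructed sample output (not real scan results): a SYN scan and an ACK scan
# of the same host, trimmed to the scan-report and port-table lines.
SYN_SCAN = """\
Nmap scan report for 192.168.1.100
PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   open     http
443/tcp  filtered https
3306/tcp filtered mysql
"""
ACK_SCAN = """\
Nmap scan report for 192.168.1.100
PORT     STATE      SERVICE
22/tcp   unfiltered ssh
80/tcp   unfiltered http
443/tcp  unfiltered https
3306/tcp filtered   mysql
"""

# Matches port-table rows such as "443/tcp  filtered https".
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")

def parse_port_table(text: str) -> Dict[int, str]:
    """Return {port: state} for every port-table row in Nmap normal output."""
    states: Dict[int, str] = {}
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            states[int(m.group(1))] = m.group(3)
    return states

def ack_reached_host(state: str) -> bool:
    # A RST reply to the ACK probe: Nmap itself prints 'unfiltered', the
    # write-up above calls the same condition 'open', so accept either label.
    return state in ("unfiltered", "open")

def classify(syn_state: str, ack_state: str) -> str:
    """Combine the SYN-scan and ACK-scan state of one port into a firewall verdict."""
    if syn_state in ("open", "closed"):
        return "reachable: host answered the SYN itself"
    if ack_reached_host(ack_state):
        return "stateful filter: SYN dropped, bare ACK passed"
    return "fully filtered: SYN and ACK both dropped"

def firewall_map(syn_output: str, ack_output: str) -> Dict[int, str]:
    syn, ack = parse_port_table(syn_output), parse_port_table(ack_output)
    ports = sorted(set(syn) | set(ack))
    return {p: classify(syn.get(p, "filtered"), ack.get(p, "filtered")) for p in ports}
```

Running firewall_map(SYN_SCAN, ACK_SCAN) on the sample data reports 443 as a stateful filter (SYN dropped, ACK passed) and 3306 as fully filtered.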
The next step after understanding firewall rules with an ACK scan is often to perform a TCP NULL scan (-sN) or FIN scan (-sF) to further probe for open vs. closed ports when a firewall is present, as these scans also leverage specific TCP flag combinations that some firewalls might handle differently.