Hi Ron,
Following responses to your questions based on my research.
What is the difference between a "port that responds" vs "open"?
Port that responds doesn't mean the port is open. There are couple of scanning involved (Port scanner - Wikipedia ) that allow the sensor detect which port is respond but not open.
When using telnet to test ports, if it is successful, is telnet telling me the port is responding, is open, or both?
Success telnet means the port is responding and open.
Why do I sometimes see port 135 not attempted in my shazzam input payload?
I suspect the "Port Probe" for wmi is not active causing the issue. Make sure the "wmi" (screenshot attached: bottom in the list) is active.
Regards,
Kar Meng
Ron,
To add to Kar's excellent response Ive always found it easy to think of active and alive as this...
If I see one of our classification ports in a state of OPEN then we consider that IP to be Active, we can actively attempt to continue the conversation.. These ports are outlined by the triggers probe value.. its how we move on from a port being checked..
Now if we find these or ANY other ports checked and they gave us a response 'other' than open then we can consider them 'alive', there is something there but we cant talk to it. Friends here will hear a familiar line here.. think of walking upto a house and checking to see if a door with the label 'port 22' is open. If it opens, great, Im 'Actively' going to try and discover it. If I turn that door handle and a grumpy old man yells from behind ..."get off my lawn!" , well we are being 'refused' in the response so someone is there, its 'Alive', but we aren't invited back ...
We have the 'include Alive' check box because years ago we had (and still have ) friends at a major healthcare business that had to deal with a lot of vendor equipment, they didn't want to deal with the errors of trying to talk to equipment that didn't want to talk to them. Big MRI machines, test tube spinners that kinda thing. So by having this opt-out of devices that were responsive but out of their control , allowed them to better refine their troubleshooting efforts to devices they actually cared about..
And lastly what if no port responds at all? Well then you see nothing. We know when something is open, we know when it tells us to go away, but if that door just doesnt exist in the first place? Well, we got nothing to say about its status. the line will be empty. So if you scan an IP and checking our classification port of 135 as you ask and there is NO response well there was nothing there. You would check your parameters in the payload to double check that you are trying that port, but if an IP says nothing? Well look to FW rules to ensure the midserver has full TCP access to the host.
Hope this helps and again, paired with Kar's excellent response you should be right, let us know...
