312-50V10 · Question #549
During a penetration test, the tester conducts an ACK scan using NMAP against the external interface of the DMZ firewall. NMAP reports that port 80 is unfiltered. Based on this response, which type of
The correct answer is C. Stateless. When an NMAP ACK scan returns a port as 'unfiltered,' it means the firewall passed the ACK packet without dropping it, which is characteristic of a stateless firewall that cannot distinguish between legitimate ACK replies and unsolicited ACK probes.
Question
During a penetration test, the tester conducts an ACK scan using NMAP against the external interface of the DMZ firewall. NMAP reports that port 80 is unfiltered. Based on this response, which type of packet inspection is the firewall conducting?
Options
- AHost
- BStateful
- CStateless
- DApplication
How the community answered
(30 responses)- A13% (4)
- B3% (1)
- C80% (24)
- D3% (1)
Why each option
When an NMAP ACK scan returns a port as 'unfiltered,' it means the firewall passed the ACK packet without dropping it, which is characteristic of a stateless firewall that cannot distinguish between legitimate ACK replies and unsolicited ACK probes.
Host-based inspection refers to security controls running on the endpoint itself, not a network firewall characteristic revealed by an ACK scan response.
A stateful firewall maintains a session table and would drop an unexpected ACK packet with no matching connection entry, which would cause NMAP to report the port as 'filtered,' not 'unfiltered.'
A stateless firewall inspects each packet in isolation without maintaining a connection state table. Because it cannot verify whether an ACK packet corresponds to a previously seen SYN, it passes the packet through if the rule permits port 80 - resulting in NMAP reporting the port as 'unfiltered.' A stateful firewall would have dropped this unsolicited ACK as it would find no matching session entry.
Application-layer inspection examines payload content at Layer 7 and would also maintain state awareness, making it capable of dropping the spoofed ACK probe.
Concept tested: Stateless vs stateful firewall ACK scan detection
Source: https://nmap.org/book/scan-methods-ack-scan.html
Topics
Community Discussion
No community discussion yet for this question.