nerdexam
EC-Council

312-50V10 · Question #549

During a penetration test, the tester conducts an ACK scan using NMAP against the external interface of the DMZ firewall. NMAP reports that port 80 is unfiltered. Based on this response, which type of

The correct answer is C. Stateless. When an NMAP ACK scan returns a port as 'unfiltered,' it means the firewall passed the ACK packet without dropping it, which is characteristic of a stateless firewall that cannot distinguish between legitimate ACK replies and unsolicited ACK probes.

Evading IDS, Firewalls, and Honeypots

Question

During a penetration test, the tester conducts an ACK scan using NMAP against the external interface of the DMZ firewall. NMAP reports that port 80 is unfiltered. Based on this response, which type of packet inspection is the firewall conducting?

Options

  • AHost
  • BStateful
  • CStateless
  • DApplication

How the community answered

(30 responses)
  • A
    13% (4)
  • B
    3% (1)
  • C
    80% (24)
  • D
    3% (1)

Why each option

When an NMAP ACK scan returns a port as 'unfiltered,' it means the firewall passed the ACK packet without dropping it, which is characteristic of a stateless firewall that cannot distinguish between legitimate ACK replies and unsolicited ACK probes.

AHost

Host-based inspection refers to security controls running on the endpoint itself, not a network firewall characteristic revealed by an ACK scan response.

BStateful

A stateful firewall maintains a session table and would drop an unexpected ACK packet with no matching connection entry, which would cause NMAP to report the port as 'filtered,' not 'unfiltered.'

CStatelessCorrect

A stateless firewall inspects each packet in isolation without maintaining a connection state table. Because it cannot verify whether an ACK packet corresponds to a previously seen SYN, it passes the packet through if the rule permits port 80 - resulting in NMAP reporting the port as 'unfiltered.' A stateful firewall would have dropped this unsolicited ACK as it would find no matching session entry.

DApplication

Application-layer inspection examines payload content at Layer 7 and would also maintain state awareness, making it capable of dropping the spoofed ACK probe.

Concept tested: Stateless vs stateful firewall ACK scan detection

Source: https://nmap.org/book/scan-methods-ack-scan.html

Topics

#ACK scan#stateless inspection#NMAP#firewall analysis

Community Discussion

No community discussion yet for this question.

Full 312-50V10 Practice