312-50V11 · Question #343
A security engineer is attempting to map a company's internal network. The engineer enters in the following NMAP command: NMAP -n -sS -P0 -p 80 ... What type of scan is this?
The correct answer is C. Stealth scan. The -sS flag in Nmap performs a TCP SYN stealth scan, which never completes the three-way handshake, reducing the likelihood of detection in application logs.
Question
A security engineer is attempting to map a company's internal network. The engineer enters in the following NMAP command:
NMAP -n -sS -P0 -p 80 ... What type of scan is this?
Options
- AQuick scan
- BIntense scan
- CStealth scan
- DComprehensive scan
How the community answered
(34 responses)- A6% (2)
- B3% (1)
- C91% (31)
Why each option
The -sS flag in Nmap performs a TCP SYN stealth scan, which never completes the three-way handshake, reducing the likelihood of detection in application logs.
A Quick scan in Nmap uses the -T4 -F flags to scan fewer ports at a faster timing template and does not correspond to the -sS flag used in this command.
An Intense scan uses flags such as -T4 -A -v to enable OS detection, version detection, script scanning, and traceroute, none of which appear in this command.
The -sS flag instructs Nmap to send SYN packets and, upon receiving a SYN-ACK, immediately reply with a RST to tear down the connection before it is fully established - a half-open technique that avoids creating a full session entry in many application-layer logs. The additional flags -n (skip DNS resolution) and -P0 (assume hosts are up, skip ping) further reduce the scan's footprint and make it harder to detect.
A Comprehensive scan would include a much broader flag set such as -A and full port range (-p-), which are absent from this command.
Concept tested: Nmap SYN stealth scan identification (-sS flag)
Source: https://nmap.org/book/synscan.html
Topics
Community Discussion
No community discussion yet for this question.