nerdexam
EC-Council

312-50V11 · Question #549

During a penetration test, the tester conducts an ACK scan using NMAP against the external interface of the DMZ firewall. NMAP reports that port 80 is unfiltered. Based on this response, which type of

The correct answer is C. Stateless. When an ACK scan returns 'unfiltered,' it means the firewall passed the ACK packet without tracking connection state, which is characteristic of stateless packet inspection.

Scanning Networks

Question

During a penetration test, the tester conducts an ACK scan using NMAP against the external interface of the DMZ firewall. NMAP reports that port 80 is unfiltered. Based on this response, which type of packet inspection is the firewall conducting?

Options

  • AHost
  • BStateful
  • CStateless
  • DApplication

How the community answered

(19 responses)
  • A
    5% (1)
  • C
    84% (16)
  • D
    11% (2)

Why each option

When an ACK scan returns 'unfiltered,' it means the firewall passed the ACK packet without tracking connection state, which is characteristic of stateless packet inspection.

AHost

Host-based inspection refers to security controls running on the endpoint itself, not a firewall packet inspection methodology.

BStateful

A stateful firewall maintains a connection state table and would drop an unsolicited ACK packet - no matching SYN/SYN-ACK - causing NMAP to report the port as 'filtered,' not 'unfiltered.'

CStatelessCorrect

A stateless (packet filter) firewall evaluates each packet independently against static rules without maintaining a connection state table. When NMAP sends an ACK packet with no prior SYN, a stateless firewall has no record of an established connection to check against and may permit the packet based solely on port rules, causing NMAP to report the port as 'unfiltered.' A stateful firewall would recognize the ACK as belonging to no known session and drop it, reporting the port as 'filtered.'

DApplication

Application-level inspection performs deep packet inspection of payload content at layer 7 and would similarly be able to identify and block illegitimate ACK packets.

Concept tested: NMAP ACK scan revealing stateless firewall behavior

Source: https://nmap.org/book/scan-methods-ack-scan.html

Topics

#ACK scan#NMAP#stateless inspection#firewall fingerprinting

Community Discussion

No community discussion yet for this question.

Full 312-50V11 Practice