312-50V13 · Question #352
An attacker scans a host with the below command. Which three flags are set? # nmap sX host.domain.com
The correct answer is B. This is Xmas scan. URG, PUSH and FIN are set.. The nmap -sX command performs an Xmas scan, which sets the URG, PUSH, and FIN flags in the TCP header.
Question
Options
- AThis is SYN scan. SYN flag is set.
- BThis is Xmas scan. URG, PUSH and FIN are set.
- CThis is ACK scan. ACK flag is set.
- DThis is Xmas scan. SYN and ACK flags are set.
How the community answered
(29 responses)- A3% (1)
- B93% (27)
- C3% (1)
Why each option
The `nmap -sX` command performs an Xmas scan, which sets the URG, PUSH, and FIN flags in the TCP header.
A SYN scan (nmap -sS) sets only the SYN flag, aiming to initiate a connection without fully completing the handshake.
The `nmap -sX` option specifies an Xmas scan, a type of stealth scan where the URGENT (URG), PUSH (PSH), and FIN flags are set in the TCP packet header. This unique combination of flags can elicit different responses from target systems depending on their operating system and firewall rules, providing information about port states without completing a full TCP handshake.
An ACK scan (nmap -sA) sets only the ACK flag, primarily used to map firewall rules and determine stateless vs. stateful firewalls.
An Xmas scan sets the URG, PUSH, and FIN flags, not SYN and ACK. SYN and ACK flags are used in different types of scans and the standard TCP three-way handshake.
Concept tested: Nmap scan types and TCP flags
Source: https://nmap.org/book/man-port-scanning-techniques.html
Topics
Community Discussion
No community discussion yet for this question.