nerdexam
EC-Council

312-50V13 · Question #547

A skilled ethical hacker was assigned to perform a thorough OS discovery on a potential target. They decided to adopt an advanced fingerprinting technique and sent a TCP packet to an open TCP port wit

The correct answer is B. Qrest 1: The test was conducted because SYN and ECN-Echo flags enabled to allow the hacker. Explanation Option B is correct because in Nmap's OS fingerprinting methodology, Test 1 (T1) involves sending a TCP packet with the SYN and ECN-Echo (ECE) flags enabled to an open TCP port, and the specific response flags observed (SYN + ECN-Echo) are characteristic of this test,

Submitted by joshua94· Mar 6, 2026Scanning Networks

Question

A skilled ethical hacker was assigned to perform a thorough OS discovery on a potential target. They decided to adopt an advanced fingerprinting technique and sent a TCP packet to an open TCP port with specific flags enabled. Upon receiving the reply, they noticed the flags were SYN and ECN-Echo. Which test did the ethical hacker conduct and why was this specific approach adopted?

Options

  • ATest 3: The test was executed to observe the response of the target system when a packet with
  • BQrest 1: The test was conducted because SYN and ECN-Echo flags enabled to allow the hacker
  • CTest 2: This test was chosen because a TCP packet with no flags enabled is known as a NULL
  • DTest 6; The hacker selected this test because a TCP packet with the ACK flag enabled sent to a

How the community answered

(45 responses)
  • A
    16% (7)
  • B
    76% (34)
  • C
    4% (2)
  • D
    4% (2)

Explanation

Explanation

Option B is correct because in Nmap's OS fingerprinting methodology, Test 1 (T1) involves sending a TCP packet with the SYN and ECN-Echo (ECE) flags enabled to an open TCP port, and the specific response flags observed (SYN + ECN-Echo) are characteristic of this test, designed to probe how the target's TCP stack responds to ECN-capable connection attempts, which reveals OS-specific behavior.

Option A is incorrect because Test 3 involves sending a TCP packet with different flag combinations (typically SYN, URG, PSH, and FIN), not the SYN/ECN-Echo combination described. Option C is incorrect because Test 2 uses a NULL packet (no flags set), which is the opposite of having flags enabled. Option D is incorrect because Test 6 specifically uses the ACK flag to probe a closed port, not an open one with SYN/ECN-Echo flags.

Memory Tip: Think of T1 = "First Handshake with ECN" - Test 1 is the first probe and uses the SYN flag (the first flag in a TCP handshake), paired with ECN-Echo to test advanced TCP capabilities. If you remember that SYN starts both a handshake and the test sequence, you'll always associate SYN+ECN-Echo with Test 1.

Topics

#OS Fingerprinting#TCP Flags#ECN Scanning#Network Scanning

Community Discussion

No community discussion yet for this question.

Full 312-50V13 Practice