
GCIA Question #99: Real Exam Question with Answer & Explanation

The correct answer is D. FIN scan.

Question

Adam, a malicious hacker, is running a scan. The statistics of the scan are as follows. Which of the following types of port scan is Adam running?

Exhibit

[Image: GCIA question #99 exhibit]

Options

  • A. XMAS scan
  • B. ACK scan
  • C. Idle scan
  • D. FIN scan

Explanation

A FIN scan sends TCP packets with only the FIN flag set to probe port status, exploiting RFC 793 behavior where closed ports respond with RST and open ports silently drop the packet.

Common mistakes.

  • A. An XMAS scan sets the FIN, PSH, and URG flags simultaneously (lighting up the packet 'like a Christmas tree'), which is a different flag combination from a FIN-only scan.
  • B. An ACK scan sends packets with only the ACK flag to map firewall rulesets by determining whether ports are filtered or unfiltered, not to identify open vs. closed ports.
  • C. An idle scan is an advanced technique that uses a third-party 'zombie' host's IP ID sequence to stealthily probe a target, which is fundamentally different from a simple FIN-flagged packet scan.

Concept tested. TCP FIN scan port scanning technique

Reference. https://nmap.org/book/man-port-scanning-techniques.html
