nerdexam
ExamsGCIHQuestions#154
GIAC

GCIH · Question #154

GCIH Question #154: Real Exam Question with Answer & Explanation

The correct answer is A: Filtered. In an Nmap XMAS scan, ports that return no response are classified as open or filtered because a firewall may be silently dropping the probe packets. Filtered is the answer here because firewalls blocking packets is the most common reason no RST is returned when most ports are un

Reconnaissance, Scanning, and Enumeration

Question

When you conduct the XMAS scanning using Nmap, you find that most of the ports scanned do not give a response. What can be the state of these ports?

Options

  • AFiltered
  • BOpen
  • CClosed

Explanation

In an Nmap XMAS scan, ports that return no response are classified as open or filtered because a firewall may be silently dropping the probe packets. Filtered is the answer here because firewalls blocking packets is the most common reason no RST is returned when most ports are unresponsive.

Common mistakes.

  • B. Open ports do technically produce no response in a XMAS scan per RFC 793, but if most ports showed no response, attributing all to 'open' is not accurate - Nmap itself marks such ports 'open|filtered' precisely because it cannot distinguish them without additional context.
  • C. Closed ports respond to XMAS scan probes with a TCP RST/ACK packet, which is the opposite of no response.

Concept tested. Nmap XMAS scan port state interpretation

Reference. https://nmap.org/book/scan-methods-null-fin-xmas-scan.html

Topics

#XMAS scan#port scanning#Nmap#filtered ports

Community Discussion

No community discussion yet for this question.

Sign up to join the discussion
Full GCIH Practice