GIAC
GCIH · Question #357
GCIH Question #357: Real Exam Question with Answer & Explanation
The correct answer is B: Host discovery. Sending packets with unusual TCP flag combinations such as ACK/FIN/PSH/URG to closed ports and SYN/FIN/URG/PSH to open ports is a technique used to confirm a host is alive and identify which ports are active.
Reconnaissance, Scanning, and Enumeration
Question
In the network logs there are ACK/FIN/PSH/URG packets from a host going to a closed port, and SYN/FIN/URG/PSH packets going to open ports. What is the host likely doing?
Options
- A. Active OS fingerprinting
- B. Host discovery
- C. Passive OS fingerprinting
- D. IDS evasion
Explanation
Sending packets with unusual TCP flag combinations such as ACK/FIN/PSH/URG to closed ports and SYN/FIN/URG/PSH to open ports is a technique used to confirm a host is alive and identify which ports are active.
Common mistakes.
- A. Active OS fingerprinting specifically examines response characteristics such as TTL values, TCP window sizes, and option ordering to identify the underlying operating system, which is a deeper analysis than simply probing port states with unusual flags.
- C. Passive OS fingerprinting involves analyzing existing traffic without sending any packets, so a host that is actively transmitting probe packets cannot be performing passive fingerprinting by definition.
- D. IDS evasion involves crafting packets specifically to bypass detection signatures, but systematically probing both open and closed ports across multiple flag combinations is more indicative of active scanning than a targeted evasion strategy.
Concept tested. TCP flag-based host and port discovery scanning techniques
Reference. https://nmap.org/book/man-port-scanning-techniques.html
Topics
#TCP flag scanning #host discovery #abnormal flag combinations #port scanning