nerdexam
GIAC

GCIH · Question #556

Which of the following devices would return information about internal targets during an ACK scan?

The correct answer is A. A firewall that does not monitor the connection state of an inbound packet. An ACK scan is particularly useful in getting through simple router-based firewalls. If a router allows established connections in (and is not using any stateful inspection), an attacker can use ACK scans to send packets into the network. A border device (firewall, advanced route

Reconnaissance, Scanning, and Enumeration

Question

Which of the following devices would return information about internal targets during an ACK scan?

Options

  • AA firewall that does not monitor the connection state of an inbound packet
  • BA web-proxy that allows only outbound connections over tcp/8080
  • CAn IDS connected to a mirror port of the border router
  • DA border device that drops inbound connections that use a flag other than SYN

How the community answered

(47 responses)
  • A
    68% (32)
  • B
    6% (3)
  • C
    17% (8)
  • D
    9% (4)

Explanation

An ACK scan is particularly useful in getting through simple router-based firewalls. If a router allows established connections in (and is not using any stateful inspection), an attacker can use ACK scans to send packets into the network. A border device (firewall, advanced router, etc.) that requires state for inbound connections will be definition drop inbound packets with the ACK flag, negating the effectiveness of an ACK scan. A web-proxy that only allows outbound connections will ignore an ACK scan. An IDS connected to a mirror port does not have an IP address to target with an ACK scan nor is there anything behind the IDS to map.

Topics

#ACK scan#stateless firewall#port scanning#firewall bypass

Community Discussion

No community discussion yet for this question.

Full GCIH Practice