GCIH Question #786: Real Exam Question with Answer & Explanation
The correct answer is C: The scan is stealthy because most hosts do not log the connection.
Reconnaissance, Scanning, and Enumeration
Question
Why is an nmap SYN scan useful for network scanning?
Options
- A. It includes application-specific payloads for certain ports
- B. The entire TCP handshake is completed for each port in the scan
- C. The scan is stealthy because most hosts do not log the connection
- D. It tries to determine the version number of the program discovered on the listening port
Explanation
An nmap SYN scan (half-open scan) never completes the TCP three-way handshake: it sends a SYN, reads the SYN/ACK or RST that comes back, and answers an open port with a RST instead of an ACK. Because no connection is ever established, the listening application never sees it, which reduces the scan's visibility to host-based logging systems. This makes it more stealthy than a full TCP connect scan.
Common mistakes
- A. Sending application-specific payloads to specific ports describes nmap's script-based (NSE) or service-probing scans, not the SYN scan technique.
- B. Completing the entire TCP handshake describes the nmap full TCP connect scan (-sT), which is the opposite of what a SYN scan does.
- D. Determining the version number of a listening service describes nmap version detection (the -sV option), a separate feature that runs on top of a port scan and is unrelated to the SYN technique itself.
Concept tested. Nmap SYN (half-open) scan stealth behavior
Reference. https://nmap.org/book/synscan.html
Topics
- nmap
- SYN scan
- stealth scanning
- half-open scan