GCIH · Question #786
Why is a nmap SYN scan useful for network scanning?
The correct answer is C. The scan is stealthy because most hosts do not log the connection. A nmap SYN scan (half-open scan) never completes the TCP three-way handshake, which reduces its visibility to host-based logging systems. This makes it more stealthy than a full TCP connect scan.
Question
Why is a nmap SYN scan useful for network scanning?
Options
- AIt includes application-specific payloads for certain ports
- BThe entire TCP handshake is completed for each port in the scan
- CThe scan is stealthy because most hosts do not log the connection
- DIt tries to determine the version number of the program discovered on the listening port
How the community answered
(15 responses)- A7% (1)
- B7% (1)
- C87% (13)
Why each option
A nmap SYN scan (half-open scan) never completes the TCP three-way handshake, which reduces its visibility to host-based logging systems. This makes it more stealthy than a full TCP connect scan.
Sending application-specific payloads to specific ports describes nmap script-based or service probing scans, not the SYN scan technique.
Completing the entire TCP handshake describes the nmap full TCP connect scan (-sT), which is the opposite of what a SYN scan does.
The SYN scan sends a SYN packet and, upon receiving a SYN-ACK, immediately sends a RST to tear down the connection before it is fully established. Because no complete TCP session is formed, many operating systems and older logging solutions do not record the attempt, making it significantly harder to detect than a full connect scan (-sT).
Determining the version number of a listening service describes nmap version detection (-sV flag), which is a separate scan type unrelated to SYN scanning.
Concept tested: Nmap SYN half-open scan stealth behavior
Source: https://nmap.org/book/synscan.html
Topics
Community Discussion
No community discussion yet for this question.