Scan Types & Responses Flashcards
TCP Connect
Runs through a full connection (three-way handshake) on all ports. Easiest to detect, but possibly the most reliable.
Open ports will respond with a SYN/ACK, closed ports with a RST/ACK.
SYN
Known as a “half-open scan.” Only SYN packets are sent to ports (no completion of the three-way handshake ever takes place).
Open ports will respond with a SYN/ACK, closed ports with a RST/ACK.
FIN
Scans run the communications setup in reverse, sending a packet with the FIN flag set.
Closed ports will respond with RST, whereas open ports won’t respond at all.
XMAS
A Christmas scan is so named because the packet is sent with multiple flags (FIN, URG, and PSH) set.
Closed ports will respond with RST, whereas open ports won’t respond at all.
ACK
Used mainly for Unix/Linux-based systems.
Open ports will send RST; closed ports give no answer.
IDLE
Uses a spoofed IP address to elicit port responses during a scan. Designed for stealth, this scan uses a SYN flag and monitors responses as with a SYN scan.
Open = SYN/ACK, Closed = RST/ACK
NULL
Almost the opposite of the XMAS scan. The NULL scan sends packets with no flags set.
Responses will vary, depending on the OS and version, but NULL scans are designed for Unix/Linux machines.