What type of scan is Winston attempting here?

To see how some of the hosts on your network react, Winston sends out SYN packets to an IP range. A number of IPs respond with a SYN/ACK response. Before the connection is established he sends RST packets to those hosts to stop the session. Winston has done this to see how his intrusion detection system will log the traffic. What type of scan is Winston attempting here?

A.
Winston is attempting to find live hosts on your company’s network by using an XMAS scan.

B.
He is utilizing a SYN scan to find live hosts that are listening on your network.

C.
This type of scan he is using is called a NULL scan.

D.
He is using a half-open scan to find live hosts on your network.
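The exchange the question describes (SYN out, SYN/ACK back, RST before the handshake completes) is what a flow-tracking IDS sees when it logs a half-open scan, and it is also the distinction between SYN-only, half-open and full-connect probes that the comments below argue over. The following is an added example for this page, not code from the question's author or any commenter. It assumes a tcpdump-style text log with one line per packet (the format, the 10.0.0.0/29 addresses and the flag sequences are constructed for illustration) and labels each probe the way a simple sensor would.

```python
"""Classify the TCP exchanges from the question the way a flow-tracking IDS would.
Added example for this page; the log format and addresses are made up."""
from collections import Counter, defaultdict

# Constructed sample of what a packet logger might emit for the scenario in the
# question: one scanner (10.0.0.5, assumed) probing port 80 across a small range.
# Flags use tcpdump-style letters: S=SYN, A=ACK, R=RST.  Not real traffic.
SAMPLE_LOG = """\
10.0.0.5:40001 > 10.0.0.10:80 S
10.0.0.10:80 > 10.0.0.5:40001 SA
10.0.0.5:40001 > 10.0.0.10:80 R
10.0.0.5:40002 > 10.0.0.11:80 S
10.0.0.11:80 > 10.0.0.5:40002 SA
10.0.0.5:40002 > 10.0.0.11:80 R
10.0.0.5:40003 > 10.0.0.12:80 S
10.0.0.12:80 > 10.0.0.5:40003 RA
10.0.0.5:40004 > 10.0.0.13:80 S
10.0.0.5:40005 > 10.0.0.14:80 S
10.0.0.14:80 > 10.0.0.5:40005 SA
10.0.0.5:40005 > 10.0.0.14:80 A
"""

HALF_OPEN = "half-open (SYN) scan, port open"
FULL_CONNECT = "full connect, port open"
CLOSED = "closed port (RST/ACK)"
NO_RESPONSE = "no response (filtered or host down)"
INCOMPLETE = "SYN/ACK received, handshake left unanswered"


def parse_line(line):
    """'src:sport > dst:dport FLAGS' -> (src, sport, dst, dport, flags)."""
    src, _, dst, flags = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return sip, int(sport), dip, int(dport), flags


def track_flows(log_text):
    """Group packets into probes keyed by (target, target_port, scanner_port).

    Each probe is a list of (direction, flags): 'out' = scanner -> target,
    'in' = target -> scanner.  The scanner is whoever sends the bare SYNs.
    """
    packets = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    scanners = {p[0] for p in packets if p[4] == "S"}
    if len(scanners) != 1:
        raise ValueError("expected exactly one scanning host, got %r" % scanners)
    scanner = scanners.pop()
    flows = defaultdict(list)
    for sip, sport, dip, dport, flags in packets:
        if sip == scanner:
            flows[(dip, dport, sport)].append(("out", flags))
        else:
            flows[(sip, sport, dport)].append(("in", flags))
    return flows


def classify(events):
    """Label one probe from the sequence of flags seen on it."""
    if not events or events[0] != ("out", "S"):
        return "not a SYN probe"
    if len(events) == 1:
        return NO_RESPONSE
    if events[1] == ("in", "RA"):
        return CLOSED
    if events[1] == ("in", "SA"):
        if len(events) == 2:
            # Only seen with raw-socket tools that suppress the kernel's RST,
            # or when the sensor dropped the third packet.
            return INCOMPLETE
        if events[2] == ("out", "R"):
            # The question's case: SYN, SYN/ACK, then RST before the
            # connection is established.  nmap -sS looks exactly like this.
            return HALF_OPEN
        if events[2] == ("out", "A"):
            return FULL_CONNECT
    return "unclassified"


def analyze(log_text):
    """Map 'target:port' -> verdict for every probe in the log."""
    return {"%s:%d" % (t, p): classify(ev)
            for (t, p, _), ev in track_flows(log_text).items()}


def live_hosts(log_text):
    """Hosts that answered at all: SYN/ACK or RST/ACK both prove a live stack."""
    return {t for (t, _, _), ev in track_flows(log_text).items()
            if any(d == "in" for d, _ in ev)}


def scan_verdict(log_text):
    """What the IDS would log as the scan type: the most common per-probe label."""
    return Counter(analyze(log_text).values()).most_common(1)[0][0]


if __name__ == "__main__":
    for probe, verdict in sorted(analyze(SAMPLE_LOG).items()):
        print("%-16s %s" % (probe, verdict))
    print("live hosts:", sorted(live_hosts(SAMPLE_LOG)))
    print("scan type:", scan_verdict(SAMPLE_LOG))
```

Two things the run shows that the answer choices blur together: the RST after the SYN/ACK is what makes the probe "half-open", and a host that answers with RST/ACK on a closed port still counts as live, so a SYN sweep across a range does double duty as host discovery even where no port is listening.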





leo

I agree rednael, you are right. However, I can also see why D would be correct simply because of this statement “To see how some of the hosts on your network react, Winston sends out SYN packets to an IP range”. Very tricky, could go both ways, but this could mean she is looking for “live hosts”.

leo

EDIT: and you are capable of doing host discovery via TCP.

Gio

I think that the answer is not 100% right, even if it is the closest. I consider SYN scan, half-open and full connect to be different scans; the matter is what you respond with:
– SYN scan: you send only the first SYN; after the SYN/ACK you do not respond. You can think of it as the same as a FIN scan or an ACK scan, where only one packet with one flag active is sent.
– Half open: you send the first SYN; after the SYN/ACK you respond with RST.
– Full connect: you send the first SYN; after the SYN/ACK you respond with the ACK.

This is not the way it is seen in CEH; it's a more logical approach.

Chino

So, which of the two is the answer guys? Please help!

sys-halt

I would go with option D.

I think the trick is in the answers. For example, when answer B says "looking for live hosts that are listening on your network", it is like saying there might be live hosts that are not listening and cannot be identified!

And normally we use the "listening" part for hosts with services running, like HTTP or FTP: hosts with services open for others to connect to.

Option D simply says "to find live hosts on your network", which is a simple answer not complicated with any additions like option B.

Eduardo

Guys! Can you see this?

http://www.aiotestking.com/ec-council/2011/08/what-type-of-scan-is-hayden-attempting-here/

Same question, different answer. And:

http://www.aiotestking.com/comptia/2012/08/which-of-the-following-is-a-computer-program-that-is-designed-to-assess-computers-computer-systems-networks-or-applications-for-weaknesses/

“A SYN scan is a type of TCP scanning. This scan type is also known as ‘half-open scanning’ because it does not open a full TCP connection. The port scanner generates a SYN packet. If the target port is open, it responds with a SYN-ACK packet. The scanner host responds with an RST packet, closing the connection before the handshake is completed.”

and the answer is……