To see how some of the hosts on your network react, Winston sends out SYN packets to an IP
range. A number of IPs respond with a SYN/ACK response. Before the connection is established
he sends RST packets to those hosts to stop the session. Winston has done this to see how his
intrusion detection system will log the traffic. What type of scan is Winston attempting here?
A. Winston is attempting to find live hosts on your company’s network by using an XMAS scan.
B. He is utilizing a SYN scan to find live hosts that are listening on your network.
C. This type of scan he is using is called a NULL scan.
D. He is using a half-open scan to find live hosts on your network.
Why is B wrong?
Correct answer should be B or D.
SYN scanning
SYN scan is another form of TCP scanning. Rather than use the operating system’s network functions, the port scanner generates raw IP packets itself, and monitors for responses. This scan type is also known as “half-open scanning”, because it never actually opens a full TCP connection. The port scanner generates a SYN packet. If the target port is open, it will respond with a SYN-ACK packet. The scanner host responds with an RST packet, closing the connection before the handshake is completed. If the port is closed but unfiltered, the target will instantly respond with an RST packet.
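
Added example, not part of the original thread: a small detector for the SYN, SYN/ACK, RST sequence the question describes, the kind of record an intrusion detection system would key on. The packet list is constructed (documentation address ranges), and the function names and threshold are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample capture: (src, sport, dst, dport, tcp_flags).
# Addresses are documentation ranges, not values from the page.
PACKETS = [
    # 192.0.2.10 probes three hosts; two answer SYN/ACK and get a bare RST back.
    ("192.0.2.10", 40001, "198.51.100.5", 80, "S"),
    ("198.51.100.5", 80, "192.0.2.10", 40001, "SA"),
    ("192.0.2.10", 40001, "198.51.100.5", 80, "R"),
    ("192.0.2.10", 40002, "198.51.100.6", 80, "S"),
    ("198.51.100.6", 80, "192.0.2.10", 40002, "SA"),
    ("192.0.2.10", 40002, "198.51.100.6", 80, "R"),
    ("192.0.2.10", 40003, "198.51.100.7", 80, "S"),
    ("198.51.100.7", 80, "192.0.2.10", 40003, "RA"),  # closed port answers RST
    # 192.0.2.20 completes a normal three-way handshake.
    ("192.0.2.20", 51000, "198.51.100.5", 80, "S"),
    ("198.51.100.5", 80, "192.0.2.20", 51000, "SA"),
    ("192.0.2.20", 51000, "198.51.100.5", 80, "A"),
]

def classify_flows(packets):
    """Return {(client, cport, server, sport): state} for flows started by a SYN."""
    state = {}
    for src, sport, dst, dport, flags in packets:
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if flags == "S":
            state[fwd] = "syn_sent"
        elif flags == "SA" and state.get(rev) == "syn_sent":
            state[rev] = "syn_ack_seen"
        elif "R" in flags and state.get(rev) == "syn_sent":
            state[rev] = "closed"        # server refused: port closed
        elif "R" in flags and state.get(fwd) == "syn_ack_seen":
            state[fwd] = "half_open"     # client reset instead of sending ACK
        elif flags == "A" and state.get(fwd) == "syn_ack_seen":
            state[fwd] = "established"
    return state

def half_open_sources(packets, threshold=2):
    """Sources that reset at least `threshold` distinct targets after a SYN/ACK."""
    targets = defaultdict(set)
    for (client, _, server, port), st in classify_flows(packets).items():
        if st == "half_open":
            targets[client].add((server, port))
    return {c: sorted(t) for c, t in targets.items() if len(t) >= threshold}

if __name__ == "__main__":
    print(half_open_sources(PACKETS))
```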