PrepAway - Latest Free Exam Questions & Answers

What should be the next logical step that should be performed?

You are conducting a port scan on a subnet that has ICMP blocked. You have discovered 23 live
systems and after scanning each of them you notice that they all show port 21 in closed state.

What should be the next logical step that should be performed?


A.
Connect to open ports to discover applications.

B.
Perform a ping sweep to identify any additional systems that might be up.

C.
Perform a SYN scan on port 21 to identify any additional systems that might be up.

D.
Rescan every computer to verify the results.

Explanation:
Because ICMP is blocked, you will have trouble determining which computers are up and
running by using a ping sweep. Since all 23 computers that you discovered earlier had port
21 closed, any additional, previously unknown systems will probably also have port 21 closed. By
running a SYN scan on port 21 over the target network, you might get replies from additional
systems.
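
An added example (not part of the original page) showing why a closed port still reveals a live host even with ICMP blocked: it applies Nmap's documented SYN-scan state rules to constructed replies. The reply tuple format, the function names and the 192.0.2.x addresses are assumptions made for illustration.

```python
# TCP flag bits as they appear in the TCP header flags byte.
SYN, RST, ACK = 0x02, 0x04, 0x10
# ICMP type 3 (destination unreachable) codes that Nmap maps to "filtered".
FILTERED_ICMP_CODES = {1, 2, 3, 9, 10, 13}

def classify(reply):
    """Return (port_state, proves_host_up) for one reply to a SYN probe.

    reply is None (no answer after retransmissions), ("tcp", flags)
    or ("icmp", type, code). This tuple format is hypothetical.
    """
    if reply is None:
        return "filtered", False
    if reply[0] == "tcp":
        flags = reply[1]
        if flags & RST:
            # A RST comes from the target's own TCP stack, so the host is up
            # even though nothing listens on the port.
            return "closed", True
        if flags & SYN:
            # SYN/ACK, or a bare SYN (simultaneous open / split handshake).
            return "open", True
        return "unknown", True
    if reply[0] == "icmp" and reply[1] == 3 and reply[2] in FILTERED_ICMP_CODES:
        # The error may be sent by a firewall or router in the path, so it is
        # not treated here as proof that the target itself is alive.
        return "filtered", False
    return "unknown", False

def live_hosts(replies):
    """Hosts whose reply to the port 21 probe proves they are up."""
    return sorted(h for h, r in replies.items() if classify(r)[1])

# Constructed sample replies to a SYN probe on port 21 (RFC 5737 addresses).
SAMPLE_REPLIES = {
    "192.0.2.10": ("tcp", RST | ACK),  # port closed, host revealed anyway
    "192.0.2.11": ("tcp", SYN | ACK),  # port open
    "192.0.2.12": None,                # silent: dropped or no host
    "192.0.2.13": ("icmp", 3, 13),     # administratively prohibited
    "192.0.2.14": ("tcp", SYN),        # bare SYN, counted as open
}

if __name__ == "__main__":
    for host, reply in SAMPLE_REPLIES.items():
        print(host, *classify(reply))
    print("proven up:", live_hosts(SAMPLE_REPLIES))
```

For defenders, the takeaway is that hosts returning RST for closed ports remain discoverable when ICMP is blocked; only silently dropping the probe at a filter removes that signal.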

5 Comments on “What should be the next logical step that should be performed?”

  1. Don says:

    C is the answer.

    SYN scan is the default and most popular scan option for good reasons. It can be performed quickly, scanning thousands of ports per second on a fast network not hampered by restrictive firewalls. It is also relatively unobtrusive and stealthy since it never completes TCP connections. SYN scan works against any compliant TCP stack rather than depending on idiosyncrasies of specific platforms as Nmap’s FIN/NULL/Xmas, Maimon and idle scans do. It also allows clear, reliable differentiation between the open, closed, and filtered states.

    This technique is often referred to as half-open scanning, because you don’t open a full TCP connection. You send a SYN packet, as if you are going to open a real connection and then wait for a response. A SYN/ACK indicates the port is listening (open), while a RST (reset) is indicative of a non-listener. If no response is received after several retransmissions, the port is marked as filtered. The port is also marked filtered if an ICMP unreachable error (type 3, code 1, 2, 3, 9, 10, or 13) is received. The port is also considered open if a SYN packet (without the ACK flag) is received in response. This can be due to an extremely rare TCP feature known as a simultaneous open or split handshake connection (see http://nmap.org/misc/split-handshake.pdf).

  2. vikistarkz says:

    Because port 21 is not a secured port, if they haven’t filtered the port you can easily grab what info you want and reach your target. So p21 is in closed state for ICMP scan. If it is filtered in a firewall, it might be blocked ICMP. You can go through the firewall using a SYN scan (half scan) and check if p21 is open or closed.

    You can go through other open ports after this. Before that, you have to confirm that p21 is closed.

