To see how some of the hosts on your network react, Winston sends out SYN packets to an IP range. A number of IPs respond with a SYN/ACK response. Before the connection is established he sends RST packets to those hosts to stop the session. Winston has done this to see how his intrusion detection system will log the traffic. What type of scan is Winston attempting here?
A.
Winston is attempting to find live hosts on your company’s network by using an XMAS scan.
B.
He is utilizing a SYN scan to find live hosts that are listening on your network.
C.
This type of scan he is using is called a NULL scan.
D.
He is using a half-open scan to find live hosts on your network.
A SYN scan is the same as a Half-Open scan…
http://en.wikipedia.org/wiki/Port_scanner#SYN_scanning
And because answer B also states that the hosts “are listening on your network”, that answer is more correct than answer D.
Great!
I agree rednael, you are right. However, I can also see why D would be correct, simply because of this statement: “To see how some of the hosts on your network react, Winston sends out SYN packets to an IP range”. Very tricky; it could go both ways, but this could mean she is looking for “live hosts”.
EDIT: and you are capable of doing host discovery via TCP.
I think that the answer is not 100% right, even if it is the closest. I consider SYN scan, Half Open and Full Connect different scans; the matter is what you respond with:
– SYN Scan: You send only the first SYN; after the SYN/ACK you do not respond. You can think of it as the same as a FIN scan or ACK scan, where only one packet with one flag active is sent.
– Half Open: You send the first SYN; after the SYN/ACK you respond with RST.
– Full Connect: You send the first SYN; after the SYN/ACK you respond with the ACK.
This is not the way it is seen in CEH; it’s a more logical approach.
So, which of the two is the answer, guys? Please help!
I would go with option D.
I think the trick is in the answers. For example, when answer B says looking for live hosts that are listening on your network, it is like saying there might be live hosts that are not listening and cannot be identified!
And normally we use the “listening” part for hosts with services running, like HTTP or FTP: hosts with services open for others to connect to.
Option D simply says to find live hosts on your network, which is a simple answer, not complicated with any additions like option B.
Guys! Can you see this?
http://www.aiotestking.com/ec-council/2011/08/what-type-of-scan-is-hayden-attempting-here/
Same question, different answer.
and
http://www.aiotestking.com/comptia/2012/08/which-of-the-following-is-a-computer-program-that-is-designed-to-assess-computers-computer-systems-networks-or-applications-for-weaknesses/
“A SYN scan is a type of TCP scanning. This scan type is also known as ‘half-open scanning’ because it does not open a full TCP connection. The port scanner generates a SYN packet. If the target port is open, it responds with a SYN-ACK packet. The scanner host responds with an RST packet that causes the connector before the handshake is completed”
And the answer is…… D
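To make the half-open exchange the thread argues about concrete (SYN out, SYN/ACK back, RST instead of the final ACK), here is an added example that is not from any of the posts above. It models the scanner and the target at the TCP-header level with struct, so it runs offline and without raw-socket privileges; the target's open/filtered port sets, the sequence numbers and the port list are constructed for illustration, and the TCP checksum is left at zero by assumption because there is no IP pseudo-header in this model. The last function shows the trace the way an IDS on the wire would see it.

```python
"""Half-open (SYN) scan exchange modelled at the TCP-header level.

Added example for the thread above, not code from the original posts. Packets
are built in memory with struct, so it runs offline and without raw-socket
privileges. The target, its open/filtered port sets and the sequence numbers
are constructed for illustration; the TCP checksum is left at zero (assumed,
since there is no IP pseudo-header in this model).
"""
import struct
from collections import defaultdict

# TCP flag bits from RFC 793
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10

# sport, dport, seq, ack, data offset, flags, window, checksum, urgent pointer
TCP_HDR = struct.Struct("!HHIIBBHHH")


def build_tcp(sport, dport, seq, ack, flags, window=65535):
    """Return a 20-byte TCP header (data offset 5 words, checksum 0 by assumption)."""
    return TCP_HDR.pack(sport, dport, seq, ack, 5 << 4, flags, window, 0, 0)


def parse_tcp(pkt):
    sport, dport, seq, ack, _off, flags, _win, _csum, _urg = TCP_HDR.unpack_from(pkt)
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags}


def target_reply(pkt, open_ports, filtered_ports=frozenset(), isn=0x1000):
    """Constructed target behaviour: SYN/ACK for an open port, RST/ACK for a
    closed port (RFC 793 reset rules), nothing for a filtered port, and
    nothing in reply to a RST."""
    p = parse_tcp(pkt)
    if p["dport"] in filtered_ports or p["flags"] & RST:
        return None
    if p["flags"] & SYN and not p["flags"] & ACK:
        if p["dport"] in open_ports:
            return build_tcp(p["dport"], p["sport"], isn, p["seq"] + 1, SYN | ACK)
        return build_tcp(p["dport"], p["sport"], 0, p["seq"] + 1, RST | ACK)
    return None


def syn_scan(ports, open_ports, filtered_ports=frozenset(), sport=40000, isn=0x2000):
    """Half-open scan: send SYN, classify the reply, and answer any SYN/ACK
    with a RST so the three-way handshake is never completed. Returns the
    per-port verdicts and the packet trace (what an IDS on the wire sees)."""
    results, trace = {}, []
    for port in ports:
        syn = build_tcp(sport, port, isn, 0, SYN)
        trace.append(("scanner", syn))
        reply = target_reply(syn, open_ports, filtered_ports)
        if reply is None:
            results[port] = "filtered"      # no answer: dropped or silently filtered
            continue
        trace.append(("target", reply))
        r = parse_tcp(reply)
        if r["flags"] & SYN and r["flags"] & ACK and r["ack"] == isn + 1:
            results[port] = "open"
            # Tear down instead of ACKing: seq = the value the target expects next,
            # flags = RST only, so the target never sees an established connection.
            rst = build_tcp(sport, port, r["ack"], 0, RST)
            trace.append(("scanner", rst))
            target_reply(rst, open_ports, filtered_ports)  # target drops it silently
        elif r["flags"] & RST:
            results[port] = "closed"
    return results, trace


def half_open_ports(trace):
    """Detection view: ports where the exchange was exactly
    SYN -> SYN/ACK -> RST with no ACK from the client. Many such ports from one
    source in a short window is the signature an IDS keys on for a SYN scan."""
    by_port = defaultdict(list)
    for sender, pkt in trace:
        p = parse_tcp(pkt)
        port = p["dport"] if sender == "scanner" else p["sport"]
        by_port[port].append((sender, p["flags"]))
    pattern = [("scanner", SYN), ("target", SYN | ACK), ("scanner", RST)]
    return {port for port, seq in by_port.items() if seq == pattern}


if __name__ == "__main__":
    # Constructed target: 22 and 80 open, 443 silently filtered, everything else closed.
    verdicts, trace = syn_scan([22, 25, 80, 443], open_ports={22, 80}, filtered_ports={443})
    print(verdicts)
    print("half-open handshakes seen on ports:", sorted(half_open_ports(trace)))
```

The scanner side is what a tool like `nmap -sS` does on a real network (with raw sockets and real checksums); the point of the RST is that no port ever reaches the ESTABLISHED state, so the target's accept queue and application logs stay empty while a packet-level IDS still sees the SYN and the RST from the same source against many ports.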