Exam 312-50v13 topic 1 question 84 discussion

Key Context for ACK Flag Probe Scans Firewall Evasion: ACK probes are useful for bypassing simple firewalls that allow outbound traffic but restrict inbound connections. By sending ACK packets (which resemble response packets), they can elicit responses from hosts behind the firewall. Host Detection: While not definitive (some firewalls may drop all ACK packets), this method is more likely to succeed than other scans when dealing with restrictive rules. Stateful Firewalls: If the firewall tracks connection states, an ACK packet for an unsolicited connection may be rejected, but the response (or lack thereof) can still provide clues about host activity.

B. In the ARP ping scan, the ARP packets are sent for discovering all active devices in the IPv4 range even though the presence of such devices is hidden by restrictive firewalls.

ARP ping scan is correct. The rest are used primary for port scanning, not host discovery.

Correct: A (UDP scan) Question: Discovering devices hidden by RESTRICTIVE FW - for me it means you are NOT inside the network but behind the FW. So you can't use ARP resolution, which is L2 protocol working only inside the LAN. As FW is restrictive (supposedly stateful), it will for sure block incomplete TCP sessions - i. e. ACK flag scan will be blocked by FW (no session exists on FW). TCP Maimon scan will be blocked by FW as well - like ACK scan, Maimon is also based on incomplete TCP session with FIN/ACK flags set (no session exists on FW). UDP scan: • Many FWs struggle to track UDP sessions (UDP is stateless, no handshake like TCP). • Some FWs mistakenly assume that UDP is harmless and allow it without strict filtering. • UDP scanning can identify misconfigured firewall rules, revealing hidden services. • Many FWs focus on filtering TCP traffic because most applications use TCP. • UDP is often less restricted as it is required for essential services like DNS (53), SNMP (161) and DHCP (67/68). • UDP scanning can identify open services that a FW does not properly restrict.

B. ARP ping scan. ARP (Address Resolution Protocol) ping scan works at the link layer (Layer 2) and does not rely on IP-based scanning techniques like TCP or UDP. Since firewalls typically block ICMP pings and other IP-based scans, an ARP scan bypasses these restrictions by directly querying MAC addresses in the local network. This method is highly effective in discovering all active hosts on a LAN because all devices must respond to ARP requests.

ACK scan

An ACK flag probe scan is used to discover active hosts behind a restrictive firewall by sending TCP packets with the ACK flag set.

This correct answer is ARP ping scan

How it works: Sends ARP (Address Resolution Protocol) requests to discover devices on the same local network segment. Use case: Highly effective for host discovery within the same subnet because ARP is a layer 2 protocol and is rarely blocked by firewalls. Suitability: This is the best choice for discovering active devices hidden by a restrictive firewall, especially if the target network is within the same subnet.