Get Unlimited Contributor Access to the all ExamTopics Exams!
Take advantage of PDF Files for 1000+ Exams along with community discussions and pass IT Certification Exams Easily.
If you send a TCP ACK segment to a known closed port on a firewall but it does not respond with an RST, what do you know about the firewall you are scanning?
A.
It is a non-stateful firewall.
B.
There is no firewall in place.
C.
It is a stateful firewall.
D.
This event does not tell you anything about the firewall.
Sending an ACK probe packet with a random sequence number and getting no response from the target means that the port is filtered (stateful firewall is present); an RST response from the target means that the port is not filtered (no firewall is present).CEH pg 204
if ACK flg filters / probed and NO RST REPSONSE ---> PORT IS FILTERED Stateful Firewall
If ACK flg Filters / probed and RST RESPONSE--> PORT is filtered.---> NO FIREWALL PRESENT.
CEH v12 pg 302/2113. ANSWER is C
The correct option is C.
Si se envía un segmento TCP ACK a un puerto cerrado en un firewall y no se recibe una respuesta RST, se puede inferir que se trata de un firewall stateful.
If you send a TCP ACK segment to a known closed port on a firewall but it does not respond with an RST, and you receive no other response, it is likely that the firewall is configured to silently drop the incoming packet. This behavior is characteristic of stateful firewalls, which maintain a table of connections and only allow traffic that belongs to an established connection or meets specific criteria defined in the firewall rules. Therefore, the correct answer is C. It is a stateful firewall.
ACK Flag Probe scan
Send TCP probe packets with the ACK flag set to a remote device and then analyze the header information (TTL and WINDOW field) of the received RST packets to find out if the port is open or closed.
# Nmap -sA -v <target IP address> (P.311/295)
Attackers send an ACK probe packet with a random sequence number, and no response implies that the port is filtered (stateful firewall is present),
whereas an RST response means that the port is not filtered.
Page 295 - ACK Flag Probe Scan.
From nmap docs:
"When scanning unfiltered systems, open and closed ports will both return a RST packet."
In this question we know that the port is closed, so the response would have been RST if the sending ACK packet isn't filtrated. Because there is no response, the sending ACK packet has been filtrated. That means that something is filtrating this packet (either stateful or stateless firewall).
From Victor's Udemy:
"Stateful firewalls will discard out-of-sync ACK packets, leading to no response. When this occurs, the port is marked as filtered."
With this, I am going with C, stateful firewall
I'm also going with D and this is why:
The question says that you are knocking on a known closed port on the Firewall. This is important.
If you know beforehand the port is closed on the firewall itself, you won't get any response regardless if it's a stateless or statefull firewall.
What most people are saying about detecting stateful firewalls is with regards to an open port on the firewall... If the port is open on the firewall and you try to inject an ACK packet, a stateful firewall will understand that's an unsolicited packet and discard it, so you get no response from the server itself.
Your logic is good, but unfortunately that is incorrect. If you have a quick google search of TCP ACK scans - you will see that a port responds with RST regardless of it is closed or open :)
source: https://iphelix.medium.com/port-scanning-techniques-7661839d182e
C is the correct answer: Attackers send an ACK probe packet with a random sequence number, and no response implies that the port is filtered (stateful firewall is present), whereas an RST response means that the port is not filtered "CEH 312-50v11 page 311"
A voting comment increases the vote count for the chosen answer by one.
Upvoting a comment with a selected answer will also increase the vote count towards that answer by one.
So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.
AmrAwad
Highly Voted 3 years ago_Storm_
Highly Voted 2 years, 11 months agoMH2
Most Recent 7 months, 1 week agokunnu
7 months, 2 weeks agovictorfs
11 months, 2 weeks agosriharik0908
1 year agoDar87
1 year, 5 months agoDaniel8660
1 year, 6 months agoflinux
1 year, 7 months agoMMtc
1 year, 9 months agostrale
1 year, 10 months agokhan1998
1 year, 10 months agokhan1998
1 year, 10 months agobolshoibooze
1 year, 10 months agoJbarazani
1 year, 6 months agopeterpanko
1 year, 11 months agojosek19
2 years agoKruHacker01
2 years, 2 months agoCrash_Override
2 years, 2 months ago