C It is a stateful firewall

ACK -> no response = filtered ACK -> RST/ACK = unfiltered

Sending an ACK probe packet with a random sequence number and getting no response from the target means that the port is filtered (stateful firewall is present); an RST response from the target means that the port is not filtered (no firewall is present).CEH pg 204

if ACK flg filters / probed and NO RST REPSONSE ---> PORT IS FILTERED Stateful Firewall If ACK flg Filters / probed and RST RESPONSE--> PORT is filtered.---> NO FIREWALL PRESENT. CEH v12 pg 302/2113. ANSWER is C

The correct option is C. Si se envía un segmento TCP ACK a un puerto cerrado en un firewall y no se recibe una respuesta RST, se puede inferir que se trata de un firewall stateful.

If you send a TCP ACK segment to a known closed port on a firewall but it does not respond with an RST, and you receive no other response, it is likely that the firewall is configured to silently drop the incoming packet. This behavior is characteristic of stateful firewalls, which maintain a table of connections and only allow traffic that belongs to an established connection or meets specific criteria defined in the firewall rules. Therefore, the correct answer is C. It is a stateful firewall.

Stateful because it is filtering out the port.

ACK Flag Probe scan Send TCP probe packets with the ACK flag set to a remote device and then analyze the header information (TTL and WINDOW field) of the received RST packets to find out if the port is open or closed. # Nmap -sA -v <target IP address> (P.311/295)

the answer is C

Attackers send an ACK probe packet with a random sequence number, and no response implies that the port is filtered (stateful firewall is present), whereas an RST response means that the port is not filtered. Page 295 - ACK Flag Probe Scan.

From nmap docs: "When scanning unfiltered systems, open and closed ports will both return a RST packet." In this question we know that the port is closed, so the response would have been RST if the sending ACK packet isn't filtrated. Because there is no response, the sending ACK packet has been filtrated. That means that something is filtrating this packet (either stateful or stateless firewall). From Victor's Udemy: "Stateful firewalls will discard out-of-sync ACK packets, leading to no response. When this occurs, the port is marked as filtered." With this, I am going with C, stateful firewall

D correct

I'm also going with D and this is why: The question says that you are knocking on a known closed port on the Firewall. This is important. If you know beforehand the port is closed on the firewall itself, you won't get any response regardless if it's a stateless or statefull firewall. What most people are saying about detecting stateful firewalls is with regards to an open port on the firewall... If the port is open on the firewall and you try to inject an ACK packet, a stateful firewall will understand that's an unsolicited packet and discard it, so you get no response from the server itself.

it can be also stateless FW, so it does not say anything.

Attackers send an ACK probe packet with a random sequence number, and no response implies that the port is filtered (stateful firewall is present)

C is the correct answer: Attackers send an ACK probe packet with a random sequence number, and no response implies that the port is filtered (stateful firewall is present), whereas an RST response means that the port is not filtered "CEH 312-50v11 page 311"

Answer Is C