
312-50v12 Exam - Question 114


Sam is a penetration tester hired by Inception Tech, a security organization. He was asked to perform port scanning on a target host in the network. While performing the given task, Sam sends FIN/ACK probes and determines that an RST packet is sent in response by the target host, indicating that the port is closed.

What is the port scanning technique used by Sam to discover open ports?

Correct Answer: C

Sam used the TCP Maimon scan technique. This method involves sending TCP packets with the FIN and ACK flags set to a target port. If the port is closed, the target responds with an RST packet. If the port is open, the packet is ignored in many cases, particularly on BSD-derived systems. This scanning technique helps in determining the state of the ports based on their responses to the specialized probes.
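The probe types compared on this page differ only in the TCP flag byte, which is also what a defender can key on. The following Python is an added example, not part of the original page or the CEH material: it parses constructed TCP headers and labels stateless probes (FIN/ACK for Maimon, bare ACK, NULL, FIN, Xmas) on flows that never saw a SYN. The function names, addresses and sample capture are assumptions made for illustration.

```python
import struct
from collections import Counter

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Exact flag bytes that are suspicious when no handshake preceded them.
PROBE_NAMES = {
    0x00: "NULL scan",
    FIN: "FIN scan",
    FIN | PSH | URG: "Xmas scan",
    FIN | ACK: "Maimon scan",
    ACK: "ACK flag probe scan",
}

def tcp_header(sport, dport, flags, seq=0, ack=0):
    """Build a constructed 20-byte TCP header (checksum left at zero)."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 1024, 0, 0)

def parse_flags(header):
    """Return (sport, dport, flags) from a raw TCP header."""
    sport, dport, _seq, _ack, _off, flags = struct.unpack("!HHIIBB", header[:14])
    return sport, dport, flags & 0x3F

def classify_probes(packets):
    """packets: iterable of (src_ip, dst_ip, raw_tcp_header) in capture order.
    Segments on a flow that never saw a SYN are treated as stateless probes."""
    opened = set()        # flows (direction-agnostic) where a SYN was seen
    findings = Counter()  # (src_ip, scan name) -> number of probes
    for src, dst, raw in packets:
        sport, dport, flags = parse_flags(raw)
        flow = frozenset([(src, sport), (dst, dport)])
        if flags & SYN:
            opened.add(flow)
        elif flow not in opened and flags in PROBE_NAMES:
            findings[(src, PROBE_NAMES[flags])] += 1
    return findings

# Constructed sample capture: one normal session plus stray probes.
SAMPLE = [
    ("192.0.2.5", "192.0.2.9", tcp_header(40000, 443, SYN)),
    ("192.0.2.9", "192.0.2.5", tcp_header(443, 40000, SYN | ACK)),
    ("192.0.2.5", "192.0.2.9", tcp_header(40000, 443, ACK)),
    ("192.0.2.5", "192.0.2.9", tcp_header(40000, 443, FIN | ACK)),  # normal close
    ("192.0.2.7", "192.0.2.9", tcp_header(51000, 22, FIN | ACK)),   # no handshake
    ("192.0.2.7", "192.0.2.9", tcp_header(51000, 23, FIN | ACK)),   # no handshake
    ("192.0.2.7", "192.0.2.9", tcp_header(51001, 80, ACK)),         # bare ACK
    ("192.0.2.9", "192.0.2.7", tcp_header(23, 51000, RST)),         # closed-port reply
]
```

Connections that were already established before the capture began would also appear as handshake-less segments, so a real deployment would pair this with a per-source threshold across many destination ports.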

Discussion

14 comments
jeremy13 (Option: C)
May 3, 2023

C. TCP Maimon scan
Like V11 Q170
CEH Book V12 Module 03 P302
From the book:
Probe packet (FIN/ACK)
==> No response - Port is open
==> ICMP unreachable error response - Port is filtered
==> RST packet response - Port is closed

jeremy13
May 29, 2023

https://nmap.org/book/scan-methods-maimon-scan.html

mnemgig
Aug 11, 2023

From NMAP: The Maimon scan is named after its discoverer, Uriel Maimon. He described the technique in Phrack Magazine issue #49 (November 1996). Nmap, which included this technique, was released two issues later. This technique is exactly the same as NULL, FIN, and Xmas scan, except that the probe is FIN/ACK. According to RFC 793 (TCP), a RST packet should be generated in response to such a probe whether the port is open or closed. However, Uriel noticed that many BSD-derived systems simply drop the packet if the port is open.

woohoolou (Option: C)
Aug 17, 2023

Answer is definitely C. It is clearly in the CEH book. TCP Maimon scans use a FIN/ACK probe. The people who chose D were using chatbots like ChatGPT to verify the answer. Unfortunately ChatGPT does not know what a TCP Maimon scan is at the moment so it hallucinates the answer as D.

victorfs (Option: C)
May 16, 2023

C. TCP Maimon scan

Bal7a (Option: D)
Jun 20, 2023

D. ACK flag probe scan

In an ACK flag probe scan, the scanner sends TCP ACK packets to various ports on the target host. If the target host responds with an RST packet, it indicates that the port is closed. However, if there is no response or a different response is received, it suggests that the port is open or filtered.

The other scanning techniques mentioned are as follows:
A. Xmas scan: This scan involves sending packets with the FIN, URG, and PUSH flags set, probing the target host for open ports.
B. IDLE/IPID header scan: This scan examines the IP ID field in the packet header to determine if it increments predictably, indicating the presence of an open port.
C. TCP Maimon scan: This scan uses the TCP Maimon technique to send packets with different flag combinations to determine the state of the port.

Therefore, based on the given information, the correct answer is D. ACK flag probe scan.

YourFriendlyNeighborhoodSpider (Option: C)
Nov 12, 2023

IPconfig 2 weeks, 3 days ago

C TCP Maimon scan
This scan technique is very similar to NULL, FIN, and Xmas scan, but the probe used here is FIN/ACK. In most cases, to determine if the port is open or closed, the RST packet should be generated as a response to a probe request. However, in many BSD systems, the port is open if the packet gets dropped in response to a probe.

ACK Flag Probe Scan
Attackers send TCP probe packets with the ACK flag set to a remote device and then analyze the header information (TTL and WINDOW field) of the received RST packets to find out if the port is open or closed.

Since the question says FIN/ACK probes, not just ACK flag probes, the answer should be TCP Maimon scan.

eli117 (Option: D)
Apr 5, 2023

In an ACK flag probe scan, the scanner sends an ACK packet to a port on the target host. If the port is open, the target host will respond with an RST packet, indicating that it received the ACK packet but did not know how to handle it. If the port is closed, the target host will respond with an RST packet, indicating that it received the ACK packet but could not complete the connection. Xmas scan is a type of port scan that sends packets with the FIN, PSH, and URG flags set, while IDLE/IPID header scan and TCP Maimon scan are not commonly used port scanning techniques.


ZacharyDriver (Option: C)
Jul 24, 2023

C. TCP Maimon scan

insaniunt (Option: C)
Dec 28, 2023

C. TCP Maimon scan
This scan sends FIN/ACK probes to the target ports and determines their status based on the response. If the port is open, no response is sent back. If the port is closed, an RST packet is sent back.

sshksank (Option: C)
Jun 6, 2024

CEH V12 BOOK; Page 302

victorfs (Option: D)
May 16, 2023

D. ACK flag probe scan.

victorfs
May 16, 2023

Sorry, the correct option is C. TCP Maimon scan

Vincent_Lu (Option: D)
Jun 30, 2023

I choose D. ACK flag probe scan, but does anyone truly know the correct answer?

IPconfig (Option: C)
Oct 26, 2023

C TCP Maimon scan
This scan technique is very similar to NULL, FIN, and Xmas scan, but the probe used here is FIN/ACK. In most cases, to determine if the port is open or closed, the RST packet should be generated as a response to a probe request. However, in many BSD systems, the port is open if the packet gets dropped in response to a probe.

ACK Flag Probe Scan
Attackers send TCP probe packets with the ACK flag set to a remote device and then analyze the header information (TTL and WINDOW field) of the received RST packets to find out if the port is open or closed.

Since the question says FIN/ACK probes, not just ACK flag probes, the answer should be TCP Maimon scan.