During an internal penetration test you cannot get any replies from hosts in a DMZ using ICMP echo requests, and Nmap's default host-discovery probes also fail. Packet captures reveal that the firewall allows inbound traffic only to TCP port 443 for published HTTPS services while dropping all other unsolicited packets. Which Nmap host-discovery probe would most effectively identify live systems in this environment?
Transmit ARP requests with -PR to locate active MAC addresses in the DMZ.
Use a UDP ping to port 53 with -PU53 to trigger ICMP port-unreachable replies.
Send a TCP SYN ping to port 443 using Nmap option -PS443.
Issue an ICMP timestamp request ping with -PP to detect responding hosts.
Because the firewall blocks ICMP and denies unsolicited traffic to every port except TCP 443, the most reliable approach is to send a TCP SYN host-discovery probe directly to port 443 with the -PS443 option. The firewall will pass this packet to the target. If the service on 443 is open, the host responds with a SYN/ACK; if it is closed, it replies with a RST. Either response confirms the host is up. ARP requests (-PR) work only on the local broadcast domain and will not traverse the DMZ firewall. A UDP ping to port 53 (-PU53) will be dropped because the rule permits only TCP, not UDP. An ICMP timestamp request (-PP) will also be filtered since ICMP is blocked, so these probes will not reveal live hosts.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is TCP SYN and how does it work in Nmap host discovery?
Open an interactive chat with Bash
Why does the ARP request (-PR) not work in this scenario?
Open an interactive chat with Bash
What is the limitation of using ICMP timestamp requests (-PP) in host discovery behind a firewall?
Open an interactive chat with Bash
What is TCP SYN scanning and how does it work?
Open an interactive chat with Bash
Why doesn't ARP scanning work across a DMZ firewall?
Open an interactive chat with Bash
What is the difference between ICMP echo requests and ICMP timestamp requests?
Open an interactive chat with Bash
Certified Ethical Hacker (CEH)
Reconnaissance Techniques
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99
$19.99/mo
Billed monthly, Cancel any time.
3 Month Pass
$44.99
$14.99/mo
One time purchase of $44.99, Does not auto-renew.
MOST POPULAR
Annual Pass
$119.99
$9.99/mo
One time purchase of $119.99, Does not auto-renew.
BEST DEAL
Lifetime Pass
$189.99
One time purchase, Good for life.
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .