During an internal vulnerability assessment, an analyst must quickly identify which hosts in the 10.20.5.0/24 subnet are online and enumerate the TCP services they expose, while minimizing traffic by leaving each connection half-open instead of completing the three-way handshake. Which Nmap scan type best meets these requirements?
Launch a UDP scan with the -sU option to identify services
Execute a TCP SYN (half-open) scan using the -sS option
Run a NULL scan using the -sN option to probe firewall rules
Perform a full TCP connect scan with the -sT option
A TCP SYN scan (-sS) sends only the initial SYN packet and interprets the target's reply before resetting the connection, so the full three-way handshake is never completed. This half-open technique is faster and less intrusive than a full TCP connect scan, yet still provides reliable host and port information. UDP scans and NULL scans do not enumerate TCP services efficiently, and a TCP connect scan generates more traffic because every connection is fully established.
What is the main advantage of a TCP SYN scan (-sS) over a TCP connect scan (-sT)?
Why is the -sU option not suitable for enumerating TCP services?
What is the role of a NULL scan (-sN) and why is it not efficient for TCP service enumeration?