During an internal vulnerability assessment, an analyst must quickly identify which hosts in the 10.20.5.0/24 subnet are online and enumerate the TCP services they expose, while minimizing traffic by leaving each connection half-open instead of completing the three-way handshake. Which Nmap scan type best meets these requirements?
Perform a full TCP connect scan with the -sT option
Launch a UDP scan with the -sU option to identify services
Execute a TCP SYN (half-open) scan using the -sS option
Run a NULL scan using the -sN option to probe firewall rules
A TCP SYN scan (-sS) sends only the initial SYN packet and interprets the target's reply before resetting the connection, so the full three-way handshake is never completed. This half-open technique is faster and less intrusive than a full TCP connect scan, yet still provides reliable host and port information. UDP scans and NULL scans do not enumerate TCP services efficiently, and a TCP connect scan generates more traffic because every connection is fully established.