During an engagement, a penetration tester wants to enumerate open TCP services on an internal server while minimizing the chance of triggering the company's network-based IDS. Which port-scanning technique should the tester use to reduce logging and IDS alerts?
A SYN (half-open) scan sends only the initial SYN packet and, after receiving a SYN-ACK, immediately resets the connection instead of completing the three-way handshake. Because the connection is never fully established, many services and operating-system log routines do not record the attempt, and basic IDS signatures that rely on completed sessions are bypassed. In contrast, a TCP connect scan finishes the handshake and is almost always logged, ACK scans use unusual flag combinations that many IDS signatures monitor, and UDP scans typically require multiple probes and elicit ICMP responses, producing conspicuous traffic. Therefore, the SYN scan is least likely to be detected.