Question: 1 / 185

Which type of TCP scan can be used to determine what services are allowed through a firewall by sending TCP packets?

FIN

NULL

ACK

The TCP scan that is most effectively used to determine what services are allowed through a firewall by sending TCP packets is the ACK scan. This scanning technique takes advantage of the TCP handshake process and the way TCP/IP stacks respond to unexpected packets.

When an ACK packet is sent to a port, the expected responses differentiate between open and closed ports. A firewall or filtering system may respond differently to a packet that does not match its security policy than to one that is allowed through.

For instance, a closed port will typically respond with a RST (reset) packet, indicating that there’s no service running on that port. However, if the port is open, the response may be suppressed by the firewall, leading to no response at all. This behavior can help an attacker infer which ports are being filtered versus which are open, thus revealing more about the firewall’s rules.

The other scanning methods, while useful for various purposes, rely on different mechanics or serve different objectives. FIN and NULL scans can also be employed stealthily, but they do not provide definitive insight into the services allowed through a firewall as effectively as an ACK scan. SYN scans, typically used to initiate a TCP handshake, focus more on identifying open ports rather than understanding the filtering

SYN
