A penetration tester is analyzing a Bash script that performs network scanning. The script contains the following command: 'for ip in $(seq 1 254); do hping3 -S -p 22 -c 1 $TARGET_SUBNET.$ip 2>/dev/null | grep -q "flags=SA" && echo "$TARGET_SUBNET.$ip: open"; done'. What is the primary purpose of this script?

Perform a vulnerability assessment against SSH services

A vulnerability assessment would involve sending specific probes or payloads; this script only checks if the port is open.

Execute an ICMP ping sweep to discover live hosts

ICMP ping sweeps use ICMP echo requests, not TCP packets. This script uses TCP SYN to port 22.

Complete a full TCP three-way handshake and log successful connections

The script only sends SYN and waits for SYN-ACK; it does not send the final ACK, so it is a half-open scan, not a full connection.

What does this PT0-002 question test?

CIDR notation defines the prefix length.

What is the correct answer to this question?

The correct answer is: Conduct a TCP SYN scan to identify hosts with port 22 open — The script uses hping3 to send a TCP SYN packet (-S flag) to port 22 on each IP in a subnet. It then checks for a SYN-ACK response (flags=SA) to determine if the port is open. This is a SYN scan, which is a common stealth scan technique because it does not complete the TCP handshake. Port 22 is typically SSH. So the script is scanning a /24 subnet for hosts with SSH port open. It is not a vulnerability scanner (no payload beyond SYN), not a ping sweep (uses TCP, not ICMP), and not a full connection scan (does not send ACK to complete handshake).

What should I do if I get this PT0-002 question wrong?

Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.