During a penetration test, you are asked to identify all live hosts on a subnet. Which Nmap scan type is most likely to evade firewalls and determine if a host is up without completing the TCP handshake?
Trap 1: Ping sweep (-sn)
Ping sweep does not scan ports; it uses ICMP/ARP to find hosts.
Trap 2: TCP connect scan (-sT)
Completes full TCP handshake; less stealthy.
Trap 3: UDP scan (-sU)
Used for UDP ports, not for stealth host discovery.
- A: Ping sweep (-sn)
  Why wrong: Ping sweep does not scan ports; it uses ICMP/ARP to find hosts.
- B: SYN scan (-sS)
  Correct: half-open scan; it sends a SYN but never completes the three-way handshake.
- C: TCP connect scan (-sT)
  Why wrong: Completes the full TCP handshake; less stealthy.
- D: UDP scan (-sU)
  Why wrong: Used for UDP ports, not for stealth host discovery.