A penetration tester discovers that an Nmap SYN scan against a target host returns no open ports, but a TCP connect scan reveals port 443 open. Which of the following is the most likely reason for this discrepancy?
Stateful firewalls track connections; a SYN scan sends unsolicited SYN packets that may be dropped, while a connect scan completes the handshake and appears as a normal connection.
Why this answer
Both scans start with the same packet: a SYN to port 443. A stateful firewall cannot tell the opening SYN of an Nmap SYN scan (-sS) from the opening SYN of a connect scan (-sT), so the difference is not in how the first probe is treated but in what follows the target's SYN-ACK. A SYN scan answers it with a RST and never completes the handshake, leaving a half-open session; a connect scan hands the connection to the operating system's socket API, which answers with an ACK and completes the three-way handshake (SYN, SYN-ACK, ACK). Stateful firewalls that track connection state, and in particular their SYN-flood and port-scan protections, count sessions a source keeps opening and aborting while half-open. A SYN scan trips that limit within a few probes, after which the device silently drops the scanner's further packets, so Nmap gets no response and reports the ports as filtered rather than open. The connect scan's sessions all reach the established state, look like ordinary client traffic and are permitted, which is why it sees 443. A practical check: rerun the SYN scan with --reason; ports listed as filtered with reason no-response, while -sT shows them open, point at a device between you and the target rather than at the service itself.
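The mechanism above, as an added model that is not part of the exam page: a small Python simulation of a stateful firewall whose SYN-flood/port-scan protection counts sessions a source resets while still half-open. The class and function names, the scanner address, the set of open ports, the probe order (real Nmap randomises port order unless -r is given) and the threshold of two aborted sessions are all constructed for illustration. It shows that the firewall passes the opening SYN of both scans identically, that the SYN scan trips the limit after its first open ports and then gets no response for 443, and that the connect scan, whose sessions all reach the established state, sees 443 open.

```python
# Added example, not from the exam page: a model of a stateful firewall whose
# SYN-flood / scan protection counts sessions a source aborts while half-open.
# Names (Target, StatefulFirewall, syn_scan, connect_scan), the packet format,
# the scanner address, the port list and the threshold are constructed.

SCANNER = "10.0.0.5"          # constructed scanner address
OPEN_PORTS = {22, 80, 443}    # constructed target services
# Constructed probe order; real Nmap randomises port order unless -r is given.
PROBE_ORDER = [22, 80, 443, 8080]


class Target:
    """Host behind the firewall. Only a SYN gets an answer: SYN-ACK if the
    port listens, RST if it does not; the peer's ACK or RST ends the exchange."""

    def __init__(self, open_ports):
        self.open_ports = set(open_ports)

    def receive(self, port, flags):
        if flags == "SYN":
            return "SYN-ACK" if port in self.open_ports else "RST"
        return None


class StatefulFirewall:
    """Per-source session table. The first SYN of either scan is treated the
    same; what is counted is a session torn down by the client while still
    half-open (SYN, SYN-ACK, then RST instead of ACK). Past the threshold the
    source is dropped silently, which Nmap reports as no-response / filtered."""

    def __init__(self, target, max_aborted_half_open=2):
        self.target = target
        self.limit = max_aborted_half_open
        self.state = {}        # (src, port) -> "HALF_OPEN" | "ESTABLISHED"
        self.aborted = {}      # src -> half-open sessions the client reset
        self.blocked = set()
        self.log = []

    def send(self, src, port, flags):
        """Scanner -> target. Returns the target's reply flags, or None if dropped."""
        if src in self.blocked:
            self.log.append(f"DROP {src}->{port} {flags}: source blocked")
            return None
        key = (src, port)
        if flags == "SYN":
            self.state[key] = "HALF_OPEN"
        elif flags == "ACK" and self.state.get(key) == "HALF_OPEN":
            self.state[key] = "ESTABLISHED"
        elif flags == "RST" and self.state.get(key) == "HALF_OPEN":
            del self.state[key]
            self.aborted[src] = self.aborted.get(src, 0) + 1
            if self.aborted[src] >= self.limit:
                self.blocked.add(src)
                self.log.append(f"BLOCK {src}: {self.limit} half-open sessions reset by client")
        self.log.append(f"PASS {src}->{port} {flags}")
        reply = self.target.receive(port, flags)
        if reply == "RST":        # closed port: the target itself ends the session
            self.state.pop(key, None)
        return reply


def _scan(fw, ports, finish_flags, src=SCANNER):
    """Common probe loop; the only difference between the scans is the packet
    sent after a SYN-ACK: RST for -sS, ACK (kernel completes connect()) for -sT."""
    results = {}
    for port in ports:
        reply = fw.send(src, port, "SYN")
        if reply == "SYN-ACK":
            fw.send(src, port, finish_flags)
            results[port] = "open"
        elif reply == "RST":
            results[port] = "closed"
        else:
            results[port] = "filtered"   # no response, as --reason would show
    return results


def syn_scan(fw, ports=PROBE_ORDER):
    """nmap -sS: half-open scan, tears each session down with RST."""
    return _scan(fw, ports, "RST")


def connect_scan(fw, ports=PROBE_ORDER):
    """nmap -sT: full three-way handshake via the OS socket API."""
    return _scan(fw, ports, "ACK")


def ports_reported_open(results):
    return sorted(p for p, state in results.items() if state == "open")


def run_both():
    """Run each scan behind its own firewall instance (the second one after the
    block has aged out). Returns (syn_results, connect_results, syn_fw, conn_fw)."""
    syn_fw = StatefulFirewall(Target(OPEN_PORTS))
    conn_fw = StatefulFirewall(Target(OPEN_PORTS))
    return syn_scan(syn_fw), connect_scan(conn_fw), syn_fw, conn_fw


if __name__ == "__main__":
    syn_results, conn_results, syn_fw, _ = run_both()
    print("SYN scan    :", syn_results, "open:", ports_reported_open(syn_results))
    print("connect scan:", conn_results, "open:", ports_reported_open(conn_results))
    print("\n".join(syn_fw.log))
```

Run it directly to print both result tables and the firewall log. The line to look at is the BLOCK entry: it is raised by the scanner's own RST, not by its SYN, which is why probe order matters and why, in a real scan with randomised port order, 443 can come back filtered while services probed earlier were still reported.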
Exam trap
Candidates often pick the host-based firewall or the privilege option. The question hinges on the only thing that differs between the two scans: what is sent after the SYN-ACK. A SYN scan aborts with a RST, a connect scan completes the handshake. Only a device that tracks session state and reacts to half-open sessions can treat the two differently, which is option B.
How to eliminate wrong answers
Option A is wrong because a host-based firewall decides on port and direction before the service answers, and the first packet it sees, the SYN, is identical for both scans; it would drop or accept 443 for both alike, not hide it from one scan and show it to the other. Option C is wrong because ICMP filtering affects host discovery (the ping phase), not port state: if echo replies were blocked, both scans would mark the host down unless -Pn is used, and with -Pn both would probe 443 identically. Option D is wrong because Nmap does not quietly degrade when raw-socket privileges are missing: an explicit -sS without root aborts with "requires root privileges. QUITTING!", and when no scan type is given an unprivileged user gets a connect scan by default. Neither path yields a completed SYN scan whose results differ from a connect scan.