A penetration tester discovers that an Nmap SYN scan against a target host returns no open ports, but a TCP connect scan reveals port 443 open. Which of the following is the most likely reason for this discrepancy?
Stateful firewalls track connections; a SYN scan sends unsolicited SYN packets that may be dropped, while a connect scan completes the handshake and appears as a normal connection.
Why this answer
The discrepancy occurs because a network firewall is performing stateful inspection. It drops unsolicited SYN packets (the first step of a SYN scan) but allows full TCP connections (SYN, SYN-ACK, ACK) to complete, as the connect scan establishes a full three-way handshake. This behavior is typical of stateful firewalls that track connection state and only permit packets belonging to established sessions.
How to eliminate wrong answers
Option A is wrong because a host-based firewall would typically block both SYN packets and full connection attempts consistently, not selectively allow full connections while dropping SYNs. Option C is wrong because ICMP filtering affects host discovery (ping sweeps), not port scan results; Nmap can still perform port scans without ICMP echo replies. Option D is wrong because, although a SYN scan requires root privileges, running without sudo would produce an error or fall back to a connect scan rather than a discrepancy between the two scans: both would fail, or both would show the port open.