During a penetration test, you discover that an internal web server responds to ICMP echo requests but does not respond to TCP SYN scans on port 80. However, when you browse to the server's IP using a browser, the web page loads successfully. What is the most likely reason for this behavior?
Trap 1: The web server is running on a non-standard port that you did not…
The scan targeted port 80 and got no response, but browsing works; so the server is reachable on port 80 via a different mechanism.
Trap 2: The server's TCP/IP stack is misconfigured and does not respond to…
Misconfiguration would likely affect all TCP connections, not just scans.
Trap 3: A web application firewall is blocking the SYN scan traffic.
WAFs operate at layer 7, not blocking TCP handshake packets.
- A
A stateful firewall is blocking inbound SYN packets to port 80 but allowing responses to outbound connections.
Stateful firewalls track connection states; they may block unsolicited SYN but allow replies.
- B
The web server is running on a non-standard port that you did not scan.
Why wrong: The scan targeted port 80 and got no response, but browsing works; so the server is reachable on port 80 via a different mechanism.
- C
The server's TCP/IP stack is misconfigured and does not respond to SYN scans.
Why wrong: Misconfiguration would likely affect all TCP connections, not just scans.
- D
A web application firewall is blocking the SYN scan traffic.
Why wrong: WAFs operate at layer 7, not blocking TCP handshake packets.