In CEH v13 Network Scanning, a SYN scan—also known as a half-open scan—is one of the most common and reliable techniques used to identify open TCP ports. This method involves sending a TCP SYN packet to a target port and analyzing the response without completing the full three-way handshake.
When a scanner sends a SYN packet:
SYN/ACK response → The port is OPEN
RST response → The port is CLOSED
No response or ICMP unreachable → The port is FILTERED
In this scenario, the receipt of a SYN/ACK packet clearly indicates that the target system is willing to establish a TCP connection on that port. The scanner typically responds with a RST packet instead of an ACK to avoid completing the connection, thereby remaining stealthy.
Option B is therefore correct and aligns exactly with CEH v13 definitions.
Option A is incorrect because unreachable hosts do not respond with SYN/ACK.
Option C is incorrect because filtered ports usually do not respond or return ICMP errors.
Option D is incorrect because closed ports respond with RST, not SYN/ACK.
CEH v13 emphasizes SYN scanning as a preferred method due to its balance of accuracy and reduced logging. Understanding TCP flag behavior is fundamental for interpreting scan results correctly.
