What does the TCP ACK scan (-sA) aim to determine?


The TCP ACK scan, indicated by the -sA option in scanning tools like Nmap, is specifically designed to determine which ports are filtered and whether a firewall is stateful. This type of scan sends TCP ACK packets to a range of ports on a target host and analyzes the responses to assess the status of those ports.

When a port is unfiltered, the target typically answers with a RST (reset) packet. That RST only shows that the probe reached the port; it does not tell you whether the port is open or closed, since both open and closed ports reset an unsolicited ACK. If the port is filtered, the target either sends no response at all or returns an ICMP unreachable message, depending on how the firewall or filtering device is configured. By observing these responses, the scan can infer how the firewall behaves: a stateful firewall tracks active connections and drops ACK packets that belong to no known connection, whereas a stateless firewall lacks that capability and lets them through.

This method focuses solely on the network and firewall architecture, which matters in penetration testing because it reveals how defenses are configured and what potential weaknesses exist because of their placement and operation. The other choices (network bandwidth availability, strength of encryption protocols, and the number of active devices) are outside the scope of what the TCP ACK scan is intended
