A penetration tester is conducting a network assessment and needs to identify all running services on a host. Which scanning technique provides the most reliable results with the least network traffic?

  1. UDP scan (-sU)
  2. SYN scan (-sS) ✓
  3. Aggressive scan (-A)
  4. ACK scan (-sA)

Correct answer: SYN scan (-sS)

Option 2 is correct. A SYN scan (half-open scan) sends a single SYN to each port and classifies the port from the reply: a SYN/ACK means open, an RST means closed, and no reply after retransmission or an ICMP unreachable error means filtered. When a SYN/ACK comes back, the scanning host answers with an RST instead of the ACK that would complete the three-way handshake (the RST is emitted by the scanner's kernel, since no socket is waiting for that connection), so no connection is ever established. That is roughly three packets per open port instead of the four or more a full connect scan (-sT) needs, and because the connection never completes, the target application never sees it and typically does not log it. It is nmap's default scan when run with raw-packet privileges (root or Administrator) and is the fastest and most widely used technique for enumerating TCP services. Two caveats a tester should keep in mind: without raw-socket privileges nmap defaults to a connect scan instead, and a SYN scan only finds TCP services, so UDP-only services (DNS, SNMP and the like) require a separate, slower UDP scan.

Option 1 is wrong because a UDP scan is slow and its results are less certain: most UDP services ignore an unexpected datagram, so an open port and a filtered port both produce silence. Only a closed port answers, with an ICMP port unreachable, and many stacks rate-limit those ICMP replies to about one per second, which forces long timeouts and retransmissions and inflates both scan time and traffic.

Option 3 is wrong because -A is not a port-scanning technique but a bundle of follow-up probes (OS detection, version detection, the default NSE scripts and traceroute) layered on top of whatever port scan runs. It generates substantially more traffic, takes much longer and is far noisier, which is the opposite of what the question asks for.

Option 4 is wrong because an ACK scan sends bare ACK segments, which any RFC-compliant TCP stack answers with an RST whether the port is open or closed, so it cannot tell the two apart. It only reports whether a port is filtered (no reply or ICMP error) or unfiltered (RST), which makes it a tool for mapping firewall rules, not for discovering running services.
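The reply-to-state rules behind the two TCP options, as an added worked example (not code from the question page or from nmap): a small Python model of how a scanner turns each reply into a port state for -sS and -sA, run against a constructed target with two open ports, one port silently dropped by a packet filter, and everything else closed. It shows concretely why the ACK scan labels open and closed ports alike while the SYN scan separates them. The SimulatedTarget class, its port numbers and the stateless-filter behaviour are assumptions made for the illustration.

```python
"""Port-state rules behind nmap's SYN (-sS) and ACK (-sA) scans.

Added worked example; it is not code from the question page or from nmap.
The target model below is constructed for illustration only.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Union

# TCP control bits (RFC 9293, section 3.1)
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10

# ICMP type 3 (destination unreachable) codes that nmap reports as "filtered"
ICMP_UNREACHABLE = 3
FILTERED_ICMP_CODES = {1, 2, 3, 9, 10, 13}


@dataclass(frozen=True)
class TcpReply:
    flags: int  # control bits of the segment that came back


@dataclass(frozen=True)
class IcmpReply:
    icmp_type: int
    code: int


# None models "no reply at all, even after the scanner's retransmissions"
Reply = Optional[Union[TcpReply, IcmpReply]]


def classify_syn_scan(reply: Reply) -> str:
    """-sS: SYN/ACK -> open, RST -> closed, ICMP error or silence -> filtered."""
    if isinstance(reply, TcpReply):
        if reply.flags & (SYN | ACK) == (SYN | ACK):
            # A real scanner's kernel now answers with RST instead of ACK,
            # so the three-way handshake is never completed.
            return "open"
        if reply.flags & RST:
            return "closed"
        raise ValueError(f"unexpected TCP flags 0x{reply.flags:02x}")
    if reply is None:
        return "filtered"
    if reply.icmp_type == ICMP_UNREACHABLE and reply.code in FILTERED_ICMP_CODES:
        return "filtered"
    raise ValueError(f"unexpected ICMP type {reply.icmp_type} code {reply.code}")


def classify_ack_scan(reply: Reply) -> str:
    """-sA: RST -> unfiltered, ICMP error or silence -> filtered.

    Every RFC-compliant stack answers an unsolicited ACK with RST whether the
    port is open or closed, so this scan can never report "open".
    """
    if isinstance(reply, TcpReply) and reply.flags & RST:
        return "unfiltered"
    return "filtered"


class SimulatedTarget:
    """Host behind a stateless packet filter (constructed for the example).

    open_ports: ports with a listening TCP service.
    dropped_ports: ports whose inbound traffic the filter silently drops.
    Every other port is closed and answers any segment with RST.
    """

    def __init__(self, open_ports: Iterable[int], dropped_ports: Iterable[int]):
        self.open_ports = set(open_ports)
        self.dropped_ports = set(dropped_ports)
        self.probes_received = 0

    def respond(self, port: int, probe_flags: int) -> Reply:
        self.probes_received += 1
        if port in self.dropped_ports:
            return None  # filter drops it; the scanner times out
        if probe_flags == SYN and port in self.open_ports:
            return TcpReply(SYN | ACK)  # service accepts the connection
        # Closed port, or a segment (such as a bare ACK) that matches no
        # connection: the stack resets it regardless of the port's state.
        return TcpReply(RST)


SCANS = {"syn": (SYN, classify_syn_scan), "ack": (ACK, classify_ack_scan)}


def scan(target: SimulatedTarget, ports: Iterable[int], scan_type: str) -> Dict[int, str]:
    """Send one probe per port and map each port to its reported state."""
    probe_flags, classify = SCANS[scan_type]
    return {port: classify(target.respond(port, probe_flags)) for port in ports}


if __name__ == "__main__":
    host = SimulatedTarget(open_ports={22, 80}, dropped_ports={23})
    for kind in ("syn", "ack"):
        print(kind, scan(host, [22, 23, 80, 8080], kind))
```

Running the module prints the SYN scan's open/filtered/open/closed verdicts next to the ACK scan's unfiltered/filtered/unfiltered/unfiltered for the same four ports; the only information the ACK scan adds is that port 23 sits behind a filter.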

Topic: nmap, SYN scan, port scanning, network reconnaissance

Practice CompTIA PenTest+ (PT0-002) Questions Free