As is it has become quite obvious, nmap is one for my favourite tools and I'm trying to learn as much about it is possible.
While reading through the nmap documentation I came across the technique known as idle scanning.
Idle scanning allows you to scan a target without sending any traffic to it. This is done by using what's called a zombie host to bounce your traffic off of so that the traffic appears to come from the zombie host and not you. The way it works is very clever and this page on the nmap site explains how it works in detail.
The main issue with a performing idle scans is to find a zombie host that is completely stagnant and increments it's IPID in the way that nmap requires for idle scans to work. The following command utilizing one of nmap's scripting engine scripts will discover if a host supports the IPID feature in the way that nmap can use it for idle scanning; nmap --script=ipidseq -v <host>. If the Host script results returns all zeros, then the host cannot be used for idle scanning, if it returns incremental, it can be.
I set out to test idle scanning on my test network. I tried using a Debian Linux VM as a zombie host but found that it's IPID sequence was all zeros. I tried a Windows Server 2008 R2 VM with success.
Here are the results:
1) The IP address of the attacking machine:
2) The IP address of the zombie host:
3) The IP address of the target host:
4) The scan being run and the results:
In order for the scan to work there needs to be a non-firewalled port on the zombie host that both the attacking and target host can connect. The -Pn option is used to prevent a ping scan so that no ICMP traffic is sent to the target. If ICMP traffic is sent it would reveal your IP address.
5) A Wireshark capture from the target host showing that the traffic is coming from the zombie host:
As you can see, idle scanning is a very useful technique. It's main caveats are that it cannot really differentiate between closed a filtered ports, it can take significantly longer than a normal scan and it may be difficult to find a idle host to use as a zombie host.
While reading through the nmap documentation I came across the technique known as idle scanning.
Idle scanning allows you to scan a target without sending any traffic to it. This is done by using what's called a zombie host to bounce your traffic off of so that the traffic appears to come from the zombie host and not you. The way it works is very clever and this page on the nmap site explains how it works in detail.
The main issue with a performing idle scans is to find a zombie host that is completely stagnant and increments it's IPID in the way that nmap requires for idle scans to work. The following command utilizing one of nmap's scripting engine scripts will discover if a host supports the IPID feature in the way that nmap can use it for idle scanning; nmap --script=ipidseq -v <host>. If the Host script results returns all zeros, then the host cannot be used for idle scanning, if it returns incremental, it can be.
I set out to test idle scanning on my test network. I tried using a Debian Linux VM as a zombie host but found that it's IPID sequence was all zeros. I tried a Windows Server 2008 R2 VM with success.
Here are the results:
1) The IP address of the attacking machine:
2) The IP address of the zombie host:
3) The IP address of the target host:
4) The scan being run and the results:
In order for the scan to work there needs to be a non-firewalled port on the zombie host that both the attacking and target host can connect. The -Pn option is used to prevent a ping scan so that no ICMP traffic is sent to the target. If ICMP traffic is sent it would reveal your IP address.
5) A Wireshark capture from the target host showing that the traffic is coming from the zombie host:
As you can see, idle scanning is a very useful technique. It's main caveats are that it cannot really differentiate between closed a filtered ports, it can take significantly longer than a normal scan and it may be difficult to find a idle host to use as a zombie host.