8 Idle Scanning [-sI]

Idle scanning is an advanced, highly stealthy technique in which no packet sent to the target can be identified as originating from the scanning machine. A zombie host (and optionally a probe port on it) must be specified for this scan type, in the form -sI zombiehost[:probeport], and the zombie must satisfy certain criteria essential to the workings of the scan. The scan works by exploiting predictable IP ID sequence generation on the zombie host (the 16-bit identification field in the IP header, used for fragment reassembly) to determine open ports on the target.

The scan first checks the IPID on the zombie (by sending it a SYN/ACK and reading the IP ID of the RST it replies with), then spoofs a connection request (SYN) to the target machine with the zombie's address as the source. If the target port is open, the target sends a SYN/ACK back to the zombie, which replies with a RST since it has no record of having opened such a connection. If the port is closed, the target sends a RST to the zombie, which silently ignores it, and no further packets are sent. The attacker then probes the zombie's IPID again. If it has incremented by 2 (or moved two steps in its sequence), one step corresponds to the RST the zombie sent in answer to the target's SYN/ACK and the other to the RST answering the attacker's own probe, which equates to an open port on the target. If the IPID has moved by only one step, the zombie sent nothing in between: either the target answered with a RST (port closed) or a firewall dropped the spoofed SYN (port filtered). The idle scan cannot tell these two cases apart, so Nmap reports such ports as closed|filtered. Because the attacker must never touch the target directly, host discovery should be disabled with -Pn (spelled -P0 in older Nmap releases); otherwise Nmap's own ping probes reach the target from the attacker's address.

Using this mechanism, it is possible to scan every port on a target whilst making it appear that the zombie was the one doing the scanning. Of course, the spoofed connection attempts will likely be logged, so the target system will have the zombie's IP address, and the zombie's logs are likely to contain the attacker's IP address (from the IPID probes), so it is still possible, after acquiring logs through legal channels, to determine the attacker; this method simply makes it much more difficult than if the packets were sent directly from the attacker. In addition, some IDS and firewall software attempts to detect spoofed packets based on the network they arrive from. As long as the zombie host and the attacker are both "out on the Internet", or on the same network as each other, relative to the target, techniques to identify spoofed packets are not likely to succeed. Note, however, that many ISPs and perimeter firewalls drop outbound packets whose source address does not belong to the local network (egress filtering); in that case the spoofed SYNs never leave the attacker's network and every port appears closed|filtered.

This scan type requires certain things of the zombie. The IPID sequence generation must be predictable (single-step increments, for example). The host must also have low traffic, so that it is unlikely for other packets to hit the zombie whilst Nmap is carrying out its scan, as these artificially inflate the IPID count: a single stray packet between the two probes makes a closed port look open, and more than one makes the round unusable.

Printers, cheap routers and older MS Windows boxes have historically made good zombie hosts. Most modern operating systems randomise the IP ID or keep a separate counter per destination, which makes them useless as zombies (see the OS Fingerprinting section for how the "IP ID Sequence Generation" line of Nmap's -O output reports a host's sequence class; it must be Incremental for the host to be usable). Because the target sees the connection attempts as coming from the zombie, the results reflect what the zombie is allowed to reach. The idle scan can therefore also be used to determine IP-trust-based relationships between hosts (e.g. a firewall may allow a certain host to connect to port x but not other hosts): scanning through such a trusted host as the zombie shows which ports it, rather than the attacker, has access to. For more information about this scan type, read http://www.insecure.org/nmap/idlescan.html
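The three-step exchange described above, together with the noise and trust-relationship caveats, as an added offline simulation. This is not Nmap's code and sends no packets: the zombie, the target, its firewall rules and the addresses are constructed stand-ins, and the IP ID classifier is a simplified version of the sequence classes Nmap's -O output reports.

```python
"""Idle scan (Nmap -sI) decision logic, simulated offline.

Added example: the zombie, target and attacker below are constructed
stand-ins, not Nmap code. The zombie has a global IP ID counter that
steps by one per packet sent; the attacker never sends a packet to the
target from its own address.
"""

IPID_MOD = 1 << 16  # the IP ID field is 16 bits wide, so deltas must wrap


def ipid_delta(before, after):
    """Packets the zombie sent between two probes, modulo 2**16."""
    return (after - before) % IPID_MOD


class Zombie:
    """Host with a predictable (single-step, global) IP ID sequence."""

    def __init__(self, addr, start=1000, noise_per_round=0):
        self.addr = addr
        self.ipid = start
        self.noise_per_round = noise_per_round  # unrelated packets per scan round

    def send(self):
        """Emit one packet and return the IP ID it carried."""
        current = self.ipid
        self.ipid = (self.ipid + 1) % IPID_MOD
        return current

    def receive(self, segment):
        """Stack reaction to an unsolicited segment: a SYN/ACK for a
        connection it never opened draws a RST (one packet); a bare RST
        or no packet at all draws nothing."""
        return self.send() if segment == "SYN/ACK" else None

    def unrelated_traffic(self):
        """Background traffic the attacker can neither see nor control."""
        for _ in range(self.noise_per_round):
            self.send()


class Target:
    """Host with some open ports and a firewall that admits only certain
    sources to certain ports (constructed rules, not a real ruleset)."""

    def __init__(self, open_ports, firewall=None):
        self.open_ports = set(open_ports)
        self.firewall = firewall or {}  # port -> set of permitted source addrs

    def receive_syn(self, port, src):
        """Reply the target sends to the *apparent* source of a SYN."""
        allowed = self.firewall.get(port)
        if allowed is not None and src not in allowed:
            return None  # dropped by the firewall: no reply at all
        return "SYN/ACK" if port in self.open_ports else "RST"


def probe_zombie(zombie):
    """Attacker sends the zombie a SYN/ACK and reads the IP ID of its RST."""
    return zombie.receive("SYN/ACK")


def idle_scan_port(zombie, target, port):
    """One round of the three-step exchange against a single port."""
    before = probe_zombie(zombie)
    reply = target.receive_syn(port, src=zombie.addr)  # SYN spoofed from the zombie
    zombie.unrelated_traffic()
    zombie.receive(reply)  # zombie reacts (or not) to whatever the target sent it
    after = probe_zombie(zombie)
    delta = ipid_delta(before, after)
    if delta == 2:
        return "open"
    if delta == 1:
        return "closed|filtered"  # idle scan cannot tell these two apart
    return "unknown"  # stray traffic on the zombie: it is not idle enough


def idle_scan(zombie, target, ports):
    return {port: idle_scan_port(zombie, target, port) for port in ports}


def classify_ipid_sequence(samples):
    """Simplified version of the IP ID sequence class Nmap -O reports.
    Only an 'Incremental' host is usable as a -sI zombie."""
    deltas = [ipid_delta(a, b) for a, b in zip(samples, samples[1:])]
    if all(d == 0 for d in deltas):
        return "All zeros"
    if all(1 <= d <= 10 for d in deltas):
        return "Incremental"
    if all(d % 256 == 0 and 1 <= d // 256 <= 10 for d in deltas):
        return "Broken little-endian incremental"
    return "Randomized"


if __name__ == "__main__":
    target = Target(open_ports={22, 80, 445}, firewall={445: {"10.0.0.5"}})
    print(idle_scan(Zombie("10.0.0.5"), target, [22, 23, 445]))      # 445 open
    print(idle_scan(Zombie("198.51.100.7"), target, [22, 23, 445]))  # 445 closed|filtered
    print(idle_scan(Zombie("10.0.0.9", noise_per_round=1), target, [23]))  # false "open"
```

The trusted zombie 10.0.0.5 sees port 445 as open while the stranger sees closed|filtered, which is the trust-relationship mapping the text describes; the noisy zombie turns a closed port into a false open, which is why Nmap insists on a quiet zombie.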
