September 12th, 2003, 08:54 AM
Using nmap's Idle Scan
Using nmap's Idle Scan
An -sI How-To
Most of us are in some way or another familiar with this highly-popular tool. Whether we use the native UNIX version, or simply use the Windows port, we all have our uses for it. Some use it for penetration-testing purposes, while others as a means of network exploration. Have a remote idea what I’m referring to? You guesses it, I’m addressing Nmap, from insecure.org. Nmap, as described by its makers, “uses raw IP packets in novel ways to determine what hosts are available on the network, what services (ports) they are offering, what operating system (and OS version) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics.” The implications of this revolutionary tool are no doubt Internet-wide.
Now, you’re all aware of this already. You’re an nmap aficionado; perhaps you are familiar with its many facets. Several of you have memorized the scan types, and how they work. Lest I bore you, let us cut to the chase. An often overlooked aspect of nmap is the -sI feature, or Idle Scan. “Idlescan, as it has become known, allows for completely blind port scanning,” reports insecure’s site. How is this so?
Nearly every web server today listens on several ports, especially port 80 and maybe even port 25. Many of us are aware of the “three-way handshake” process, in which a SYN (session establishment) packet is sent to the port, with a SYN|ACK (session request acknowledgment) packet returning if the port is open, and finally a RST packet if the port is closed.
“Every IP packet on the Internet has a ‘fragment identification’ number. Many operating systems simply increment this number for every packet they send. So probing for this number can tell an attacker how many packets have been sent since the last probe.” (http://www.insecure.org/nmap/idlescan.html)
With all this in mind, it is possible to scan remotely, without sending a single packet to the “victim”!
STEP 1: Locate a “zombie” with a predictable IPID number (nmap will generally display this information when conducting a normal scan)
STEP 2: Employing raw socket technology, nmap is able to spoof the packet from the zombie to the host (remember, the IPID number of the zombie has to be incremental or otherwise “guessable” in order to use)
STEP 3: nmap will once again conduct a simple scan of the zombie’s IPID number, deducting the open, closed, and filtered ports of the host simply by observing the IPID number of the zombie!
After you have located an appropriate zombie, using Idle Scan is a snap.
# nmap -P0 -p- -sI [zombie IP] [Host IP]
….and nmap will do the rest! It is wise to use the no ping option, as absolutely ZERO packets will have reached the host from your computer. Isn’t that amazing?
Now, correct me if I’m wrong, but Idle-scanning is largely in its infant stages. More advanced tools will be used to “exploit” this issue, as no OS vendors seem to want to confront the challenge. Will this have more far-reaching effects? It is up to the community to decide.
TUTORIAL BASED ON INSECURE’S PREVIOUS ARTICLE FOUND AT http://www.insecure.org/nmap/idlescan.html
Thanks for reading my 2ND tutorial. Questions, comments? Please call (800)-424...j/k. pm me if you have anything to say. Thanks again,
It\'s 106 miles to Chicago, we\'ve got a full tank of gas, half a pack of cigarettes, it\'s dark and we\'re wearing sunglasses.
September 12th, 2003, 09:04 AM
Just want to add that I've installed the GUI interface to nmap (nmapfe) and looks great and regarding the windoze version it has also one though for an older version of nmap but with "idle scan" option too and a good html compiled help for the users as well with instructions on how to install NmapServ for regular scans of the network.
I didnt know either of the idle scan meaning till Ive read this article, thanks.
September 12th, 2003, 09:37 AM
Great tutorial , FreeBSD has a kernel option RANDOM_IP_ID that prevents someone from using you as the middle man in an idle scan but i don't know if any other *nixes do.