March 15th, 2005, 12:48 AM
Nmap Zombie/Idle Scans.
I was reading "Open Source Security Tools : Practical Guide to Security Applications, A (Bruce Perens Open Source)" (good book by the way) and found out something you could do with Nmap that I did not know about. It looks like you can use a system that has a sequential IPID scheme (and doesn't get much traffic) as a zombie to hide who is doing the port scan. Nmap forges packets pretending to be the zombie and then talks to the zombie to see what IPID it's on. In doing this it can sometimes tell what ports are open on the target. Details can be found at:
Apparently it's a good way for an attacker to hide themselves and possibly get around weakly configured firewalls. Anybody else ever play with it?
March 15th, 2005, 03:16 AM
I bet the horse13 knows a thing or two.
As for me, I've played with it. It works well for most Windows machines. However, I've tried running a few idle scans on two of my local Linux machines, and they failed due to not being able to predict the IP IDs, if I remember right.
But great scan method nonetheless.
The command completed successfully.
"They drew first blood not me."
March 15th, 2005, 03:18 AM
I used a jetdirect box to bounce off of, very slow though.
March 15th, 2005, 11:05 AM
Yep. In fact, I wrote a tutorial on how to use the idle scan feature. One thing to be careful of: it is *not* foolproof. Some IDS devices will see this a mile away. Take a peek in the security tuts section, it's either NMAP scans part 4 or 5. I forget which tut I put it in.
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
March 15th, 2005, 01:57 PM
I got to play around with that for a little while and it is quite effective IFF the box is a 'quiet' box, i.e., not a lot of traffic. What you are basically relying on is that nobody else would be doing a lot of talking to mess up the IPID. We messed around with it in the Skoudis short course at SANS (was there a day early and bored); it was pretty interesting to see how well it worked when the system was idle and how unpredictable it was when too many were doing it (i.e., all the students hitting the box at the same time).
Anyway, what I liked about it is you weren't directly port mapping something and so there were other applications to it.
There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.
(Merovingian - Matrix Reloaded)
March 16th, 2005, 12:46 PM
Bear in mind that an IDS will not be able to distinguish an idle scan from a normal scan (unless the zombie is inside its network).
Because the scan appears to be coming from a host which is not the attacker's, it is not generally possible to determine where they are.
The upside is, nobody can do anything except a TCP scan via an idle scan. Other attacks simply can't use a zombie in this fashion.
Personally I think that hackers won't bother using IDLE scans because
- They don't care if their IP address is revealed when SYN scanning, nobody takes any notice of scans anyway (unless they cause them DoS)
- Idle scans are way too slow / complicated for your typical SK
I restate this, NO network admin, EVER takes any notice of scan logs unless some other attacks come from the same IPs.