-
Nmap Zombie/Idle Scans.
I was reading "Open Source Security Tools: A Practical Guide to Security Applications (Bruce Perens Open Source)" [0] (good book by the way) and found out something you could do with Nmap that I did not know about. It looks like you can use a system that has a sequential IPID scheme (and doesn't get much traffic) as a zombie to hide who is doing the port scan. Nmap forges packets pretending to be the zombie and then talks to the zombie to see what IPID it's on. In doing this it can sometimes tell what ports are open on the target. Details can be found at:
http://www.insecure.org/nmap/idlescan.html
Apparently it's a good way for an attacker to hide themselves and possibly get around weakly configured firewalls. Anybody else ever play with it?
[0] http://www.amazon.com/exec/obidos/AS...773848-8307164
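The zombie property described above depends entirely on the candidate host using a sequential IPID counter. A defender can check their own hosts for that trait (and so for their usability as a zombie) by looking at the IPID field of replies captured while probing them. The following is an added example, not code from the original post or from Nmap; it assumes the IPIDs have already been pulled out of a capture into a list, and the sample replies are constructed.

```python
"""Classify a host's IP ID (IPID) generation from the IPIDs of its replies.

The IPID field is 16 bits wide and wraps, so deltas are taken modulo 65536.
"""
from collections import defaultdict

IPID_MODULUS = 1 << 16


def ipid_deltas(ipids):
    """Successive differences, modulo 2^16 so a counter wrap still reads as +1."""
    return [(b - a) % IPID_MODULUS for a, b in zip(ipids, ipids[1:])]


def classify_ipid_sequence(ipids):
    """Return one of: too-few-samples, zero, constant, incremental-idle,
    incremental-byteswapped, incremental-busy, random."""
    if len(ipids) < 3:
        return "too-few-samples"
    if all(i == 0 for i in ipids):
        return "zero"                       # IPID unused; cannot serve as a zombie
    deltas = ipid_deltas(ipids)
    if all(d == 0 for d in deltas):
        return "constant"                   # fixed value; cannot serve as a zombie
    if all(d == 1 for d in deltas):
        return "incremental-idle"           # sequential and quiet: usable as a zombie
    if all(d == 256 for d in deltas):
        return "incremental-byteswapped"    # sequential counter stored little-endian
    if all(1 <= d <= 16 for d in deltas):
        return "incremental-busy"           # sequential, but other traffic bumps it
    return "random"                         # per-packet randomised, as on modern Linux


def ipid_profile_by_host(replies):
    """replies: (src_ip, ipid) pairs in capture order, e.g. replies to our own
    pings extracted from a pcap. Returns {src_ip: classification}."""
    seen = defaultdict(list)
    for src, ipid in replies:
        seen[src].append(ipid)
    return {src: classify_ipid_sequence(ids) for src, ids in seen.items()}


# Constructed sample (not a real capture): interleaved replies from three hosts.
SAMPLE_REPLIES = [
    ("10.0.0.5", 4101), ("10.0.0.9", 17281), ("10.0.0.7", 0),
    ("10.0.0.5", 4102), ("10.0.0.9", 3052), ("10.0.0.7", 0),
    ("10.0.0.5", 4103), ("10.0.0.9", 61020), ("10.0.0.7", 0),
    ("10.0.0.5", 4104), ("10.0.0.9", 9), ("10.0.0.7", 0),
]

if __name__ == "__main__":
    for host, verdict in ipid_profile_by_host(SAMPLE_REPLIES).items():
        print(f"{host}: {verdict}")
```

Hosts reported as incremental-idle are the ones that could be abused as zombies; switching them to randomised IPIDs, or simply giving them regular traffic, removes the property.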
-
I bet the horse13 knows a thing or two.
As for me, I've played with it. It works well for most Windows machines. However, I've tried running a few idle scans on two of my local Linux machines, and they failed due to not being able to predict the IP IDs, if I remember right.
But great scan method nonetheless.
-
I used a jetdirect box to bounce off of, very slow though.
-
Yep. In fact, I wrote a tutorial on how to use the idle scan feature. One thing to be careful of: it is *not* foolproof. Some IDS devices will see this a mile away. Take a peek in the security tuts section, it's either NMAP scans part 4 or 5. I forget which tut I put it in.
--TH13
-
I got to play around with that for a little while and it is quite effective IFF the box is a 'quiet' box, i.e., not a lot of traffic. What you are basically relying on is that nobody else would be doing a lot of talking to mess up the IPID. We messed around with it in the Skoudis short course at SANS (was there a day early and bored); it was pretty interesting to see how well it worked when the system was idle and how unpredictable it was when too many were doing it (i.e., all the students hitting the box at the same time).
Anyway, what I liked about it is you weren't directly port mapping something and so there were other applications to it :)
-
Bear in mind that an IDS will not be able to distinguish an idle scan from a normal scan (unless the Zombie is inside its network).
Because the scan appears to be coming from a host which is not the attacker's, it is not generally possible to determine where they are.
The upside is, nobody can do anything except tcp scan via an IDLE scan. Other attacks simply can't use a zombie in this fashion.
Personally I think that hackers won't bother using IDLE scans because
- They don't care if their IP address is revealed when SYN scanning, nobody takes any notice of scans anyway (unless they cause them DoS)
- Idle scans are way too slow / complicated for your typical SK
I restate this: NO network admin EVER takes any notice of scan logs unless some other attacks come from the same IPs.
Slarty