March 15th, 2005, 01:48 AM
#1
Nmap Zombie/Idle Scans.
I was reading “Open Source Security Tools : Practical Guide to Security Applications, A (Bruce Perens Open Source)” [0] (good book, by the way) and found out something you could do with Nmap that I did not know about. It looks like you can use a system that has a sequential IPID scheme (and doesn’t get much traffic) as a zombie to hide who is doing the port scan. Nmap forges packets pretending to be the zombie and then talks to the zombie to see what IPID it’s on. In doing this it can sometimes tell what ports are open on the target. Details can be found at:
http://www.insecure.org/nmap/idlescan.html
Apparently it’s a good way for an attacker to hide themselves and possibly get around weakly configured firewalls. Anybody else ever play with it?
[0] http://www.amazon.com/exec/obidos/AS...773848-8307164
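
A defender can check whether one of their own hosts has the sequential IPID behaviour the post describes by looking at the IP ID values in that host's replies. The following is an added example, not part of the original post and not Nmap's algorithm; the class names, the `max_step` threshold and the sample values are assumptions constructed for illustration.

```python
# Added example: classify a host's IP ID behaviour from the IDs seen in its replies.
# Class names and the max_step threshold are this example's assumptions.

def _deltas(ids):
    """Forward differences modulo 2**16 (the IP ID field is 16 bits and wraps)."""
    return [(b - a) & 0xFFFF for a, b in zip(ids, ids[1:])]

def _swap16(v):
    """Swap the two bytes of a 16-bit value (counter kept in the other byte order)."""
    return ((v & 0xFF) << 8) | (v >> 8)

def classify_ipid(ids, max_step=10):
    """Return 'insufficient', 'constant', 'incremental',
    'byte-swapped incremental' or 'random'.

    ids: IP ID values from consecutive replies of one host, in capture order.
    max_step: largest per-reply increase still treated as one shared counter
              on a quiet host (assumed threshold).
    """
    if len(ids) < 4:
        return "insufficient"
    if len(set(ids)) == 1:
        return "constant"  # e.g. always 0: the field reveals nothing
    if all(0 < d <= max_step for d in _deltas(ids)):
        return "incremental"
    if all(0 < d <= max_step for d in _deltas([_swap16(v) for v in ids])):
        return "byte-swapped incremental"
    return "random"

def idle_scan_exposure(ids):
    """True when the counter is predictable enough to serve as the 'zombie' side channel."""
    return classify_ipid(ids) in ("incremental", "byte-swapped incremental")

# Constructed sample data (not captured from any real host).
SAMPLES = {
    "quiet-printer": [65533, 65534, 65535, 0, 1, 2],           # wraps at 2**16
    "old-desktop": [0x0100, 0x0200, 0x0300, 0x0400, 0x0500],    # byte-swapped counter
    "modern-server": [41822, 1907, 60313, 22754, 9981],
    "always-zero": [0, 0, 0, 0, 0],
}

if __name__ == "__main__":
    for host, ids in SAMPLES.items():
        print(f"{host:14} {classify_ipid(ids):26} exposed={idle_scan_exposure(ids)}")
```

Hosts that come back as incremental are the ones to patch, reconfigure or put behind a filtering device that rewrites or randomizes the IP ID.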