Idle scan

From Wikipedia, the free encyclopedia

The idle scan is a TCP port scan method that uses spoofed packets, sent with tools such as Nmap and Hping, to scan a computer. It serves both as a port scanner and as a way of mapping out trusted IP relationships between machines. The attack involves sending forged packets to one machine (the target) in an effort to observe a distinctive change in another machine (the zombie). Discovered by Salvatore Sanfilippo (also known by his handle "Antirez") in 1998[1], the idle scan has been used by many Black Hat "hackers" to covertly identify open ports on a target computer in preparation for attacking it. Although it was originally named 'dumb scan', the term 'idle scan' was coined in 1999, after the publication of a proof-of-concept scanner for the 16-bit IP identification field (IPID) named "idlescan", by Filipe Almeida (aka LiquidK). This type of scan is also referred to as a 'zombie scan'; all of these names refer to the role played by one of the computers involved in the attack.


Basic mechanics

The idle scan takes advantage of the 'predictable IPID flaw'. An attacker would first scan for a host with a sequential and predictable IPID. The latest versions of Linux, Solaris, and OpenBSD are not suitable for this role, since their IPID generation has been patched[2]. Computers chosen to be used in this stage are sometimes known as "zombies". Once a suitable zombie is found, the next step is to send a SYN packet to the target computer with the source IP address spoofed to be the zombie's. If the port on the target computer is open, the target responds with a SYN/ACK packet to the zombie. The zombie then sends a RST packet to the target, because it never sent the SYN packet in the first place. Since the zombie had to send a RST packet, it increments its IPID, and the attacker can see this by probing the zombie's IPID before and after the spoofed SYN. This is how an attacker finds out whether the target's port is open: if the zombie's IPID shows no such increment, the attacker knows that the particular port is closed.

[Figure: The first stage of an idle scan]
[Figure: The second stage of an idle scan]

Nmap method

The first thing the user would do is to find a suitable zombie on the LAN:

nmap -sP 192.168.1.0/24

This tells Nmap to do a ping sweep and list all hosts that are up in the given IP range. Once a zombie has been found, the next step is to send the spoofed packets:

nmap -P0 -p <port> -sI <zombie IP> <target IP>

The two images above show both of these stages in a successful scenario.

Effectiveness

Although many operating systems are now immune from being used in this attack, some popular systems are still vulnerable[3], which keeps the idle scan very effective. Once a scan has been completed successfully, there is no trace of the attacker's IP address in the target's firewall or intrusion-detection system log. Another useful possibility is the chance of bypassing a firewall, because the target is being scanned from the zombie's address[4], which may have more privileges than the attacker's.
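The IPID side channel described under Basic mechanics, and the two properties claimed under Effectiveness (the target only ever sees the zombie's address, and a patched zombie defeats the scan), can be modelled without any network traffic. The following Python model is an added example, not code from the Wikipedia article, from Nmap or from Hping. The host names, the `Host` and `Packet` classes, the port numbers and the listening ports are all constructed for illustration, and the model assumes that the patch the article refers to replaces the zombie's global sequential IPID counter with a random value per packet. It runs the three-party exchange with in-memory objects against a sequential zombie and against a patched one, and records which source addresses the target actually saw.

```python
"""Offline model of the idle scan's IPID side channel (constructed example).

Three hosts live in one Python process and exchange Packet objects; nothing
touches a real network. Only two properties of a TCP/IP stack are modelled,
because only they matter for the side channel: how a host chooses the IP
identification field (IPID) of the packets it emits, and which incoming
segments it answers with a packet at all.
"""
import random
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Host:
    name: str
    open_ports: frozenset = frozenset()
    random_ipid: bool = False  # False: one global counter for every packet (leaky); True: patched stack
    counter: int = 0
    rng: random.Random = field(default_factory=lambda: random.Random(0))
    peers_seen: List[str] = field(default_factory=list)  # source addresses of packets this host received

    def next_ipid(self) -> int:
        """IPID stamped on every packet this host emits."""
        if self.random_ipid:
            return self.rng.randrange(0x10000)
        self.counter = (self.counter + 1) & 0xFFFF
        return self.counter


@dataclass
class Packet:
    src: str
    dst: str
    port: int
    flags: str  # "SYN", "SYN/ACK" or "RST"
    ipid: int


def handle(host: Host, pkt: Packet) -> Optional[Packet]:
    """Reply of a simplified TCP/IP stack to an arriving segment (None when it stays silent)."""
    host.peers_seen.append(pkt.src)  # what the host's firewall or IDS log would record
    if pkt.flags == "SYN":
        # a listening port answers SYN/ACK, a closed port answers RST: a packet goes out either way
        reply = "SYN/ACK" if pkt.port in host.open_ports else "RST"
        return Packet(host.name, pkt.src, pkt.port, reply, host.next_ipid())
    if pkt.flags == "SYN/ACK":
        # SYN/ACK for a connection this host never opened: answered with RST, consuming one IPID
        return Packet(host.name, pkt.src, pkt.port, "RST", host.next_ipid())
    return None  # a stray RST is dropped silently: no packet, no IPID consumed


def deliver(hosts: Dict[str, Host], pkt: Packet) -> Optional[Packet]:
    """Route a packet to its destination by name and return the destination's reply, if any."""
    return handle(hosts[pkt.dst], pkt)


def observe_zombie_ipid(hosts: Dict[str, Host], zombie: str) -> int:
    """An unsolicited SYN/ACK makes the zombie answer with a RST that carries its current IPID."""
    reply = deliver(hosts, Packet("scanner", zombie, 80, "SYN/ACK", 0))
    assert reply is not None
    return reply.ipid


def infer_port_state(hosts: Dict[str, Host], zombie: str, target: str, port: int) -> str:
    """One round of the side channel: probe the zombie, send the spoofed SYN, probe again, compare."""
    before = observe_zombie_ipid(hosts, zombie)
    # the SYN carries the zombie's address as source, so the target's answer goes to the zombie
    answer = deliver(hosts, Packet(zombie, target, port, "SYN", 0))
    if answer is not None:
        deliver(hosts, answer)  # zombie turns a SYN/ACK into a RST (IPID used) or drops a RST (none used)
    after = observe_zombie_ipid(hosts, zombie)
    delta = (after - before) & 0xFFFF
    # the second probe itself accounts for one increment; a second increment can only come
    # from the RST the zombie sent in response to the target's SYN/ACK
    return {1: "closed", 2: "open"}.get(delta, "unknown")


def build_lab(random_ipid: bool) -> Dict[str, Host]:
    """Constructed topology: a target listening on 22 and 80, and a zombie with the chosen IPID policy."""
    return {
        "scanner": Host("scanner"),
        "zombie": Host("zombie", random_ipid=random_ipid),
        "target": Host("target", open_ports=frozenset({22, 80})),
    }


def scan_report(hosts: Dict[str, Host], ports=(22, 80, 443)) -> Dict[int, str]:
    """Port state as inferred purely from the zombie's IPID behaviour."""
    return {p: infer_port_state(hosts, "zombie", "target", p) for p in ports}


if __name__ == "__main__":
    lab = build_lab(random_ipid=False)
    print("sequential-IPID zombie:", scan_report(lab))
    print("sources the target saw:", sorted(set(lab["target"].peers_seen)))
    patched = build_lab(random_ipid=True)
    print("random-IPID zombie:    ", scan_report(patched))
```

With a sequential zombie the report is correct for every port, while the target's `peers_seen` list contains only the zombie's name, which is the "no trace of the attacker's address" property. With the patched zombie the IPID differences are random sixteen-bit values, so the same inference yields "unknown" rather than port states; a host with random IPIDs is therefore useless as a zombie, which is why patched Linux, Solaris and OpenBSD systems cannot be used for this attack.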

External links