
Idle Host Scan

1
Vincent Ryan
Players

(diagram of the three parties: Attacker, Zombie, Victim)

Summary

The attacker scans the victim in such a way that the
ZOMBIE gets blamed.

This ZOMBIE machine needs to be idle.

The attacker sends PING packets to the ZOMBIE to
monitor its IP ID numbers. It is through the
monitoring of these numbers that the attacker will
know if the target port on the VICTIM machine is
open or closed.

To start the attack, the attacker spoofs the
ZOMBIE's address and sends a SYN packet to the
port being scanned on the victim.
IP Identification Field


IP ID : for each IP packet sent, an operating system must ensure that
it has a unique IP ID value.
– Many O.S.'s (e.g. Windows) achieve this by simply adding
1 to the IP ID field
TCP SYN

TCP Scan for open port

(sequence diagram)
Open Port:   SYN -> SYN/ACK -> ACK
Closed Port: SYN -> RST/ACK

Zombie Host


The attacker chooses a host to get blamed. We will call this host
the ZOMBIE. This host should have 2 characteristics:
– it should have a predictable IP ID field
– it should be fairly idle, not sending out too many
packets (hence the name idle scan)

Steps Involved (1)


The attacker then launches an idle scan as follows:
1. send a PING (ECHO REQUEST) packet to ZOMBIE
2. receive an ECHO REPLY response from ZOMBIE with a
value in the IP ID field, which we will call X.
3. maybe repeat the above a few times, to ensure that the IP
ID value is changing in a predictable way.

Note: In step 1 above, you can use any packet that will elicit an IP response.
Steps Involved (2)
4) Attacker sends a SYN to the port being scanned on the victim,
with a source IP address of ZOMBIE
5) If the port is open, the victim sends a SYN-ACK to ZOMBIE. If
the port is closed, the victim sends a RST-ACK (or nothing) to
ZOMBIE.
6) If ZOMBIE gets a SYN-ACK out of the blue from the victim, it
sends a RST to the victim (with IP ID value of X+1). If it gets
a RST out of the blue, it sends nothing.

Steps Involved (3)

Now the attacker will sample the ZOMBIE's IP ID value as
follows:
7. attacker sends a PING to ZOMBIE
8. attacker receives an ECHO-REPLY back from ZOMBIE.

What is the value of the IP ID in that ECHO-REPLY?

– If it is X+1, the port on the victim is closed
– If it is X+2, the port on the victim is open

OPEN port scenario summary

1) Attacker sends PING to ZOMBIE
2) ZOMBIE replies – attacker records the IP ID value, which is X
3) Attacker repeats above 2 steps a number of times
4) Attacker sends spoofed SYN packet from ZOMBIE to VICTIM
with a destination port that (s)he wants to scan
5) Since the port is open, the VICTIM sends a SYN-ACK to the
ZOMBIE
6) The ZOMBIE wasn't expecting the SYN-ACK packet so it sends
a RST to the VICTIM. The IP ID value in this packet is X+1
7) Attacker sends PING to ZOMBIE
8) ZOMBIE replies – attacker notices the IP ID value in the reply is
X+2
CLOSED port scenario summary

With a closed port the VICTIM will not respond with a SYN-ACK. It
will send a RST which will NOT cause the ZOMBIE to send a RST.
1) Attacker sends PING to ZOMBIE
2) ZOMBIE replies – attacker records the IP ID value, which is X
3) Attacker repeats above 2 steps a number of times
4) Attacker sends spoofed SYN packet from ZOMBIE to VICTIM
with a destination port that (s)he wants to scan
5) Since the port is closed, the VICTIM sends a RST to the ZOMBIE
6) The ZOMBIE receives the RST and takes no action
7) Attacker sends PING to ZOMBIE
8) ZOMBIE replies – attacker notices the IP ID value in the reply is
X+1
Wrong result?

What if ZOMBIE is not truly idle?
– Suppose the port is closed, and the ZOMBIE dribbles out a
packet between steps 3 and 7
– Then the attacker will label a port as open which is actually
closed.

Thus, if the idle scan says the port is open, the attacker should
scan the port a number of times to confirm.
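The eight steps above, the open and closed summaries, and the false positive caused by a not-quite-idle zombie can be checked in a small model. The following Python simulation is an added example written for this page, not code from the slides or from Nmap or hping: it models the ZOMBIE's 16-bit IP ID counter, the VICTIM's SYN-ACK or RST answer to the spoofed SYN, and the attacker's two PING samples, with no network traffic at all. The names `Zombie`, `probe_once` and `confirm_port`, the starting counter value 1000, the `background` schedule used to model a zombie that dribbles out packets, and the small LCG that stands in for a randomised IP ID generator are all constructed assumptions; the operating systems that are immune as zombies use their own generators.

```python
# Model of the idle-scan IP ID inference from these slides: three parties,
# no network I/O. Constructed example; all starting values are made up.
from dataclasses import dataclass, field

IPID_MASK = 0xFFFF  # the IP ID field is 16 bits wide, so the counter wraps


@dataclass
class Zombie:
    """Host whose outgoing IP ID values the attacker samples with PINGs."""
    ipid: int = 1000            # constructed starting counter value
    predictable: bool = True    # False models an OS with unpredictable IP IDs
    # packets the host sends on its own between steps 3 and 7 of each probe;
    # one entry per probe, consumed in order (empty list = truly idle)
    background: list = field(default_factory=list)

    def _next_ipid(self) -> int:
        if self.predictable:
            self.ipid = (self.ipid + 1) & IPID_MASK          # the "add 1" behaviour
        else:
            # deterministic stand-in for a randomised generator (a small LCG),
            # chosen so the example is reproducible; not any real OS algorithm
            self.ipid = (self.ipid * 20077 + 12345) & IPID_MASK
        return self.ipid

    def echo_reply(self) -> int:
        """Steps 1-2 and 7-8: answer a PING and expose the IP ID of the reply."""
        return self._next_ipid()

    def receive_from_victim(self, segment: str) -> None:
        """Step 6: an unsolicited SYN-ACK provokes a RST (spends one IP ID); a RST is ignored."""
        if segment == "SYN-ACK":
            self._next_ipid()

    def emit_background_traffic(self) -> None:
        """Traffic a not-quite-idle zombie sends during the probe window."""
        count = self.background.pop(0) if self.background else 0
        for _ in range(count):
            self._next_ipid()


def victim_response(port_open: bool) -> str:
    """Step 5: an open port answers the spoofed SYN with SYN-ACK, a closed port with RST."""
    return "SYN-ACK" if port_open else "RST"


def probe_once(zombie: Zombie, port_open: bool) -> str:
    """Steps 1-8 for one port: returns what the attacker would conclude."""
    x = zombie.echo_reply()                                  # baseline X
    zombie.emit_background_traffic()                         # zombie's own traffic, if any
    zombie.receive_from_victim(victim_response(port_open))   # steps 4-6
    y = zombie.echo_reply()                                  # sample again
    delta = (y - x) & IPID_MASK                              # wrap-safe difference
    if delta == 1:
        return "closed"
    if delta == 2:
        return "open"
    return "unknown"            # zombie was noisy or its IP ID is not a simple counter


def confirm_port(zombie: Zombie, port_open: bool, rounds: int = 3) -> str:
    """The advice above: repeat the probe and accept a verdict only if every round agrees."""
    verdicts = {probe_once(zombie, port_open) for _ in range(rounds)}
    if verdicts == {"open"}:
        return "open"
    if verdicts == {"closed"}:
        return "closed"
    return "unreliable"


if __name__ == "__main__":
    print("idle zombie, open port    :", probe_once(Zombie(), port_open=True))
    print("idle zombie, closed port  :", probe_once(Zombie(), port_open=False))
    print("noisy zombie, closed, once:", probe_once(Zombie(background=[1]), port_open=False))
    print("noisy zombie, closed, x3  :", confirm_port(Zombie(background=[1, 0, 0]), port_open=False))
    print("randomised IP ID, closed  :", confirm_port(Zombie(predictable=False), port_open=False))
```

The noisy-zombie case shows why the single probe is not trusted: one stray packet in the window makes a closed port look open, and only repetition exposes the inconsistency. The randomised case shows why a host with unpredictable IP IDs makes no usable zombie: the difference between the two samples carries no information about the victim's port.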

What OS to target?

“Windows boxes, older Linux hosts, FreeBSD, and Mac OS
boxes generally work fine as Zombie machines. However,
the latest versions of Linux, Solaris, and OpenBSD are
immune as zombies”


Note that the idle scan is not possible in IPv6, as the IPv6
header does not have an IP ID field.

Source: https://nmap.org/presentations/CanSecWest03/CD_Content/idlescan_paper/idlescan.html
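A defender can apply the two Zombie Host criteria to their own machines: the "predictable IP ID" property that decides whether a host can be framed is visible in any packets the host sends. The following Python classifier is an added example written for this page, not code from the slides or from Nmap. It takes a list of IP ID values read from a host's outbound packets (the sample lists in the block are constructed) and reports whether the sequence is a global counter, a counter that appears to step by 256 on the wire because it is stored little-endian, small random positive increments, all zeros, or randomised. The function names, the class labels and the thresholds (steps of at most 10 for a counter, at most 1000 for positive increments) are assumptions chosen for this example.

```python
# Added defender-side check, written for this page (not from the slides or Nmap):
# given IP ID values seen in packets a host sent, decide whether the host's IP ID
# sequence is predictable and therefore usable as an idle-scan zombie.

IPID_MASK = 0xFFFF          # IP ID is a 16-bit field, so differences must wrap
COUNTER_MAX_STEP = 10       # assumed: a (lightly busy) global counter moves at most this much per sample
SMALL_INCREMENT_MAX = 1000  # assumed: upper bound for "random positive increments"


def _byteswap16(value):
    """Swap the two bytes of a 16-bit value (how a little-endian counter looks on the wire)."""
    return ((value & 0xFF) << 8) | (value >> 8)


def _deltas(ids):
    """Wrap-safe differences between consecutive 16-bit IP IDs."""
    return [(b - a) & IPID_MASK for a, b in zip(ids, ids[1:])]


def classify_ipid_sequence(ids):
    """Label a sequence of observed IP IDs.

    Returns one of: 'all-zeros', 'incremental', 'broken-little-endian-incremental',
    'random-positive-increments', 'randomized'.
    """
    if len(ids) < 3:
        raise ValueError("need at least 3 samples to judge a sequence")
    if all(v == 0 for v in ids):
        return "all-zeros"                      # never changes: nothing to count
    if all(1 <= d <= COUNTER_MAX_STEP for d in _deltas(ids)):
        return "incremental"                    # the "add 1" behaviour from the IP ID slide
    swapped = [_byteswap16(v) for v in ids]
    if all(1 <= d <= COUNTER_MAX_STEP for d in _deltas(swapped)):
        return "broken-little-endian-incremental"   # counter sent in host byte order: +256 on the wire
    if all(1 <= d <= SMALL_INCREMENT_MAX for d in _deltas(ids)):
        return "random-positive-increments"
    return "randomized"


def usable_as_zombie(ids):
    """True when the sequence exposes a global counter that an idle scan could read."""
    return classify_ipid_sequence(ids) in ("incremental", "broken-little-endian-incremental")


if __name__ == "__main__":
    # constructed samples, as if read from several echo replies of each host
    samples = {
        "host A": [1000, 1001, 1002, 1003],
        "host B": [65534, 65535, 0, 1],            # counter wrapping past 0xFFFF
        "host C": [0x1234, 0x1334, 0x1434],        # +256 on the wire
        "host D": [1000, 1150, 1400, 1420],
        "host E": [53211, 2190, 40077, 12345],
        "host F": [0, 0, 0, 0],
    }
    for name, ids in samples.items():
        print(f"{name}: {classify_ipid_sequence(ids):35} usable as zombie: {usable_as_zombie(ids)}")
```

Hosts that classify as `incremental` or `broken-little-endian-incremental` are the ones that would "work fine as Zombie machines" in the quoted passage; the fix on the host side is an operating system whose IP ID generation the classifier reports as `randomized`, which is what the immune systems listed above provide.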
Idle Host Scanning using hping (1)

hping3 -S 10.1.1.2 -a 10.1.1.1 -p 21 -c 1

10.1.1.2 is our victim machine

10.1.1.1 is the machine that gets framed (zombie)

-a is used to spoof an IP address. It sets a fake IP source
address. Note, however, that replies will be sent to the
spoofed address.

-p is used to specify the destination port

21 tells hping to send the SYN packet to port 21
Idle Host Scanning using hping (2)

hping3 -1 10.1.1.1 -c 1


10.1.1.1 is the machine that gets framed

By sending ICMP packets to this machine we will get back
TTLs and, more importantly of course, the IP ID numbers.
