- Idle scan
The idle scan is a TCP port scan method in which utility software tools such as Nmap and Hping send spoofed packets to a computer. This sophisticated technique serves both as a port scanner and as a way to map out trusted IP relationships between machines. The attack involves sending forged packets to one machine (the target) in an effort to observe distinct characteristics in another machine (the zombie). Discovered by Salvatore Sanfilippo (also known by his handle "Antirez") in 1998 [http://seclists.org/bugtraq/1998/Dec/0079.html], the idle scan has been used by many Black Hat "hackers" to covertly identify open ports on a target computer in preparation for attacking it. Although it was originally named 'dumb scan', the term 'idle scan' was coined in 1999, after the publication of a proof-of-concept 16-bit identification field (IPID) scanner named "idlescan" by Filipe Almeida (aka LiquidK). This type of scan is also referred to as a 'zombie scan'; all of these names derive from the nature of one of the computers involved in the attack.
Basic mechanics
The idle scan takes advantage of the 'predictable IPID flaw'. An attacker would first scan for a host with a sequential and predictable IPID. The latest versions of Linux, Solaris, and OpenBSD are not suitable for this role, since their IPID generation has been patched [http://seclists.org/bugtraq/1999/Oct/0263.html]. Computers chosen for this stage are commonly known as "zombies". Once a suitable zombie is found, the next step is to send a SYN packet to the target computer, spoofing the zombie's IP address as the source. If the port on the target computer is open, it will respond with a SYN/ACK packet to the zombie. The zombie computer will then send a RST packet to the target computer, because it never sent the SYN packet in the first place. Since the zombie had to send the RST packet, it increments its IPID. This is how an attacker finds out whether the target's port is open: if the IPID is not incremented by that extra packet, the attacker knows that the particular port is closed.
Nmap method
The first thing the user would do is find a suitable zombie on the LAN:
nmap -sP 192.168.1.0/24
This tells Nmap to do a ping sweep and show all hosts that are up in the given IP range. Once you have found a zombie, you would next send the spoofed packets:
nmap -P0 -p <port> -sI <zombie host> <target host>
The juxtaposed images show both of these stages in a successful scenario.
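As an added illustration of the IPID arithmetic described under Basic mechanics and carried out by Nmap's -sI option (this is not code from the article, Nmap or Hping), the following Python model runs the three-step exchange against an in-memory zombie and target. No packets are sent; the class and function names are my own, and the randomize flag models the patched, random-IPID stacks that make a host unusable as a zombie.

```python
import random
from dataclasses import dataclass, field


@dataclass
class Zombie:
    """Constructed model of a host. With randomize=False it has the predictable-IPID
    flaw (one global counter bumped on every packet it sends); with randomize=True it
    behaves like a patched stack and draws each IPID at random (the mitigation)."""
    ipid: int = 1000
    randomize: bool = False
    rng: random.Random = field(default_factory=lambda: random.Random(7))

    def send(self) -> int:
        """Emit one packet and return the IPID it carried (16-bit field, wraps)."""
        self.ipid = self.rng.randrange(1 << 16) if self.randomize else (self.ipid + 1) & 0xFFFF
        return self.ipid

    def receive_synack(self) -> None:
        self.send()  # an unsolicited SYN/ACK is answered with RST: one IPID consumed

    def receive_rst(self) -> None:
        pass  # a RST is never answered, so no IPID is consumed


@dataclass
class Target:
    """Constructed target with a set of open TCP ports."""
    open_ports: set = field(default_factory=set)

    def spoofed_syn(self, port: int, zombie: Zombie) -> None:
        # The reply goes to the spoofed source address, i.e. to the zombie.
        if port in self.open_ports:
            zombie.receive_synack()
        else:
            zombie.receive_rst()


def is_sequential(samples) -> bool:
    """True when every consecutive pair of IPID samples differs by exactly one."""
    return all((b - a) & 0xFFFF == 1 for a, b in zip(samples, samples[1:]))


def classify(ipid_before: int, ipid_after: int) -> str:
    """+1 means only the probe reply was sent (closed); +2 means a RST was also sent (open)."""
    return {1: "closed", 2: "open"}.get((ipid_after - ipid_before) & 0xFFFF, "unreliable")


def idle_scan_model(target: Target, zombie: Zombie, port: int) -> str:
    before = zombie.send()               # zombie answers the attacker's first probe
    target.spoofed_syn(port, zombie)     # SYN to target with zombie's address as source
    after = zombie.send()                # zombie answers the attacker's second probe
    return classify(before, after)
```

Any other traffic the zombie sends between the two probes shifts the delta past 2 and yields "unreliable", which is why a truly idle host is required.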
Effectiveness
Although many operating systems are now immune from being used in this attack, some popular systems are still vulnerable [http://joeljose.pbwiki.com/BAIS(Born%20Again%20Idle%20Scan)], making the idle scan still very effective. Once a successful scan is completed, there is no trace of the attacker's IP address in the target's firewall or intrusion-detection system log. Another useful possibility is the chance of bypassing a firewall, because you are scanning the target from the zombie's computer [http://insecure.org/nmap/man/man-port-scanning-techniques.html], which might have more rights than the attacker's.
External links
* [http://insecure.org/nmap/idlescan.html Insecure.org/nmap/idlescan] - An in-depth article on idle scanning
* [http://insecure.org/ Insecure.org] - Official site of Nmap
* [http://hping.org/ Hping.org] - Official site of Hping
* [http://nmap-online.com/ Nmap-Online.com] - An online Nmap scanner
* [http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1195745,00.html Techtarget.com] - An article on idle scanning
* [http://seclists.org/bugtraq/1998/Dec/0079.html Seclists.org] - Original bugtraq post
Wikimedia Foundation. 2010.