Idle scan

The idle scan is a TCP port scan method that uses utility software tools such as Nmap and Hping to send spoofed packets to a computer. This sophisticated exploit is dual-purpose: it acts as a port scanner and maps out trusted IP relationships between machines. The attack involves sending forged packets to a specific machine (the target) in an effort to find distinct characteristics in another machine (the zombie). Discovered by Salvatore Sanfilippo (also known by his handle "Antirez") in 1998 [http://seclists.org/bugtraq/1998/Dec/0079.html], the idle scan has been used by many black hat "hackers" to covertly identify open ports on a target computer in preparation for attacking it. Although it was originally named "dumb scan", the term "idle scan" was coined in 1999, after the publication of a proof-of-concept 16-bit identification field (IPID) scanner named "idlescan" by Filipe Almeida (aka LiquidK). This type of scan is also referred to as a "zombie scan"; all of these names derive from the nature of one of the computers involved in the attack.

Basic mechanics

The idle scan takes advantage of the "predictable IPID flaw". An attacker would first scan for a host with a sequential and predictable IPID. The latest versions of Linux, Solaris, and OpenBSD are not suitable for this role, since their IPID implementations have been patched [http://seclists.org/bugtraq/1999/Oct/0263.html]. Computers chosen to be used in this stage are sometimes known as "zombies". Once a suitable zombie is found, the next step is to send a SYN packet to the target computer, spoofing the zombie's IP address as the source. If the port on the target computer is open, the target responds with a SYN/ACK packet sent to the zombie. The zombie then sends a RST packet to the target, because it did not actually send the SYN packet in the first place. Since the zombie had to send the RST packet, it increments its IPID. This is how an attacker finds out that the target's port is open. If the IPID is not incremented, the attacker knows that the particular port is closed.
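The property that makes a host usable as a zombie can be checked on your own machines from IPID values seen in a packet capture. The following is an added example, not part of the original article; the function names, the `max_step` tolerance and the sample sequences are assumptions constructed for illustration.

```python
MOD = 1 << 16  # the IP identification field is 16 bits wide


def deltas(ipids):
    """Successive differences modulo 2^16, so a wrap 65535 -> 0 counts as +1."""
    return [(b - a) % MOD for a, b in zip(ipids, ipids[1:])]


def byteswap(value):
    """Swap the two bytes of a 16-bit value (counter kept in the other byte order)."""
    return ((value & 0xFF) << 8) | (value >> 8)


def classify_ipid(ipids, max_step=10):
    """Return 'constant', 'incremental', 'incremental-byteswapped' or 'unpredictable'.

    max_step is an assumed tolerance: a mostly idle host may still send a few
    packets of its own between two observed samples.
    """
    if len(ipids) < 3:
        raise ValueError("need at least 3 samples")
    if len(set(ipids)) == 1:
        return "constant"
    if all(1 <= d <= max_step for d in deltas(ipids)):
        return "incremental"
    if all(1 <= d <= max_step for d in deltas([byteswap(v) for v in ipids])):
        return "incremental-byteswapped"
    return "unpredictable"


def exposes_packet_count(ipids):
    """A shared incrementing counter tells any observer how many packets were sent."""
    return classify_ipid(ipids).startswith("incremental")


# Constructed sample sequences (not taken from real hosts).
SEQUENTIAL = [65533, 65534, 65535, 0, 1]     # wraps around the 16-bit boundary
BYTESWAPPED = [0x0100, 0x0200, 0x0300, 0x0400]
RANDOMIZED = [40211, 1377, 58102, 22950, 9004]
ALL_ZERO = [0, 0, 0, 0]

if __name__ == "__main__":
    for name, seq in [("sequential", SEQUENTIAL), ("byteswapped", BYTESWAPPED),
                      ("randomized", RANDOMIZED), ("all-zero", ALL_ZERO)]:
        print(name, classify_ipid(seq), exposes_packet_count(seq))
```

A host that classifies as incremental leaks its outbound packet count to anyone who can elicit a reply from it, which is the behaviour the patched systems mentioned above no longer show.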

Nmap method

The first thing the user would do is to find a suitable zombie on the LAN:

nmap -sP 192.168.1.0/24

This tells Nmap to do a ping sweep and show all hosts that are up in the given IP range. Once you have found a zombie, next you would send the spoofed packets:

nmap -P0 -p <port> -sI <zombie IP> <target IP>

The accompanying images show both of these stages in a successful scenario.

Effectiveness

Although many operating systems are now immune from being used in this attack, some popular systems are still vulnerable [http://joeljose.pbwiki.com/BAIS(Born%20Again%20Idle%20Scan)], which keeps the idle scan very effective. Once a successful scan is completed, there is no trace of the attacker's IP address in the target's firewall or intrusion-detection system logs. Another useful possibility is bypassing a firewall, because the target is being scanned from the zombie's computer [http://insecure.org/nmap/man/man-port-scanning-techniques.html], which might have more rights than the attacker's.
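The target's logs show only the zombie's address, but the zombie's side of the exchange is still observable: it receives SYN/ACKs for connections it never opened and answers them with RSTs. The following detection sketch is an added example, not part of the original article; the addresses, packet records and threshold are constructed assumptions.

```python
from collections import Counter

HOST = "192.0.2.10"  # constructed address of the monitored host (potential zombie)

# Constructed packet summaries: (src, sport, dst, dport, tcp_flags)
PACKETS = [
    (HOST, 50000, "198.51.100.7", 443, "S"),    # host really opens a connection
    ("198.51.100.7", 443, HOST, 50000, "SA"),   # solicited reply, not counted
    ("203.0.113.5", 22, HOST, 40001, "SA"),     # no SYN was sent for this one
    (HOST, 40001, "203.0.113.5", 22, "R"),      # host resets it
    ("203.0.113.5", 80, HOST, 40002, "SA"),
    (HOST, 40002, "203.0.113.5", 80, "R"),
    ("203.0.113.5", 443, HOST, 40003, "SA"),
    (HOST, 40003, "203.0.113.5", 443, "R"),
    ("198.51.100.99", 80, HOST, 41000, "SA"),   # single stray packet (backscatter)
]


def unsolicited_synacks(packets, host):
    """Count SYN/ACKs per remote address that match no SYN sent by `host`."""
    pending = set()   # (remote_ip, remote_port, local_port) of outstanding SYNs
    hits = Counter()
    for src, sport, dst, dport, flags in packets:
        if src == host and flags == "S":
            pending.add((dst, dport, sport))
        elif dst == host and flags == "SA":
            key = (src, sport, dport)
            if key in pending:
                pending.discard(key)   # normal handshake reply
            else:
                hits[src] += 1         # reply to a SYN this host never sent
    return hits


def alerts(packets, host, threshold=3):
    """Remote addresses whose unsolicited SYN/ACK count reaches the threshold."""
    counts = unsolicited_synacks(packets, host)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    print(alerts(PACKETS, HOST))
```

The address this flags is the machine being scanned, not the scanner, so an alert tells you that your host is being used as a zombie against that address.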

External links

* [http://insecure.org/nmap/idlescan.html Insecure.org/nmap/idlescan] - An in-depth article on idle scanning
* [http://insecure.org/ Insecure.org] - Official site of Nmap
* [http://hping.org/ Hping.org] - Official site of Hping
* [http://nmap-online.com/ Nmap-Online.com] - An online Nmap scanner
* [http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1195745,00.html Techtarget.com] - An article on idle scanning
* [http://seclists.org/bugtraq/1998/Dec/0079.html Seclists.org] - Original bugtraq post


Wikimedia Foundation. 2010.
