Saturday, May 16, 2009

TCP Idle Scan

  • 1998: Security researcher Antirez (who also wrote hping2) posted the technique to the Bugtraq mailing list
  • One way to determine whether a TCP port is open is to send a SYN packet to the port. The target machine will respond with a SYN/ACK packet if the port is open, and RST if the port is closed.
  • A machine that receives an unsolicited SYN/ACK packet will respond with a RST. An unsolicited RST will be ignored.
  • Every IP packet on the Internet has a fragment identification number (IPID). Since many operating systems simply increment this number for each packet they send, probing for the IPID can tell an attacker how many packets have been sent since the last probe.
  • Three cases to tell apart: the target port is ‘open’, ‘closed’ or ‘filtered’
  • The actors:
    - The Attacker: sends the IPID probes and the spoofed SYN, and only ever talks to the zombie directly
    - The Zombie: an idle host with an incrementing IPID, whose address is forged as the source of the SYN
    - The Target: the host whose port is being tested; during the scan it only sees traffic carrying the zombie's address
Case 1: Open Port
  • The attacker probes the zombie's IPID, then sends the target a SYN whose source address is the zombie's
  • The target answers the zombie with SYN/ACK; the zombie never sent a SYN, so it replies with a RST and its IPID increments
  • The attacker probes the zombie again: the IPID has advanced by 2 (the RST to the target plus the RST to the probe)
Case 2: Closed Port
  • The target answers the zombie with a RST; the zombie ignores the unsolicited RST and sends nothing
  • The second probe shows the IPID advanced by only 1 (the RST to the probe itself)
Case 3: Filtered Port
  • The spoofed SYN is dropped by the target or by a firewall in front of it, so the zombie receives nothing
  • The IPID again advances by only 1: from the attacker's side a filtered port looks exactly like a closed one, which is why Nmap reports such ports as ‘closed|filtered’

Nmap Idle Scans (-sI)
  • Find a suitable Zombie
    - We didn't just choose a printer icon to represent a zombie in our illustrations to be funny: simple network devices often make great zombies because they are commonly both underused (idle) and built with simple network stacks which are vulnerable to IPID traffic detection.
  • Execute the scan
    - Once a suitable zombie has been found, performing a scan is easy. Simply specify the zombie hostname to the -sI option and Nmap does the rest.
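The following Python is an added example, not code from the original post or from Nmap. It models the three actors as objects and walks through both passages above: the three cases (open, closed, filtered) and the "find a suitable zombie" step. Every host, address and port state in it is constructed, no packets leave the machine, and the zombie check is a deliberately strict simplification of what Nmap actually does.

```python
"""Idle scan as a self-contained simulation (added example; nothing is sent on the wire).

Only the stack rules from the post are modelled: SYN -> SYN/ACK (open) or RST (closed),
an unsolicited SYN/ACK -> RST, an unsolicited RST is ignored, and an IP ID that
increments on every datagram a host emits.
"""
import random
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    flags: str      # "SYN", "SYN/ACK" or "RST"
    ipid: int = 0   # IP identification field of the datagram


class Host:
    """A TCP/IP stack reduced to an IP ID generator and a port state table."""

    def __init__(self, ip, ports=None, ipid_mode="incremental", seed=1):
        self.ip = ip
        self.ports = ports or {}            # port -> "open" | "closed" | "filtered"
        self.ipid_mode = ipid_mode          # "incremental", "random" or "zero"
        self._ipid = 1000                   # constructed starting IP ID
        self._rng = random.Random(seed)

    def next_ipid(self):
        if self.ipid_mode == "incremental":     # the classic, zombie-friendly stack
            self._ipid = (self._ipid + 1) & 0xFFFF
            return self._ipid
        if self.ipid_mode == "zero":            # stack that always sends IP ID 0
            return 0
        return self._rng.randrange(0x10000)     # randomized IP ID: useless as a zombie

    def send(self, dst, dport, flags):
        return Packet(self.ip, dst, dport, flags, self.next_ipid())

    def receive(self, pkt):
        """Apply the stack rules and return the reply packet, or None if silent."""
        if pkt.flags == "SYN":
            state = self.ports.get(pkt.dport, "closed")
            if state == "open":
                return self.send(pkt.src, pkt.dport, "SYN/ACK")
            if state == "closed":
                return self.send(pkt.src, pkt.dport, "RST")
            return None                                    # filtered: SYN is dropped
        if pkt.flags == "SYN/ACK":
            return self.send(pkt.src, pkt.dport, "RST")    # unsolicited SYN/ACK -> RST
        return None                                        # unsolicited RST is ignored


class Network:
    """Delivers a packet and lets its reply trigger one further reply (target -> zombie)."""

    def __init__(self, hosts):
        self.hosts = {h.ip: h for h in hosts}
        self.log = []                        # every packet that crossed the wire

    def transmit(self, pkt):
        self.log.append(pkt)
        host = self.hosts.get(pkt.dst)
        reply = host.receive(pkt) if host else None
        if reply is not None:
            self.log.append(reply)
            nxt = self.hosts.get(reply.dst)  # e.g. the zombie answering the target's SYN/ACK
            if nxt is not None:
                second = nxt.receive(reply)
                if second is not None:
                    self.log.append(second)
        return reply


def probe_ipid(net, attacker_ip, zombie_ip):
    """Unsolicited SYN/ACK to the zombie; the RST it returns carries its current IP ID."""
    return net.transmit(Packet(attacker_ip, zombie_ip, 80, "SYN/ACK")).ipid


def zombie_is_suitable(net, attacker_ip, zombie_ip, probes=6):
    """Accept the zombie only if successive probes show the IP ID rising by exactly 1.

    Nmap's real check is more tolerant (it also handles byte-swapped increments);
    a strict check keeps the example short.
    """
    ids = [probe_ipid(net, attacker_ip, zombie_ip) for _ in range(probes)]
    return all((b - a) & 0xFFFF == 1 for a, b in zip(ids, ids[1:]))


def idle_scan_port(net, attacker_ip, zombie_ip, target_ip, port):
    """Probe, spoofed SYN, probe; classify the port by how far the zombie's IP ID moved."""
    before = probe_ipid(net, attacker_ip, zombie_ip)
    # The SYN carries the zombie's address as source, so the target answers the zombie.
    net.transmit(Packet(zombie_ip, target_ip, port, "SYN"))
    after = probe_ipid(net, attacker_ip, zombie_ip)
    delta = (after - before) & 0xFFFF
    if delta == 2:
        return "open"                 # zombie sent a RST to the target, then a RST to us
    if delta == 1:
        return "closed|filtered"      # zombie sent only the RST to our probe
    return "unknown"                  # zombie was not idle, or has no usable IP ID


def run_demo():
    """Constructed scenario: an idle zombie and a target with one port of each kind."""
    zombie = Host("10.0.0.9")
    target = Host("10.0.0.20", {22: "open", 80: "closed", 443: "filtered"})
    net = Network([zombie, target])
    attacker = "10.0.0.66"
    if not zombie_is_suitable(net, attacker, zombie.ip):
        raise RuntimeError("zombie unusable")
    return {p: idle_scan_port(net, attacker, zombie.ip, target.ip, p) for p in (22, 80, 443)}


if __name__ == "__main__":
    for port, verdict in run_demo().items():
        print(f"port {port}: {verdict}")
```

Against the same constructed addresses the real scan would be `nmap -Pn -p 22,80,443 -sI 10.0.0.9 10.0.0.20`; -Pn is worth adding so that Nmap does not first ping the target from the attacker's real address. The `net.log` list is the simulated wire: inspect it to confirm that the target never sees a packet whose source is the attacker.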
