
Problem Nmap IDLE Scan

Discussion in 'Computer Security' started by tamilselvi, May 28, 2014.

  1. tamilselvi

    tamilselvi New Member

    I have been researching port scanning and using nmap for the purpose.

    Can someone explain why a Zombie is needed to do an IDLE Scan when one can simply probe the Sequence ID of a system and use it for spoofing and scanning the Victim system?

    Idle scan uses a Zombie which is staying connected with the attacker machine. Nmap probes the Zombie for its IP ID and spoofs the IP of the Attacker machine with the Zombie's and does a scan on the specified Victim's port. After probing the victim and getting a 100% data loss which means the victim replied to the Zombie it again probes the Zombie to get its IP ID now with which it decides whether a port is open or not.

    If all you do is probe the Zombie and nothing else with it, why do you want to connect a Zombie to the Attacker machine to do an IDLE SCAN?

    Thanks in Advance.
  2. Monkeychops

    Monkeychops Kilobyte Poster

    Have a good read of the NMAP guide on idle scanning

    TCP Idle Scan (-sI)

    The main reason why you would use a zombie to perform the scan is:

    "Attackers can actually scan a target without sending a single packet to the target from their own IP address!

    Intrusion detection system (IDS) reports will finger the innocent zombie as the attacker."

    Basically so you can scan something without it giving away your IP.

    Also, it allows you to perform a scan as if you had the IP address of the zombie machine. The article linked above has some examples of why you may want to do this.
    Last edited: May 28, 2014
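To make the mechanism in the first two posts concrete, here is an added simulation (not code from this thread and not Nmap's own implementation) that models only the zombie's IP ID counter; no packets are sent. The class and function names (`Zombie`, `infer_port_state`, `zombie_is_usable`, `scan`), the starting counter value and the port list are all constructed for the example. It shows why the zombie has to be a third host: the scanner never hears from the target at all, it reads the port state off how far the zombie's counter advanced, so the technique only works against a host whose IP ID goes up by exactly 1 per packet. From the defender's side, that is the whole countermeasure: a host that randomises its IP IDs (the second `Zombie` below) fails the usability check and cannot be used as a zombie.

```python
import random

IPID_MASK = 0xFFFF  # the IP ID field is 16 bits wide


class Zombie:
    """Constructed model of a third-party host: every packet it emits stamps
    the next IP ID. incremental=True models the single global counter an idle
    scan relies on; incremental=False models a host that randomises IP IDs."""

    def __init__(self, incremental: bool, seed: int = 0) -> None:
        self.incremental = incremental
        self._rng = random.Random(seed)
        self.ipid = 1000  # arbitrary starting counter value (constructed)

    def emit_packet(self) -> int:
        """Consume one IP ID and return the value stamped on the packet."""
        if self.incremental:
            self.ipid = (self.ipid + 1) & IPID_MASK
        else:
            self.ipid = self._rng.randrange(0, IPID_MASK + 1)
        return self.ipid

    def answer_probe(self) -> int:
        """The scanner sends the zombie an unsolicited SYN/ACK; the zombie
        replies with one RST, and that RST's IP ID is what gets observed."""
        return self.emit_packet()


def target_reply(port_open: bool, zombie: Zombie) -> None:
    """Model the target receiving a SYN whose source address is the zombie's.
    Open port: the target sends SYN/ACK to the zombie, which never started
    that handshake, so it answers with a RST (one more IP ID consumed).
    Closed port: the target sends a RST, which the zombie silently ignores.
    A filtered port (no reply at all) looks exactly like a closed one."""
    if port_open:
        zombie.emit_packet()


def infer_port_state(zombie: Zombie, port_open: bool) -> str:
    """One idle-scan step as described in the thread: probe the zombie, let the
    target react, probe again, and read the port state off the IP ID delta."""
    before = zombie.answer_probe()
    target_reply(port_open, zombie)
    after = zombie.answer_probe()
    delta = (after - before) & IPID_MASK
    if delta == 1:
        return "closed|filtered"
    if delta == 2:
        return "open"
    return "unknown"  # the counter is not behaving incrementally


def zombie_is_usable(zombie: Zombie, probes: int = 6) -> bool:
    """Why a zombie is needed at all: the inference only works against a host
    whose IP ID advances by exactly 1 per packet it sends. Probe it several
    times while nothing else is happening and require every delta to be 1."""
    ids = [zombie.answer_probe() for _ in range(probes)]
    return all(((b - a) & IPID_MASK) == 1 for a, b in zip(ids, ids[1:]))


def scan(zombie: Zombie, true_states: dict) -> dict:
    """Infer each port's state from the zombie's counter. true_states is the
    constructed ground truth the simulated target uses to decide its reply."""
    return {port: infer_port_state(zombie, is_open) for port, is_open in true_states.items()}


if __name__ == "__main__":
    ground_truth = {22: True, 80: True, 443: False, 8080: False}  # constructed
    good = Zombie(incremental=True)
    print("incremental host usable as zombie:", zombie_is_usable(good))
    print("inferred states:", scan(good, ground_truth))
    bad = Zombie(incremental=False)
    print("randomised host usable as zombie:", zombie_is_usable(bad))
```

Running it shows the incremental host passing the usability check and every port being inferred correctly, while the host with randomised IP IDs fails the check, which is what the Nmap guide's "find an appropriate zombie" step is about: the zombie is not something you connect to your machine, it is a host whose counter happens to be readable this way.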
  3. tamilselvi

    tamilselvi New Member

    Thank you very much.

    I have gone through the Link you have mentioned but the thing I wanted to get cleared is whether we need to set up a Zombie for sure and get it connected to our system to do an IDLE scan?

    I'm able to get the results even if I'm using a system that is not a Zombie one.

    What does it mean here?
    The first step in executing an IP ID idle scan is to find an appropriate zombie.
    Last edited: May 29, 2014
