Idle Scans with Nmap

Explore how to perform idle scans with Nmap to conduct covert TCP port scanning by utilizing a zombie host for relaying packets. Understand the technique's mechanics, requirements, and practical use cases for stealthy network reconnaissance, trust mapping, and bypassing intrusion detection systems. This lesson helps you grasp the complexities of TCP/IP exploitation for almost undetectable scanning while emphasizing ethical use.

An idle scan, denoted as -sI in Nmap’s syntax, is an advanced and covert method for performing TCP port scans on a target system. This technique is unique because it allows for a blind port scan, where no packets are sent directly to the target from the attacker’s real IP address. Instead, it utilizes a zombie host to relay the scan, making the activity nearly undetectable and extremely stealthy.

How do idle scans work?

Idle scans work by exploiting a side channel in the TCP/IP protocol: they leverage the predictable way the zombie host generates the IP identification (IP ID) field, the value normally used to reassemble fragments. The attacker sends crafted packets to the target system but with the source address spoofed to that of the ...
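The property the scan depends on is the zombie's predictable IP ID counter, so the defender's question is "would any of my hosts make a usable zombie?" The following is an added example, not code from the lesson or from Nmap: it classifies the IP ID values observed in a few consecutive replies from a host and flags hosts whose counter advances predictably, which is the signal to enable IP ID randomization on them. The category names, the step threshold and the sample sequences are my own assumptions and constructed data, not anything the lesson states.

```python
"""Classify an IP identification (IP ID) sequence observed from a host.

A host is usable as an idle-scan zombie when its IP ID advances predictably
(classically +1 per packet it sends). Collect the IP ID of several consecutive
replies from a host you own and feed them to classify_ipid_sequence(); any
host reported as predictable should have IP ID randomization turned on.

Category names and the 'small step' threshold below are this example's own
choices, loosely inspired by the categories Nmap's IP ID sequence test reports.
"""
from typing import Dict, List, Tuple

ALL_ZEROS = "all zeros (not usable as zombie)"
CONSTANT = "constant (not usable as zombie)"
INCREMENTAL = "incremental (predictable; usable as zombie)"
BROKEN_LE = "broken little-endian incremental (predictable; usable as zombie)"
RANDOMIZED = "randomized (not usable as zombie)"

MAX_SMALL_STEP = 5  # assumption: steps of 1..5 between replies count as 'incremental'


def _deltas(ids: List[int], modulus: int = 1 << 16) -> List[int]:
    """Per-reply increments of the 16-bit counter, honouring wrap-around at 65535."""
    return [(b - a) % modulus for a, b in zip(ids, ids[1:])]


def _byteswap16(value: int) -> int:
    """Swap the two bytes of a 16-bit value (some stacks emit the counter byte-swapped)."""
    return ((value & 0xFF) << 8) | ((value >> 8) & 0xFF)


def classify_ipid_sequence(ids: List[int]) -> str:
    """Return the category string for a sequence of observed IP ID values."""
    if len(ids) < 2:
        raise ValueError("need at least two IP ID samples")
    if any(not 0 <= v <= 0xFFFF for v in ids):
        raise ValueError("IP ID values must fit in 16 bits")
    if all(v == 0 for v in ids):
        return ALL_ZEROS
    if len(set(ids)) == 1:
        return CONSTANT
    # Small positive steps (with wrap-around) mean a shared, predictable counter.
    if all(0 < d <= MAX_SMALL_STEP for d in _deltas(ids)):
        return INCREMENTAL
    # The same test on byte-swapped values catches little-endian counters.
    if all(0 < d <= MAX_SMALL_STEP for d in _deltas([_byteswap16(v) for v in ids])):
        return BROKEN_LE
    return RANDOMIZED


def is_usable_zombie(ids: List[int]) -> bool:
    """True when the host's IP ID behaviour would let it relay an idle scan."""
    return classify_ipid_sequence(ids) in (INCREMENTAL, BROKEN_LE)


def assess_hosts(samples: Dict[str, List[int]]) -> List[Tuple[str, str, bool]]:
    """Return (host, category, needs_hardening) for each host's observed IP IDs."""
    return [(host, classify_ipid_sequence(ids), is_usable_zombie(ids))
            for host, ids in samples.items()]


# Constructed sample observations (not captured traffic): hostnames are placeholders.
SAMPLES: Dict[str, List[int]] = {
    "printer.example.test":   [1000, 1001, 1002, 1003, 1004],        # classic +1 counter
    "legacy-nas.example.test": [0xE803, 0xE903, 0xEA03, 0xEB03],     # byte-swapped +1 counter
    "fw.example.test":        [0, 0, 0, 0],                         # IP ID zeroed (DF set)
    "workstation.example.test": [0x1A2B, 0x9C41, 0x0337, 0xF00D],   # randomized IP ID
}

if __name__ == "__main__":
    for host, category, needs_hardening in assess_hosts(SAMPLES):
        flag = "HARDEN: enable IP ID randomization" if needs_hardening else "ok"
        print(f"{host:28} {category:60} {flag}")
```

Modern operating systems randomize or zero the IP ID by default, so in practice the hosts this check flags tend to be embedded devices, printers and older appliances; those are the ones whose presence on a network turns the side channel into a usable relay.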