Channel: Pax Pentest » Nmap

Learning Nmap Security Network Port Scanner: TCP Idle Zombie Scan (-sI)


This is the thirteenth post detailing my notes on Nmap Network Scanning.

This fairly lengthy section on the Idle Scan can be read in full here.

This is the stealthiest of all scans, as it is achieved without sending a single packet to the target from the attacking machine. The idea is to completely hide the attacking IP address by bouncing the scan off a “zombie host”. This method can also reveal IP-based trust relationships and defeat some firewalls.

The first stage of this scan is to identify an appropriate zombie (a simple network device) and confirm that it is idle by observing how it assigns the fragment identification number (IP ID) carried in the IP header. Ideally I am looking for IP IDs that increase by one with each packet the zombie sends, so I will use Nmap’s IPID Sequence Scanner script (ipidseq) to verify this.

I don’t understand how to locate potential idle hosts; however, I do have a printer on my network and know its IP.

:~# nmap --script ipidseq 192.168.1.86

Starting Nmap 6.25 ( http://nmap.org ) at 2013-07-08 13:26 BST
Nmap scan report for EPSON349BD2.home (192.168.1.86)
Host is up (0.017s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
80/tcp open http
515/tcp open printer
9100/tcp open jetdirect
MAC Address: A4:EE:57:34:9B:D2 (Seiko Epson)

Host script results:
|_ipidseq: All zeros

Sadly, the result is “All zeros”, which renders this printer unusable as a zombie.
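The class that ipidseq prints (“All zeros” for the printer above, “Incremental!” for a host that would work as a zombie) can be reproduced offline from the IP ID field of a host’s replies, which is handy when auditing your own network for devices that would serve as zombies. The following is an added example, not Nmap’s code: it models the classes reported by ipidseq using the thresholds Nmap documents for its IP ID (TI) test (the exact cut-offs here are approximations), the function names are my own, and the header bytes and ID sequences are constructed rather than captured from real hosts.

```python
"""Classify an IP ID sequence into the classes Nmap's ipidseq script reports.

Added example, not Nmap's own code. Thresholds approximate Nmap's TI test;
the sample header and ID sequences below are constructed for illustration.
"""
import struct

# Constructed 20-byte IPv4 header: version/IHL 0x45, total length 52,
# identification 0x1234, flags DF, TTL 64, TCP, src 192.168.1.86, dst 192.168.1.1
SAMPLE_IPV4_HEADER = bytes.fromhex(
    "4500003412344000400600000a0a0a560a0a0a01".replace("0a0a0a56", "c0a80156")
                                              .replace("0a0a0a01", "c0a80101")
)

# Constructed sequence standing in for the printer's replies seen above
PRINTER_IPIDS = [0, 0, 0, 0, 0]


def ipid_from_ipv4_header(packet: bytes) -> int:
    """Return the 16-bit Identification field of an IPv4 header (bytes 4-5)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return struct.unpack_from("!H", packet, 4)[0]


def _diffs(ipids):
    # Successive differences modulo 2^16, so a wrap from 65535 to 0 counts as +1
    return [(b - a) % 65536 for a, b in zip(ipids, ipids[1:])]


def classify_ipid_sequence(ipids) -> str:
    """Map a list of IP IDs (in send order) to an ipidseq-style class name."""
    if len(ipids) < 2:
        raise ValueError("need at least two IP IDs")
    if all(i == 0 for i in ipids):
        return "All zeros"
    diffs = _diffs(ipids)
    if all(d == 0 for d in diffs):
        return "Constant"
    # Any jump of 20000 or more means the host randomizes its IP IDs
    if any(d >= 20000 for d in diffs):
        return "Randomized"
    # Large positive jumps that are not simple byte-swapped increments
    if any(d > 1000 and (d % 256 != 0 or d >= 5000) for d in diffs):
        return "Random positive increments"
    # Increments of 256 are a byte-swapped (little-endian) counter
    if all(d % 256 == 0 and d <= 5120 for d in diffs):
        return "Broken little-endian incremental"
    if all(d < 10 for d in diffs):
        return "Incremental"
    return "Busy server or unknown class"


def usable_as_zombie(ipids) -> bool:
    """Only a plain incremental counter lets an idle scan attribute replies."""
    return classify_ipid_sequence(ipids) == "Incremental"


if __name__ == "__main__":
    print(hex(ipid_from_ipv4_header(SAMPLE_IPV4_HEADER)))   # 0x1234
    for seq in (PRINTER_IPIDS, [100, 101, 102, 103], [256, 512, 768],
                [1234, 40000, 3], [1, 50, 100]):
        print(seq, "->", classify_ipid_sequence(seq), "zombie:", usable_as_zombie(seq))
```

Fed with the IP IDs from a capture of a device’s replies, `classify_ipid_sequence` returning anything other than “Incremental” means the device cannot be used as a zombie; hosts that do come back “Incremental” are the ones worth fixing (or isolating), since an attacker could use them to hide a scan of your network.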

And that’s as far as I can go, as I have no other potential zombie to perform this scan and no idea how to force the printer to respond with incremental packets.

Gutted.

