Nmap Development mailing list archives

Re: Patch: Setting the flags for Idlescan


From: Kurt Grutzmacher <grutz () jingojango net>
Date: Thu, 16 Mar 2006 17:57:24 -0800

On Mar 16, 2006, at 5:09 PM, Fyodor wrote:

> On Thu, Mar 16, 2006 at 04:55:53PM -0800, Kurt Grutzmacher wrote:
>> ACK:
>>
>> SENT (0.1810s) TCP xx.yy.zz.ME:45762 > xx.yy.zz.ZOMBIE:55 A ttl=58 id=4557 iplen=44 seq=395955956 win=3072 ack=3026693419
>> RCVD (0.1810s) TCP xx.yy.zz.ZOMBIE:55 > xx.yy.zz.ME:45762 R ttl=64 id=54084 iplen=40 seq=3026693419 win=0
>> Idlescan using zombie xx.yy.zz.ZOMBIE (xx.yy.zz.ZOMBIE:55); Class: Incremental
>>
>> Certainly a unique situation but still possible.
>
> But does the scan actually end up producing valid results?  Remember
> that the target will be sending back SYN/ACK packets to the zombie,
> which may be dropped in the same way the SYN/ACKs you send to the
> zombie are.

Yep:

RCVD (0.8450s) TCP xx.yy.zz.ZOMBIE:55 > xx.yy.zz.ME:45797 R ttl=64 id=54095 iplen=40 seq=1114094116 win=0
Interesting ports on xx.yy.zz.LOCALVICTIM:
PORT   STATE SERVICE
22/tcp open  ssh
MAC Address: 00:DE:AD:BE:EF:00 (Foomagic)

Nmap finished: 1 IP address (1 host up) scanned in 1.158 seconds

But only when on the local subnet:

# nmap -P0 -sI ZOMBIE:22 download.insecure.org -p 80 -n --idleflags 16

Starting Nmap 4.02Alpha2 ( http://www.insecure.org/nmap/ ) at 2006-03-16 17:51 PST
Idlescan using flags 16
Idlescan using zombie ZOMBIE (ZOMBIE:22); Class: Incremental
Interesting ports on 205.217.153.53:
PORT   STATE SERVICE
80/tcp open  http

Nmap finished: 1 IP address (1 host up) scanned in 1.230 seconds

# nmap -P0 -sI ZOMBIE:55 download.insecure.org -p 80 -n --idleflags 16

Starting Nmap 4.02Alpha2 ( http://www.insecure.org/nmap/ ) at 2006-03-16 17:55 PST
Idlescan using flags 16
Idlescan using zombie ZOMBIE (ZOMBIE:55); Class: Incremental
Interesting ports on 205.217.153.53:
PORT   STATE           SERVICE
80/tcp closed|filtered http

Nmap finished: 1 IP address (1 host up) scanned in 1.491 seconds

This is such sorcery!

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
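The thread turns on two things visible in the packet trace above: the probe to the zombie carries exactly the flags given by the numeric --idleflags value (16 is the ACK bit), and the zombie's RST replies carry IP IDs that step up by a small constant, which is what Nmap reports as "Class: Incremental". The following is an added example, not Nmap's own code, written from the defender's side: it parses --packet-trace lines of the shape quoted in the thread, decodes the flag mask, and classifies a host's IP ID sequence so you can check whether one of your own hosts exposes a predictable counter (the property that makes it usable as a zombie). Addresses, IP IDs and the trace text are constructed; the "Incremental / Randomized / All zeros" classifier is a simplified heuristic, not Nmap's exact algorithm.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# TCP header flag bits; the thread's "--idleflags 16" is the ACK bit.
TCP_FLAG_BITS = {"F": 1, "S": 2, "R": 4, "P": 8, "A": 16, "U": 32}


def idleflags_to_letters(value: int) -> str:
    """Decode a numeric flag mask into Nmap's one-letter flag notation."""
    return "".join(letter for letter, bit in TCP_FLAG_BITS.items() if value & bit)


# Matches Nmap --packet-trace TCP lines like the ones quoted in the thread;
# fields after id= are not needed here and are left unparsed.
TRACE_RE = re.compile(
    r"^(?P<dir>SENT|RCVD) \((?P<t>[\d.]+)s\) TCP "
    r"(?P<src>\S+):(?P<sport>\d+) > (?P<dst>\S+):(?P<dport>\d+) "
    r"(?P<flags>[A-Z]+) ttl=(?P<ttl>\d+) id=(?P<id>\d+)"
)


@dataclass
class TraceLine:
    direction: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str
    ttl: int
    ip_id: int


def parse_trace(text: str) -> List[TraceLine]:
    """Parse SENT/RCVD lines; anything that is not a packet-trace line is skipped."""
    out = []
    for raw in text.splitlines():
        m = TRACE_RE.match(raw.strip())
        if m:
            out.append(TraceLine(m["dir"], m["src"], int(m["sport"]), m["dst"],
                                 int(m["dport"]), m["flags"], int(m["ttl"]),
                                 int(m["id"])))
    return out


def classify_ipid(ids: List[int], max_step: int = 1000) -> str:
    """Simplified IP ID class, in the spirit of the 'Class:' Nmap prints.

    Incremental: every delta (mod 2^16, so wraparound is handled) is a small
                 positive step, i.e. the host is a predictable counter.
    All zeros:   the host never sets the IP ID field.
    Randomized:  anything else; not usable as a counter, which is what a
                 defender wants to see on their own hosts.
    """
    if len(ids) < 2:
        return "Unknown"
    if all(i == 0 for i in ids):
        return "All zeros"
    deltas = [(b - a) % 65536 for a, b in zip(ids, ids[1:])]
    if all(0 < d <= max_step for d in deltas):
        return "Incremental"
    return "Randomized"


def zombie_report(trace_text: str, zombie: str, idleflags: int) -> Dict[str, object]:
    """Summarise whether a host in the trace behaves as a usable idle-scan zombie."""
    lines = parse_trace(trace_text)
    probe_flags = idleflags_to_letters(idleflags)
    sent = [ln for ln in lines if ln.direction == "SENT" and ln.dst == zombie]
    rcvd = [ln for ln in lines if ln.direction == "RCVD" and ln.src == zombie]
    return {
        "probe_flags": probe_flags,
        "probes_match_idleflags": all(ln.flags == probe_flags for ln in sent),
        "all_replies_rst": bool(rcvd) and all(ln.flags == "R" for ln in rcvd),
        "ipid_class": classify_ipid([ln.ip_id for ln in rcvd]),
        "samples": len(rcvd),
    }


# Constructed sample trace (addresses and IP IDs are made up, modelled on the
# lines quoted in the thread): ACK probes to the zombie's port 55, each
# answered by a RST whose IP ID increments by one.
SAMPLE_TRACE = """\
SENT (0.1810s) TCP 192.0.2.10:45762 > 192.0.2.55:55 A ttl=58 id=4557 iplen=44 seq=395955956 win=3072 ack=3026693419
RCVD (0.1810s) TCP 192.0.2.55:55 > 192.0.2.10:45762 R ttl=64 id=54084 iplen=40 seq=3026693419 win=0
SENT (0.3820s) TCP 192.0.2.10:45763 > 192.0.2.55:55 A ttl=58 id=4558 iplen=44 seq=395955957 win=3072 ack=3026693420
RCVD (0.3820s) TCP 192.0.2.55:55 > 192.0.2.10:45763 R ttl=64 id=54085 iplen=40 seq=3026693420 win=0
SENT (0.5830s) TCP 192.0.2.10:45764 > 192.0.2.55:55 A ttl=58 id=4559 iplen=44 seq=395955958 win=3072 ack=3026693421
RCVD (0.5830s) TCP 192.0.2.55:55 > 192.0.2.10:45764 R ttl=64 id=54086 iplen=40 seq=3026693421 win=0
Idlescan using zombie 192.0.2.55 (192.0.2.55:55); Class: Incremental
"""

if __name__ == "__main__":
    print(zombie_report(SAMPLE_TRACE, "192.0.2.55", 16))
```

Run against a trace from one of your own hosts, an "ipid_class" of "Incremental" together with "all_replies_rst" is the combination to fix (by enabling randomized IP IDs on that host), since it is exactly what the scan in the thread relies on; "Randomized" or "All zeros" means the host cannot serve as a predictable counter.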
