Nmap Development mailing list archives

Re: scanning idle-hosts (sorry for being a little OT)


From: Jan Reister <Jan.Reister () unimi it>
Date: Mon, 24 May 2010 09:11:44 +0200

On 21/05/2010 10:13, Doggy Dog wrote:
then we came across the idle-scan method, had some fun
using VoIP phones and printers as zombies and built a wrapper
around nmap to give a nice list of probably detected zombies on
a given network.

but then we discovered that nearly any Windows machine we scanned,
from Win2000/Win2003/XP and even Server 2008, would give a great zombie ...

The idle scan relies on:

- a zombie's predictable IP ID sequence generation method
- a zombie being underused, idle most of the time so that IP ID changes
may be usefully interpreted by nmap.

Windows boxen (as well as Sun Solaris, some Linux...) have an
IP ID Sequence Generation: Incremental
but, being typically very active on the network (at least during office
hours), they are less suitable as zombies, since they will show fast
changing IP IDs.

See the nmap book, page 117 and following, or browse:
http://nmap.org/book/idlescan.html

Jan

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
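The two conditions Jan lists (a predictable, incremental IP ID sequence, and a host quiet enough that only the probes themselves advance the counter) can be checked from a handful of IP ID samples. The code below is an added example written for this archive page, not nmap's own IP ID classifier; the sample values are constructed and the thresholds (at most 10 per step for "incremental", at most one extra packet between probes for "idle") are this example's assumptions, useful for auditing whether one of your own printers or Windows hosts would pass as a zombie.

```python
from typing import List

# Constructed IP ID samples, as if read from replies sent at a fixed interval.
PRINTER = [0x1234, 0x1235, 0x1236, 0x1237, 0x1238]   # idle, counts by one
WINDOWS_BUSY = [1000, 1009, 1017, 1026, 1032]        # incremental but chatty
LINUX_RANDOM = [0x9A3F, 0x12C0, 0xE771, 0x5C08]      # randomised IP IDs
LE_PRINTER = [0x3412, 0x3512, 0x3612, 0x3712]        # counts by one, byte-swapped


def ipid_deltas(samples: List[int]) -> List[int]:
    """Differences between consecutive 16-bit IP ID samples, modulo 2**16."""
    return [(b - a) % 0x10000 for a, b in zip(samples, samples[1:])]


def byteswap16(v: int) -> int:
    """Swap the two bytes of a 16-bit value (little-endian counter on the wire)."""
    return ((v & 0xFF) << 8) | (v >> 8)


def sequence_class(samples: List[int]) -> str:
    """Rough equivalent of nmap's 'IP ID Sequence Generation' label.
    Threshold of 10 per step is an assumption, not nmap's exact rule."""
    if all(s == 0 for s in samples):
        return "All zeros"
    if all(0 < d <= 10 for d in ipid_deltas(samples)):
        return "Incremental"
    if all(0 < d <= 10 for d in ipid_deltas([byteswap16(s) for s in samples])):
        return "Broken little-endian incremental"
    return "Random"


def idle_enough(samples: List[int], max_extra: int = 1) -> bool:
    """Idle if, between probes, the counter advanced by the one packet our
    probe elicited plus at most max_extra packets of other traffic."""
    return all(1 <= d <= 1 + max_extra for d in ipid_deltas(samples))


def zombie_risk(samples: List[int]) -> str:
    """Combine both conditions into one verdict for the sampled host."""
    cls = sequence_class(samples)
    if cls == "Broken little-endian incremental":
        samples = [byteswap16(s) for s in samples]
    elif cls != "Incremental":
        return "not usable (%s)" % cls
    return "usable zombie" if idle_enough(samples) else "incremental but busy"
```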

