Nmap Development mailing list archives
Re: scanning idle-hosts (sorry for beeing a little OT)
From: Jan Reister <Jan.Reister () unimi it>
Date: Mon, 24 May 2010 09:11:44 +0200
On 21/05/2010 10:13, Doggy Dog wrote:
> then we came across the idle-scan method, had some fun using voip-phones and printers as zombies and built a wrapper around nmap to give a nice list on probably detected zombies of a given network. but then we discovered, that nearly any windows-machine we scanned, from win2000/win2003/xp and even server2008 would give a great zombie ...
The idle scan relies on:
- a zombie's predictable IP ID sequence generation method
- a zombie being underused, idle most of the time so that IP ID changes may be usefully interpreted by nmap.

Windows boxen (as well as Sun Solaris, some linux...) have an IP ID Sequence Generation: Incremental but, being typically very active on the network (at least during office hours) they are less suitable as a zombie, since they will show fast changing IP IDs.

See the nmap book page 117 and following, or browse: http://nmap.org/book/idlescan.html

Jan
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
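The two conditions named in the reply above (an incremental IP ID counter, and a host quiet enough that the counter only moves when probed) can be checked from a few IP ID values sampled from one of your own hosts. This is an added example, not part of the original message and not Nmap's code; the `max_step` threshold, the class names and the sample values are assumptions constructed for illustration, and it goes slightly beyond the text by also handling wraparound and counters sent in swapped byte order.

```python
# Added example, not Nmap's code. Values in SAMPLES are constructed.
IPID_MOD = 1 << 16  # the IPv4 Identification field is 16 bits wide

def deltas(ids):
    """Step between consecutive IP IDs, allowing for 16-bit wraparound."""
    return [(b - a) % IPID_MOD for a, b in zip(ids, ids[1:])]

def byteswap(ipid):
    """Undo a counter that the host put on the wire in the wrong byte order."""
    return ((ipid & 0xFF) << 8) | (ipid >> 8)

def classify_ipid(ids, max_step=1000):
    """Return (sequence_class, idle) for IP IDs from consecutive probe replies.

    max_step is an assumed cut-off between a busy counter and random values.
    idle is True only when every reply used the very next counter value,
    meaning the host sent nothing else between probes.
    """
    if len(ids) < 3:
        raise ValueError("need at least 3 samples")
    if len(set(ids)) == 1:
        return ("all-zero" if ids[0] == 0 else "constant", False)
    candidates = [
        ("incremental", deltas(ids)),
        ("incremental (byte-swapped)", deltas([byteswap(i) for i in ids])),
    ]
    # Keep whichever byte order gives the smaller worst-case step.
    name, steps = min(candidates, key=lambda c: max(c[1]))
    if max(steps) > max_step:
        return ("random", False)
    return (name, all(s == 1 for s in steps))

SAMPLES = {  # constructed sequences, one value per probe reply
    "printer": [4101, 4102, 4103, 4104, 4105],
    "office-pc": [52000, 52017, 52041, 52043, 52090],
    "wraparound": [65534, 65535, 0, 1],
    "byte-swapped": [0xFE00, 0xFF00, 0x0001, 0x0101],
    "randomized": [31337, 902, 48811, 17, 60123],
    "zero": [0, 0, 0, 0],
}

if __name__ == "__main__":
    for host, ids in SAMPLES.items():
        print(f"{host:13} {classify_ipid(ids)}")
```

The "office-pc" sample is the case the reply describes: the counter is incremental, but it jumps between samples because the host is sending other traffic.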