Penetration Testing mailing list archives

Re: Changing Source Port For Nmap Idle Scan


From: Joachim Schipper <j.schipper () math uu nl>
Date: Mon, 28 Mar 2005 21:02:08 +0200

On Mon, Mar 28, 2005 at 02:50:47AM -0000, SecureHacK wrote:


Hello. I have a quick question. I have been experimenting with idle scanning; I have read the paper on it and
have an understanding of what goes on during the process, and I am also an avid nmap user. What I am trying to figure out
is: is there any way to change the port to use during the idle scan? By default it's port 80, so using the -g option it
should change the source port to whatever I want. I have used this option but it still only uses port 80. Is this
changeable? For example, find a machine with port 139 open: could we change our source port to 139 and use that?

                                        Cheers

It's in TFMP (for 3.75 at least), see the following snippet (in
particular the last paragraph) from nmap(1):

       -sI <zombie host[:probeport]>
              Idlescan: This advanced scan method allows for a truly blind TCP
              port scan of the target (meaning no packets are sent to the
              target from your real IP address). Instead, a unique side-channel
              attack exploits predictable "IP fragmentation ID" sequence
              generation on the zombie host to glean information about the open
              ports on the target. IDS systems will display the scan as coming
              from the zombie machine you specify (which must be up and meet
              certain criteria). I wrote an informal paper about this technique
              at http://www.insecure.org/nmap/idlescan.html .

              Besides being extraordinarily stealthy (due to its blind nature),
              this scan type permits mapping out IP-based trust relationships
              between machines. The port listing shows open ports from the
              perspective of the zombie host. So you can try scanning a target
              using various zombies that you think might be trusted (via
              router/packet filter rules). Obviously this is crucial
              information when prioritizing attack targets. Otherwise, you
              penetration testers might have to expend considerable resources
              "owning" an intermediate system, only to find out that its IP
              isn't even trusted by the target host/network you are ultimately
              after.

              You can add a colon followed by a port number if you wish to
              probe a particular port on the zombie host for IPID changes.
              Otherwise Nmap will use the port it uses by default for "tcp
              pings".

Good luck,

                Joachim
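To make the IP ID side channel in the quoted man page concrete, here is an added simulation (my own, not code from the thread or from Nmap) of the three-party exchange. It assumes a zombie that is otherwise idle, and it also shows the mitigation: a host whose OS randomises IP IDs cannot serve as a zombie, which is the property worth auditing on your own hosts.

```python
import random

# Constructed model of the idle-scan side channel from the man page excerpt
# above. No packets are sent; it only tracks which host emits a packet and
# the IP ID that packet carries. Names are my own, not Nmap's.
class Zombie:
    # Each packet the zombie emits takes its next IP ID: +1 per packet for the
    # predictable generator the scan relies on, or a fresh random value when
    # the OS randomises IP IDs (the mitigation that defeats the technique).
    def __init__(self, randomized, seed=7):
        self.randomized = randomized
        self.rng = random.Random(seed)
        self.ipid = 1000

    def send_packet(self):
        if self.randomized:
            self.ipid = self.rng.randrange(65536)
        else:
            self.ipid = (self.ipid + 1) & 0xFFFF
        return self.ipid

    def probe(self):
        # Unsolicited SYN/ACK to the zombie's probe port draws a RST; its IP ID
        # is what the scanner reads.
        return self.send_packet()

class Target:
    def __init__(self, open_ports):
        self.open_ports = set(open_ports)

    def receive_spoofed_syn(self, port, zombie):
        # The SYN carries the zombie's address. Open port: SYN/ACK reaches the
        # zombie, which replies RST and burns one IP ID. Closed port: the
        # target's RST reaches the zombie, which ignores it and emits nothing.
        if port in self.open_ports:
            zombie.send_packet()

def idle_infer(zombie, target, port):
    # One round: probe, spoofed SYN to the target, probe again, read the step.
    before = zombie.probe()
    target.receive_spoofed_syn(port, zombie)
    after = zombie.probe()
    delta = (after - before) & 0xFFFF
    return {1: "closed", 2: "open"}.get(delta, "unknown")

def usable_as_zombie(zombie, probes=8):
    # Audit check for your own hosts: only a strictly +1 sequence is usable.
    ids = [zombie.probe() for _ in range(probes)]
    return all((b - a) & 0xFFFF == 1 for a, b in zip(ids, ids[1:]))
```

With the incremental zombie the verdict comes out of a step of 1 or 2; with the randomised one the steps are noise, so the same rounds return "unknown" and the audit check fails.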

