Penetration Testing mailing list archives
Re: Changing Source Port For Nmap Idle Scan
From: Joachim Schipper <j.schipper () math uu nl>
Date: Mon, 28 Mar 2005 21:02:08 +0200
On Mon, Mar 28, 2005 at 02:50:47AM -0000, SecureHacK wrote:
Hello I have a quick question I have been experimenting with idle scanning and I have read the paper on it and I have an understanding of what goes on during the process I am also an avid nmap user.What I am trying to figure out is is there anyway to change the port to use during the idle scan by default it's port 80 so using the -g option it should change the source port to whatever I want I have used this option but it still only uses port 80 is this changeable? For example find a machine with port 139 open could we change our source port to 139 and use that? Cheers
It's in TFMP (for 3.75 at least), see the following snippet (in particular the last pararaph) from nmap(1): -sI <zombie host[:probeport]> Idlescan: This advanced scan method allows for a truly blind TCP port scan of the target (meaning no packets are sent to the tar- get from your real IP address). Instead, a unique side-channel attack exploits predictable "IP fragmentation ID" sequence gen- eration on the zombie host to glean information about the open ports on the target. IDS systems will display the scan as com- ing from the zombie machine you specify (which must be up and meet certain criteria). I wrote an informal paper about this technique at http://www.insecure.org/nmap/idlescan.html . Besides being extraordinarily stealthy (due to its blind nature), this scan type permits mapping out IP-based trust rela- tionships between machines. The port listing shows open ports from the perspective of the zombie host. So you can try scan- ning a target using various zombies that you think might be trusted (via router/packet filter rules). Obviously this is crucial information when prioritizing attack targets. Other- wise, you penetration testers might have to expend considerable resources "owning" an intermediate system, only to find out that its IP isn't even trusted by the target host/network you are ultimately after. You can add a colon followed by a port number if you wish to probe a particular port on the zombie host for IPID changes. Otherwise Nmap will use the port it uses by default for "tcp pings". Good luck, Joachim
Current thread:
- Changing Source Port For Nmap Idle Scan SecureHacK (Mar 28)
- Re: Changing Source Port For Nmap Idle Scan Joachim Schipper (Mar 29)
- RE: Changing Source Port For Nmap Idle Scan Omar Herrera (Mar 29)