Tuesday, 16 February 2016

Anonymous scanning

We discussed a variety of scan types, including both TCP and UDP scans. We also covered some of the scans that can be used for anonymous scanning; in other words, your host IP is not revealed to the destination while you are performing the port scan. These scans are very useful if you wish to remain anonymous while scanning your target. Both of the scan techniques discussed in this chapter rely on using another host/server to perform the scan for you.

IDLE SCAN

The IDLE scan is a very effective and stealthy scanning technique. The idea behind the IDLE scan is to use a zombie host to scan another host. The technique is stealthy because the victim host receives packets from the zombie, not from the attacker's host, so the victim cannot work out where the scan actually originated.
However, there are some prerequisites for launching an idle scan, which are as follows:
1. Find a good candidate whose IP ID sequence is incremental, and record its IP ID.
2. The host should be idle on the network.

SCANNING FOR A VULNERABLE HOST

Let's now talk about scanning for a vulnerable host to use as the zombie. We can use a tool called hping2 to work out whether a host is a good candidate for an IDLE scan. hping2 is mainly used for firewall testing; the creator of this tool is also the person who introduced the concept of IDLE scanning.
Command:
From your console, just type
hping2 -S -r <Target IP>
-S: send a SYN flag
-r: show the relative ID, i.e. the difference between consecutive IP ID values
As the output shows, the id is incremented by 1 with each reply; this tells us that the host is a potential candidate for becoming our zombie and can be used to perform an IDLE scan.
Alternatively, we can use the Metasploit auxiliary module to find a good candidate for a zombie. To use the auxiliary module, we first need to start the Metasploit Framework.
From the shell, type "msfconsole" to fire up Metasploit. Once Metasploit has started, issue the following command to load the auxiliary module:
msf> use auxiliary/scanner/ip/ipidseq
Next, set the RHOSTS value; you can specify either a single target or a range. Here is an example:
For a single host
set RHOSTS <Target IP>
For a range
set RHOSTS 192.168.15.1-192.168.15.255
Finally, issue the run command to finish the process. Here is a screenshot of how this would look:
[Screenshot: A2.png]
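The classification that hping2's relative-id output and the ipidseq module let you read off by eye can be written down as a small check. The following is an added example (not code from hping2, Metasploit or Nmap) that labels a sequence of IP ID values collected from repeated probe replies; the category names follow what ipidseq reports, but the step thresholds are simplified assumptions, and the sample sequences are constructed, not real captures.

```python
# Classify an observed IP ID sequence into the categories the ipidseq module
# reports. Added example with simplified thresholds (assumption); the real
# tools use more elaborate heuristics.

def ipid_deltas(ipids):
    """Differences between consecutive IP IDs, wrapped to the 16-bit field."""
    return [(b - a) & 0xFFFF for a, b in zip(ipids, ipids[1:])]


def classify_ipid_sequence(ipids):
    """Label a sequence of IP IDs seen in replies to repeated probes.

    "all zeros"   every reply carried IP ID 0, nothing can be inferred
    "constant"    the ID never changes
    "incremental" exactly +1 per reply (the sequence an idle scan relies on)
    "broken little-endian incremental"  +256 per reply (byte-swapped counter)
    "random positive increments"  small, uneven positive steps (host is busy,
                                  or shares its counter with other traffic)
    "random"      anything else
    """
    if len(ipids) < 3:
        return "unknown"
    if all(i == 0 for i in ipids):
        return "all zeros"
    deltas = ipid_deltas(ipids)
    if all(d == 0 for d in deltas):
        return "constant"
    if all(d == 1 for d in deltas):
        return "incremental"
    if all(d == 256 for d in deltas):
        return "broken little-endian incremental"
    if all(0 < d <= 5000 for d in deltas):   # 5000 is an assumed cut-off
        return "random positive increments"
    return "random"


def is_predictable(ipids):
    """True when the host leaks a global, predictable IP ID counter. A host
    that answers this way should have IP ID randomisation enabled."""
    return classify_ipid_sequence(ipids) in (
        "incremental", "broken little-endian incremental")


# Constructed samples: the "id=" values from six replies, as hping2 -r would
# display them (not real captures).
QUIET_HOST = [40211, 40212, 40213, 40214, 40215, 40216]  # incremental
BUSY_HOST = [40211, 40230, 40277, 40279, 40331, 40402]   # random positive incr.
WRAPPING = [65534, 65535, 0, 1, 2]                       # still incremental
RANDOMIZED = [12931, 7, 51020, 33871, 9, 60000]          # random
```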

PERFORMING AN IDLE SCAN WITH NMAP

Now that we have identified a good candidate for our zombie, let's try performing an IDLE scan with nmap. The idle scan is performed simply by specifying the -sI parameter to nmap, followed by the IP of our zombie host and then the target we want to scan.
Command:
nmap -sI <IP Address Of Zombie> <IP Address Of The Target>
[Screenshot: A3.png]
One more thing worth mentioning here: while performing an IDLE scan, you should also use the -Pn option. This stops nmap from sending its initial host-discovery (ping) probes from your real IP to the target host. Here is another example from the Nmap book, which shows an idle scan being performed against riaa.com using a host that belongs to adobe.com as the zombie.
[Screenshot: A4.png]
