Nmap Development mailing list archives
Re: Patch: Setting the flags for Idlescan
From: Kurt Grutzmacher <grutz () jingojango net>
Date: Thu, 16 Mar 2006 17:57:24 -0800
On Mar 16, 2006, at 5:09 PM, Fyodor wrote:
> On Thu, Mar 16, 2006 at 04:55:53PM -0800, Kurt Grutzmacher wrote:
>> ACK:
>> SENT (0.1810s) TCP xx.yy.zz.ME:45762 > xx.yy.zz.ZOMBIE:55 A ttl=58 id=4557 iplen=44 seq=395955956 win=3072 ack=3026693419
>> RCVD (0.1810s) TCP xx.yy.zz.ZOMBIE:55 > xx.yy.zz.ME:45762 R ttl=64 id=54084 iplen=40 seq=3026693419 win=0
>> Idlescan using zombie xx.yy.zz.ZOMBIE (xx.yy.zz.ZOMBIE:55); Class: Incremental
>>
>> Certainly a unique situation but still possible.
>
> But does the scan actually end up producing valid results? Remember that
> the target will be sending back SYN/ACK packets to the zombie, which may
> be dropped in the same way the SYN/ACKs you send to the zombie are.
Yep:

RCVD (0.8450s) TCP xx.yy.zz.ZOMBIE:55 > xx.yy.zz.ME:45797 R ttl=64 id=54095 iplen=40 seq=1114094116 win=0
Interesting ports on xx.yy.zz.LOCALVICTIM:
PORT   STATE SERVICE
22/tcp open  ssh
MAC Address: 00:DE:AD:BE:EF:00 (Foomagic)

Nmap finished: 1 IP address (1 host up) scanned in 1.158 seconds

But only when on the local subnet:

# nmap -P0 -sI ZOMBIE:22 download.insecure.org -p 80 -n --idleflags 16

Starting Nmap 4.02Alpha2 ( http://www.insecure.org/nmap/ ) at 2006-03-16 17:51 PST
Idlescan using flags 16
Idlescan using zombie ZOMBIE (ZOMBIE:22); Class: Incremental
Interesting ports on 205.217.153.53:
PORT   STATE SERVICE
80/tcp open  http

Nmap finished: 1 IP address (1 host up) scanned in 1.230 seconds

# nmap -P0 -sI ZOMBIE:55 download.insecure.org -p 80 -n --idleflags 16

Starting Nmap 4.02Alpha2 ( http://www.insecure.org/nmap/ ) at 2006-03-16 17:55 PST
Idlescan using flags 16
Idlescan using zombie ZOMBIE (ZOMBIE:55); Class: Incremental
Interesting ports on 205.217.153.53:
PORT   STATE           SERVICE
80/tcp closed|filtered http

Nmap finished: 1 IP address (1 host up) scanned in 1.491 seconds

This is such sorcery!

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
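Added example, not part of this thread or of Nmap's own code: a small Python parser for the --packet-trace lines quoted above that pulls the zombie's IP IDs out of the RCVD lines, turns a numeric --idleflags value (16) back into Nmap's letter notation, and classifies the ID sequence with a simplified stand-in for Nmap's "Class:" labels. The classification thresholds and the addresses in the sample trace are assumptions and constructed data, not Nmap's algorithm or real captures.

```python
import re

# Matches the Nmap --packet-trace lines quoted in the thread, e.g.
# RCVD (0.1810s) TCP xx.yy.zz.ZOMBIE:55 > xx.yy.zz.ME:45762 R ttl=64 id=54084 ...
TRACE_RE = re.compile(
    r"^(?P<dir>SENT|RCVD) \((?P<t>[\d.]+)s\) TCP (?P<src>\S+) > (?P<dst>\S+) "
    r"(?P<flags>[A-Z]+) ttl=(?P<ttl>\d+) id=(?P<id>\d+)"
)

# TCP flag bit values; the thread's "--idleflags 16" is the ACK bit.
TCP_FLAG_BITS = {"F": 1, "S": 2, "R": 4, "P": 8, "A": 16, "U": 32}

def flags_from_mask(mask):
    """Render a numeric flags value in Nmap's letter notation (16 -> 'A')."""
    return "".join(letter for letter, bit in TCP_FLAG_BITS.items() if mask & bit)

def zombie_ipids(trace_lines, zombie):
    """IP IDs of the packets the zombie sent back, in order of arrival."""
    ids = []
    for line in trace_lines:
        m = TRACE_RE.match(line)
        if m and m["dir"] == "RCVD" and m["src"].rsplit(":", 1)[0] == zombie:
            ids.append(int(m["id"]))
    return ids

def ipid_class(ids, max_step=10):
    """Simplified stand-in for Nmap's IP ID sequence classes; the thresholds
    here are assumptions for illustration, not Nmap's own code."""
    if len(ids) < 2:
        return "Unknown"
    if all(i == 0 for i in ids):
        return "All zeros"
    def steps(seq):  # successive differences modulo the 16-bit ID space
        return [(b - a) % 65536 for a, b in zip(seq, seq[1:])]
    if all(1 <= d <= max_step for d in steps(ids)):
        return "Incremental"
    swapped = [((i & 0xFF) << 8) | (i >> 8) for i in ids]  # byte-swapped host
    if all(1 <= d <= max_step for d in steps(swapped)):
        return "Broken little-endian incremental"
    return "Randomized"

# Constructed sample trace (not captured data): one ACK probe and three RST
# replies from the zombie with slowly climbing IDs, like the thread's output.
SAMPLE_TRACE = [
    "SENT (0.1810s) TCP 10.0.0.1:45762 > 10.0.0.2:55 A ttl=58 id=4557 iplen=44 seq=395955956 win=3072 ack=3026693419",
    "RCVD (0.1810s) TCP 10.0.0.2:55 > 10.0.0.1:45762 R ttl=64 id=54084 iplen=40 seq=3026693419 win=0",
    "RCVD (0.2830s) TCP 10.0.0.2:55 > 10.0.0.1:45763 R ttl=64 id=54085 iplen=40 seq=3026693420 win=0",
    "RCVD (0.3850s) TCP 10.0.0.2:55 > 10.0.0.1:45764 R ttl=64 id=54087 iplen=40 seq=3026693421 win=0",
]
```

Running `ipid_class(zombie_ipids(SAMPLE_TRACE, "10.0.0.2"))` on the constructed trace yields "Incremental", the same class the thread's zombie shows.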