Nmap Development mailing list archives
Zombie Test Flag
From: James Stephenson <tor () shentel net>
Date: Thu, 26 Jun 2008 23:26:36 -0400 (EDT)
I had an idea for a useful feature. Please excuse me if such a feature already exists but I didn't see it. In short, I think it would be useful for there to be a flag specifically to check if a system is a likely candidate to be useful as a zombie system.

I was reading the Idle Scan documentation on the site, and I already know that nmap checks to see if a system uses sequential IP ID numbering. But it also says that this doesn't necessarily mean a system will work as a zombie, because some operating systems use a separate IP ID sequence for each host they are communicating with.

In short, my idea is that when the flag is specified nmap will poll the target system for its IP ID, then it would poll the target again, but this time with a spoofed source IP address, and finally it would poll the target a final time with your real IP address again. If the target system would work as a zombie then the IP ID should have increased by 2; if it is a system like Solaris, then the IP ID should only increase by one.

The flag would also be useful if one simply wished to scan a subnet for zombie hosts and wanted to limit nmap's output to just the IP addresses of likely hosts.
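An offline simulation of the three-probe check proposed above (an added example, not Nmap code and not the poster's): it models a host with one global IP ID counter, a host with a per-peer counter like the Solaris behaviour mentioned, and a host with unpredictable IDs, then applies the "+2 means zombie candidate, +1 means per-peer sequence" rule. The host models, the IP addresses, the background-traffic knob and the small LCG standing in for a randomized generator are all constructed; nothing is sent on the wire.

```python
# Constructed simulation of the poster's zombie test. No packets are sent;
# each "probe" just asks a modelled host which IP ID its reply would carry.

class SimulatedHost:
    """Answers probes with an IP ID drawn from one assignment strategy."""

    def __init__(self, strategy):
        self.strategy = strategy      # "global", "per_peer" or "random"
        self.counter = 1000           # single global counter (zombie-friendly)
        self.per_peer = {}            # one counter per peer (Solaris-style)

    def reply(self, src_ip):
        """Return the IP ID of the reply this host would send to src_ip."""
        if self.strategy == "global":
            self.counter = (self.counter + 1) & 0xFFFF
            return self.counter
        if self.strategy == "per_peer":
            nxt = (self.per_peer.get(src_ip, 1000) + 1) & 0xFFFF
            self.per_peer[src_ip] = nxt
            return nxt
        # Constructed stand-in for randomized IP IDs: a 16-bit LCG, chosen only
        # so the run is deterministic. Not a real OS generator.
        self.counter = (self.counter * 0x5851 + 0x1337) & 0xFFFF
        return self.counter


def zombie_test(host, our_ip="192.0.2.10", spoofed_ip="192.0.2.99",
                other_traffic=0):
    """The proposed check: probe as ourselves, probe with a spoofed source
    (that reply goes elsewhere, we never see it), then probe as ourselves
    again and look at how far the IP ID moved."""
    first = host.reply(our_ip)
    host.reply(spoofed_ip)                 # reply goes to spoofed_ip, unseen
    for i in range(other_traffic):         # constructed: unrelated peers
        host.reply(f"198.51.100.{i + 1}")  # talking to the host meanwhile
    last = host.reply(our_ip)
    delta = (last - first) & 0xFFFF        # handle 16-bit wraparound
    if delta == 2:
        return "likely-zombie"     # one global counter, bumped by both probes
    if delta == 1:
        return "per-peer-counter"  # spoofed probe never touched our sequence
    return "unpredictable"         # random IDs, or a busy host: unusable
```

The `other_traffic` case shows the caveat a practitioner would want: a host with a global counter that is also talking to other peers between probes no longer lands on exactly +2, so a single three-probe sample can miss (or, for a quiet host, only weakly confirm) a candidate.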