Nmap Development mailing list archives

Zombie Test Flag


From: James Stephenson <tor () shentel net>
Date: Thu, 26 Jun 2008 23:26:36 -0400 (EDT)

I had an idea for a useful feature. Please excuse if such a feature 
already exists but I didn't see it. In short, I think it would be useful 
for there to be a flag specifically to check if a system is a likely 
candidate to be useful as a zombie system. I was reading the Idle Scan 
documentation on the site, and I already know that nmap checks to see if a 
system uses sequential IP ID numbering. But it also says that this doesn't 
necessarily mean a system will work as a zombie, because some operating 
systems use a separate IP ID sequence for each host they are communicating with. 
In short, my idea is that when the flag is specified nmap will poll the 
target system for its IP ID, then it would poll the target again, but this 
time with a spoofed source IP address, and finally it would poll the 
target a final time with your real IP address again. If the target system 
would work as a zombie, the IP ID should have increased by 2; if it is 
a system like Solaris, then the IP ID should only increase by one. The flag 
would also be useful if one simply wished to scan a subnet for zombie 
hosts and wanted to limit nmap's output to just the IP addresses of likely 
hosts.

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
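The classification logic described in the post, written out as an added example (this is not nmap's code, and it sends no packets). It assumes the IP ID values have already been collected, for instance from a packet capture of replies from a host you administer, and it generalizes the three-probe rule slightly: it handles the 16-bit wraparound of the IP ID field, and it adds a passive check over a longer run of samples so an operator can spot hosts on their own network that still expose a predictable IP ID counter (the mitigation being randomized or zeroed IP IDs, as modern stacks do by default). The function names and thresholds are this example's own assumptions.

```python
"""
Classify a host's IP ID behaviour from sampled IP ID values.

Added illustration, not nmap's own code. The caller supplies IP ID samples
(integers read from IPv4 headers of replies from the host under review);
nothing here transmits anything.
"""
from enum import Enum

IPID_MODULUS = 1 << 16  # the IP ID field is 16 bits, so counters wrap at 65536


class IpIdClass(Enum):
    GLOBAL_INCREMENTAL = "global incremental counter (would work as an idle-scan zombie)"
    PER_HOST_INCREMENTAL = "per-host incremental counter (would not work as a zombie)"
    INCREMENTAL = "incremental (global vs. per-host not distinguishable from one vantage point)"
    CONSTANT = "constant (e.g. always zero)"
    RANDOM = "random / unpredictable"
    INSUFFICIENT = "insufficient samples"


def ipid_delta(first: int, second: int) -> int:
    """Forward distance from first to second in the 16-bit IP ID space (wrap-safe)."""
    return (second - first) % IPID_MODULUS


def classify_three_probe(ipid_before: int, ipid_after: int) -> IpIdClass:
    """
    The three-probe rule from the post: sample the host's IP ID, let exactly one
    reply to a *different* address happen in between, then sample again.
    A host with one global counter has advanced by 2 (the reply to the other
    address plus the reply to us); a host with a per-destination counter
    (the Solaris case mentioned in the post) has advanced by only 1.
    """
    delta = ipid_delta(ipid_before, ipid_after)
    if delta == 2:
        return IpIdClass.GLOBAL_INCREMENTAL
    if delta == 1:
        return IpIdClass.PER_HOST_INCREMENTAL
    if delta == 0:
        return IpIdClass.CONSTANT
    # Any other jump means the counter is not a simple increment at all.
    return IpIdClass.RANDOM


def classify_sequence(samples: list[int], max_step: int = 10) -> IpIdClass:
    """
    Passive check over a run of consecutive IP IDs observed from one host
    (e.g. pulled from a capture). Small positive steps mean a predictable
    counter worth fixing; zeros mean the host already suppresses the field.
    max_step is an assumed tolerance for other traffic the host sent between
    the samples we happened to see.
    """
    if len(samples) < 2:
        return IpIdClass.INSUFFICIENT
    deltas = [ipid_delta(a, b) for a, b in zip(samples, samples[1:])]
    if all(d == 0 for d in deltas):
        return IpIdClass.CONSTANT
    if all(0 < d <= max_step for d in deltas):
        return IpIdClass.INCREMENTAL
    return IpIdClass.RANDOM


def likely_zombie_hosts(results: dict[str, tuple[int, int]]) -> list[str]:
    """
    The "just print the likely addresses" output the post asks for: given
    {host: (ipid_before, ipid_after)} from the three-probe check, return only
    the hosts whose counter is globally incremental.
    """
    return sorted(
        host for host, (before, after) in results.items()
        if classify_three_probe(before, after) is IpIdClass.GLOBAL_INCREMENTAL
    )


if __name__ == "__main__":
    # Constructed sample data, not real measurements.
    probe_results = {
        "192.0.2.10": (40010, 40012),   # global counter: +2
        "192.0.2.11": (65535, 1),       # global counter wrapping past 65535
        "192.0.2.12": (5000, 5001),     # per-host counter: +1
        "192.0.2.13": (0, 0),           # IP ID always zero
        "192.0.2.14": (1234, 40000),    # randomized IP ID
    }
    for host, (b, a) in probe_results.items():
        print(f"{host}: {classify_three_probe(b, a).value}")
    print("likely zombies:", likely_zombie_hosts(probe_results))
    print("capture run:", classify_sequence([3010, 3011, 3012, 3014]).value)
```

A host that lands in GLOBAL_INCREMENTAL or INCREMENTAL is the one to remediate; the fix on the host side is a stack that randomizes the IP ID (or sets it to zero on unfragmented packets), after which the same samples classify as RANDOM or CONSTANT.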