- Posts: 10
- Thank you received: 0
Idle Machines and Spoofed Scan's
20 years 2 months ago #5332
by dchri
"The distance between genius and insanity is measured only by success." --
Idle Machines and Spoofed Scan's was created by dchri
or Idle Host Scanning.
What this means exactly is that someone is using one machine's ip addy ( the Idle machine ) to scan the target computer for open services.
This is needed because while he is spoofing his address as the Idle's machine address and sending syn packets to his target he will be sending syn packets as well to idle machine to monitor it's IP Id numbers. It is through the monitoring of said numbers that he will know if the target machine has open services or not.
When a machine is idle, and you send syn packets to it, the IP Id numbers will normally go up in a predictable sequence. If the sequence varies it is because the host is now active (no Idle).
By this I mean that the target machine will send to Idle computer a syn/ack. Idle machine will respond with an ack packet. This communication between the two will cause the IP Id numbers
to change from it's predictable sequence. Thus indicating to attacker/scanner that the spoofed (Idle) machine has found an open port. All this is done without exposing himself to the target machine.
If you have a machine which is running no services, and is firewalled this will not work. If you have services running but not used a lot then this may or may not work.
Don't be a Idle machine for use by the Black Hat's.
What this means exactly is that someone is using one machine's ip addy ( the Idle machine ) to scan the target computer for open services.
This is needed because while he is spoofing his address as the Idle's machine address and sending syn packets to his target he will be sending syn packets as well to idle machine to monitor it's IP Id numbers. It is through the monitoring of said numbers that he will know if the target machine has open services or not.
When a machine is idle, and you send syn packets to it, the IP Id numbers will normally go up in a predictable sequence. If the sequence varies it is because the host is now active (no Idle).
By this I mean that the target machine will send to Idle computer a syn/ack. Idle machine will respond with an ack packet. This communication between the two will cause the IP Id numbers
to change from it's predictable sequence. Thus indicating to attacker/scanner that the spoofed (Idle) machine has found an open port. All this is done without exposing himself to the target machine.
If you have a machine which is running no services, and is firewalled this will not work. If you have services running but not used a lot then this may or may not work.
Don't be a Idle machine for use by the Black Hat's.
"The distance between genius and insanity is measured only by success." --
20 years 2 months ago #5338
by sahirh
Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
Replied by sahirh on topic Re: Idle Machines and Spoofed Scan's
A very valid post.. however these days bouncing a scan is not that critical since most admins ignore scans altogether...
nmaps idle scan feature is absolute genius.. I bow to Fyodor !
Cheers,
nmaps idle scan feature is absolute genius.. I bow to Fyodor !
Cheers,
Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
Time to create page: 0.124 seconds