
Idle Machines and Spoofed Scans

20 years 2 months ago #5332 by dchri
or Idle Host Scanning.

What this means exactly is that someone is using one machine's IP address (the Idle machine) to scan the target computer for open services.

This is needed because, while he is spoofing his address as the Idle machine's address and sending SYN packets to his target, he will also be sending SYN packets to the Idle machine to monitor its IP ID numbers. It is through the monitoring of said numbers that he will know whether the target machine has open services or not.

When a machine is idle and you send SYN packets to it, the IP ID numbers will normally go up in a predictable sequence. If the sequence varies, it is because the host is now active (not idle).

By this I mean that the target machine will send the Idle computer a SYN/ACK. The Idle machine will respond with an ACK packet. This communication between the two will cause the IP ID numbers to change from their predictable sequence, thus indicating to the attacker/scanner that the spoofed (Idle) machine has found an open port. All this is done without exposing himself to the target machine.

If you have a machine which is running no services and is firewalled, this will not work. If you have services running but not used a lot, then this may or may not work.

Don't be an Idle machine for use by the Black Hats.

"The distance between genius and insanity is measured only by success." --
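The IP ID side channel described in the post above, worked through as a simulation. This is an added example and not code from the original post or from nmap; the addresses (10.0.0.13 attacker, 10.0.0.20 zombie, 10.0.0.50 target), the port list and the starting IP ID counter are all made up for the example, and no real packets are sent. The scanner takes the zombie's IP ID before and after sending a spoofed SYN to the target; an open port makes the target send the zombie a SYN/ACK, the zombie answers that with a RST and so burns one extra IP ID, which shows up as a delta of 2 instead of 1. The example also covers the two failure modes a practitioner checks for: a zombie that is not actually idle (deltas become noise, reported as "unknown") and a zombie whose stack keeps one IP ID counter per peer, which looks perfectly incremental from the scanner's side yet makes every port appear closed|filtered.

```python
"""Simulated TCP idle scan via the IP ID side channel (added illustration).

Constructed lab, no real traffic: an attacker, a 'zombie' whose kernel hands
out IP IDs from one global incrementing counter, and a target.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

ATTACKER = "10.0.0.13"   # assumed address; packets sent here are what our sniffer sees


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    flags: str      # "S" (SYN), "SA" (SYN/ACK) or "R" (RST)
    ip_id: int = 0


@dataclass
class Host:
    ip: str
    open_ports: Set[int] = field(default_factory=set)
    filtered_ports: Set[int] = field(default_factory=set)
    busy_packets: int = 0         # extra packets emitted per reply: a zombie that is not idle
    per_dest_ipid: bool = False   # True: one IP ID counter per peer, as modern kernels do
    _ctr: Dict[str, int] = field(default_factory=dict)

    def _new_id(self, dst: str) -> int:
        key = dst if self.per_dest_ipid else "*"
        cur = self._ctr.get(key, 1000)
        # a busy host burns extra IDs on unrelated traffic between the scanner's probes
        self._ctr[key] = cur + 1 + self.busy_packets
        return cur

    def receive(self, pkt: Packet, net: "Network") -> None:
        if pkt.flags == "S":
            if pkt.dport in self.filtered_ports:
                return                       # firewalled port: dropped, no reply at all
            flags = "SA" if pkt.dport in self.open_ports else "R"
            net.send(Packet(self.ip, pkt.src, 0, flags, self._new_id(pkt.src)))
        elif pkt.flags == "SA":
            # unsolicited SYN/ACK: the stack answers RST (RFC 793); the RST consumes an IP ID
            net.send(Packet(self.ip, pkt.src, 0, "R", self._new_id(pkt.src)))
        # an unsolicited RST is silently discarded, so no IP ID is consumed


class Network:
    def __init__(self, hosts: List[Host]) -> None:
        self.hosts = {h.ip: h for h in hosts}
        self.captured: List[Packet] = []    # packets addressed to the attacker

    def send(self, pkt: Packet) -> None:
        if pkt.dst == ATTACKER:
            self.captured.append(pkt)
        elif pkt.dst in self.hosts:
            self.hosts[pkt.dst].receive(pkt, self)


def probe_zombie_ipid(net: Network, zombie: str) -> int:
    """SYN/ACK from our real address to the zombie; its RST carries its current IP ID."""
    net.captured.clear()
    net.send(Packet(ATTACKER, zombie, 80, "SA"))
    return net.captured[-1].ip_id


def zombie_is_usable(net: Network, zombie: str, samples: int = 4) -> bool:
    """Check before scanning: consecutive probes must show IP IDs rising by exactly 1."""
    ids = [probe_zombie_ipid(net, zombie) for _ in range(samples)]
    return all(b - a == 1 for a, b in zip(ids, ids[1:]))


def idle_scan_port(net: Network, zombie: str, target: str, port: int) -> str:
    before = probe_zombie_ipid(net, zombie)
    # Spoofed SYN: the source address is the zombie, so the target answers the zombie, not us.
    net.send(Packet(zombie, target, port, "S"))
    delta = probe_zombie_ipid(net, zombie) - before
    if delta == 2:       # target sent SYN/ACK, zombie replied RST and burned one extra ID
        return "open"
    if delta == 1:       # target sent RST (ignored by the zombie) or nothing: indistinguishable
        return "closed|filtered"
    return "unknown"     # zombie was not idle, or packets were lost


def idle_scan(net: Network, zombie: str, target: str, ports: List[int]) -> Dict[int, str]:
    return {p: idle_scan_port(net, zombie, target, p) for p in ports}


def build_lab(busy_packets: int = 0, per_dest_ipid: bool = False) -> Network:
    """Constructed lab: zombie 10.0.0.20, target 10.0.0.50 with 22/80 open, 443 firewalled."""
    zombie = Host("10.0.0.20", busy_packets=busy_packets, per_dest_ipid=per_dest_ipid)
    target = Host("10.0.0.50", open_ports={22, 80}, filtered_ports={443})
    return Network([zombie, target])


if __name__ == "__main__":
    net = build_lab()
    print("zombie usable:", zombie_is_usable(net, "10.0.0.20"))
    print(idle_scan(net, "10.0.0.20", "10.0.0.50", [22, 25, 80, 443]))
```

In real use the same exchange is what nmap's idle scan (`nmap -Pn -sI <zombie> <target>`) performs against a live zombie, and it runs the same kind of incrementality check before trusting the results. The `per_dest_ipid=True` case is the defence side of the post: a stack that keeps separate IP ID counters per peer (or randomizes them) passes the zombie's self-check but leaks nothing about third-party traffic, so the host is no longer usable as someone else's Idle machine.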
20 years 2 months ago #5338 by sahirh
A very valid post... however, these days bouncing a scan is not that critical, since most admins ignore scans altogether...

nmap's idle scan feature is absolute genius... I bow to Fyodor!

Cheers,

Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com