Bienvenido! - Willkommen! - Welcome!

Bitácora Técnica de Tux&Cía., Santa Cruz de la Sierra, BO
Bitácora Central: Tux&Cía.
Bitácora de Información Avanzada: Tux&Cía.-Información
May the source be with you!

Tuesday, May 31, 2011

Using a JetDirect box as an Nmap Idlescan Zombie
        While I'm on the topic of Nmap and JetDirect boxes, they make great bouncers for stealth Idle scans (also know as Zombie scans) since their IPIDs are incremental. Basically what happen is the Nmap scan is bounced off of the JetDirect box and any logs on the target will show the IP of the JetDirect box as being the attacker. There are a few problems with these kinds of scans, the biggest being that they are VERY slow. For more details on  Idle scans  see the following URL:
and the Nmap MAN page:
Idlescan: This advanced scan method allows for a truly blind TCP port scan of
the target (meaning no packets are sent to the target from your real IP
address). Instead, a unique side-channel attack exploits predictable "IP frag-
mentation ID" sequence generation on the zombie host to glean information about
the open ports on the target. IDS systems will display the scan as coming from
the zombie machine you specify (which must be up and meet certain criteria). I
wrote an informal paper about this technique at http://www.inse- .

Besides being extraordinarily stealthy (due to its blind nature), this scan
type permits mapping out IP-based trust relationships between machines. The
port listing shows open ports from the perspective of the zombie host. So you
can try scanning a target using various zombies that you think might be trusted
(via router/packet filter rules). Obviously this is crucial information when
prioritizing attack targets. Otherwise, you penetration testers might have to
expend considerable resources "owning" an intermediate system, only to find out
that its IP isn't even trusted by the target host/network you are ultimately

You can add a colon followed by a port number if you wish to probe a particular
port on the zombie host for IPID changes. Otherwise Nmap will use the port it
uses by default for "tcp pings".
        Here is an example of Nmap being run using a JetDirect box as a bouncer. I've used the -P0 option so that the host running Nmap does not ping the target first, lessening the stealth value by giving away the scanners true IP.
Irongeek:~# nmap -P0 -sI

Starting nmap 3.81 ( ) at 2005-09-08 17:22 EDT
Idlescan using zombie (; Class: Incremental
Interesting ports on
(The 1654 ports scanned but not shown below are in state: closed|filtered)
22/tcp open ssh
25/tcp open smtp
80/tcp open http
110/tcp open pop3
111/tcp open rpcbind
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
587/tcp open submission

Nmap finished: 1 IP address (1 host up) scanned in 35.262 seconds


        Now, if looks at its logs it will appear that (the JetDirect box) was doing the scan. Sneaky!

No comments: