Using a JetDirect box as an Nmap Idlescan Zombie

        While I'm on the topic of Nmap and JetDirect boxes, they make great bouncers for stealth Idle scans (also know as Zombie scans) since their IPIDs are incremental. Basically what happen is the Nmap scan is bounced off of the JetDirect box and any logs on the target will show the IP of the JetDirect box as being the attacker. There are a few problems with these kinds of scans, the biggest being that they are VERY slow. For more details on  Idle scans  see the following URL:

http://www.insecure.org/nmap/idlescan.html

and the Nmap MAN page:

-sI Idlescan: This advanced scan method allows for a truly blind TCP port scan of the target (meaning no packets are sent to the target from your real IP address). Instead, a unique side-channel attack exploits predictable "IP frag- mentation ID" sequence generation on the zombie host to glean information about the open ports on the target. IDS systems will display the scan as coming from the zombie machine you specify (which must be up and meet certain criteria). I wrote an informal paper about this technique at http://www.inse- cure.org/nmap/idlescan.html . Besides being extraordinarily stealthy (due to its blind nature), this scan type permits mapping out IP-based trust relationships between machines. The port listing shows open ports from the perspective of the zombie host. So you can try scanning a target using various zombies that you think might be trusted (via router/packet filter rules). Obviously this is crucial information when prioritizing attack targets. Otherwise, you penetration testers might have to expend considerable resources "owning" an intermediate system, only to find out that its IP isn't even trusted by the target host/network you are ultimately after. You can add a colon followed by a port number if you wish to probe a particular port on the zombie host for IPID changes. Otherwise Nmap will use the port it uses by default for "tcp pings".

        Here is an example of Nmap being run using a JetDirect box as a bouncer. I've used the -P0 option so that the host running Nmap does not ping the target first, lessening the stealth value by giving away the scanners true IP.

Irongeek:~# nmap -P0 -sI 192.168.1.93 Irongeek.irongeek.com Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-09-08 17:22 EDT Idlescan using zombie 192.168.1.93 (192.168.1.93:80); Class: Incremental Interesting ports on 192.168.1.5: (The 1654 ports scanned but not shown below are in state: closed|filtered) PORT STATE SERVICE 22/tcp open ssh 25/tcp open smtp 80/tcp open http 110/tcp open pop3 111/tcp open rpcbind 139/tcp open netbios-ssn 443/tcp open https 445/tcp open microsoft-ds 587/tcp open submission Nmap finished: 1 IP address (1 host up) scanned in 35.262 seconds Irongeek:~#

        Now, if 192.168.1.5 looks at its logs it will appear that 192.168.1.93 (the JetDirect box) was doing the scan. Sneaky!