At this point, the attacker contacts the idle host again to determine how much the IP ID has incremented. If it has only incremented by one interval, no other packets were sent out by the idle host between the two checks. This implies that the port on the target machine is closed. If the IP ID has incremented by two intervals, one packet, presumably an RST packet, was sent out by the idle machine between the checks. This implies that the port on the target machine is open.

The steps are illustrated on the next page for both possible outcomes.

Of course, if the idle host isn't truly idle, the results will be skewed. If there is light traffic on the idle host, multiple packets can be sent for each port. If 20 packets are sent, then a change of 20 incremental steps should be an indication of an open port, and none, of a closed port. Even if there is light traffic, such as one or two non-scan-related packets sent by the idle host, this difference is large enough that it can still be detected.

If this technique is used properly on an idle host that doesn't have any logging capabilities, the attacker can scan any target without ever revealing his or her IP address.
After finding a suitable idle host, this type of scanning can be done with nmap using the -sI command-line option followed by the idle host's address:

reader@hacking:~/booksrc $ sudo nmap -sI idlehost.com 192.168.42.7
[Figure: the idle scan exchange between Attacker, Idle host and Target, drawn for both outcomes. In both panels the last ID seen from the idle host is 50.
Port open on target: (1) Attacker sends SYN to Target, spoofed with the idle host as the source address. (2) Target answers SYN/ACK to Idle host, which replies RST (ID = 51). (3) Attacker sends SYN/ACK to Idle host and receives RST (ID = 52).
Port closed on target: (1) Attacker sends SYN to Target, spoofed with the idle host as the source address. (2) Attacker sends SYN/ACK to Idle host and receives RST (ID = 51).]
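The inference above, including the light-traffic caveat and the 20-probe variant, can be modelled without sending a single packet. The following is an added example, not code from the book or from nmap; the hosts, port numbers and IP ID values are constructed for the simulation. It also shows the usual mitigation, an IP ID counter that is randomised per packet (or kept per destination) rather than shared globally: with such a counter the second check carries no information about what the idle host sent in between, so the side channel disappears.

```python
# Added example (not from the book): a packet-free model of the IP ID side
# channel that idle scanning relies on, and of why a randomised IP ID counter
# removes it. Names and numbers below are constructed for the simulation.
import random

IP_ID_MODULUS = 65536  # the IP ID field is 16 bits wide


class IdleHost:
    """Third-party host. Its IP ID counter is either global and sequential
    (the leaky behaviour the text describes) or randomised per packet."""

    def __init__(self, sequential=True, start=50, seed=0):
        self.sequential = sequential
        self.ip_id = start
        self.rng = random.Random(seed)

    def _emit(self):
        """Send one packet and return the IP ID it carries."""
        if self.sequential:
            self.ip_id = (self.ip_id + 1) % IP_ID_MODULUS
        else:
            self.ip_id = self.rng.randrange(IP_ID_MODULUS)
        return self.ip_id

    def receive(self, packet):
        """The TCP rules that matter here: an unsolicited SYN/ACK is answered
        with a RST (a packet goes out); an unsolicited RST is ignored."""
        return self._emit() if packet == "SYN/ACK" else None

    def background_traffic(self, packets):
        """Unrelated packets: this is what makes a host 'not truly idle'."""
        for _ in range(packets):
            self._emit()


class Target:
    def __init__(self, open_ports):
        self.open_ports = set(open_ports)

    def receive_syn(self, port):
        """Reply to a SYN: SYN/ACK if the port is open, RST if it is closed."""
        return "SYN/ACK" if port in self.open_ports else "RST"


def idle_scan_port(idle, target, port, probes=1, background=0):
    """Reproduce the inference from the text and return 'open' or 'closed'.

    `probes` is how many spoofed SYNs are sent per port (the text suggests
    20 when the idle host carries light traffic); `background` is the number
    of unrelated packets the idle host happens to send between the checks.
    """
    before = idle.receive("SYN/ACK")          # check 1: learn the current IP ID
    for _ in range(probes):
        reply = target.receive_syn(port)      # SYN spoofed from the idle host...
        idle.receive(reply)                   # ...so the reply lands on the idle host
    idle.background_traffic(background)
    after = idle.receive("SYN/ACK")           # check 2: read the IP ID again
    # Packets the idle host sent between the two checks, not counting the
    # final probe's own RST.
    sent_between = (after - before - 1) % IP_ID_MODULUS
    return "open" if sent_between > probes / 2 else "closed"


def false_open_rate(trials=50, seed=7):
    """Fraction of *closed* ports reported as open when the idle host uses
    randomised IP IDs: the counter no longer carries any information."""
    target = Target(open_ports=[])
    wrong = 0
    for i in range(trials):
        idle = IdleHost(sequential=False, seed=seed + i)
        if idle_scan_port(idle, target, port=80) == "open":
            wrong += 1
    return wrong / trials


if __name__ == "__main__":
    t = Target(open_ports=[22, 80])
    print(idle_scan_port(IdleHost(), t, 80))                           # open
    print(idle_scan_port(IdleHost(), t, 81))                           # closed
    print(idle_scan_port(IdleHost(), t, 81, probes=1, background=2))   # skewed: open
    print(idle_scan_port(IdleHost(), t, 81, probes=20, background=2))  # closed
    print(false_open_rate())                                           # about 1.0
```

With a sequential counter the single-probe case reproduces the figure exactly (one interval for closed, two for open), two unrelated packets turn a closed port into a false "open", and the 20-probe variant absorbs that noise as the text says. With a randomised counter the difference between the two checks is uniformly random, so almost every closed port is reported as open and the scan tells the attacker nothing; a counter that is not globally sequential is the property a defender wants from any host that could otherwise serve as a zombie.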