What is Idle Scan?

Published 2017-02-01 (last modified 2021-10-04) at https://www.icterra.com/what-is-idle-scan/
Author: Şeref Selçuk ŞAHİN, System Architect – Cyber Security

Idle scan is a TCP-based port scan in which the attacker scans the victim host with spoofed packets that appear to come from a passive (also called "silent") third host. By "passive" we mean that the incoming and outgoing traffic of that host is very low. (The reason for this will become clear throughout the article.)

Before we go into the deeper details of the Idle Scan, two concepts have to be understood clearly:

1) The IP ID(entification) field
2) The response of a host to some TCP flags

IP ID(entification) Field

IP ID is a 16-bit field in the IPv4 header which is related to IP fragmentation. We won't dig deeper into the IP ID field in this article; you only need to know that the (randomly chosen initial) IP ID value is, on most hosts, incremented by one for each IP packet the host sends, so every incoming packet that the host answers also bumps the counter. (For more information about the IP ID field: https://www.cellstream.com/intranet/reference-reading/tipsandtricks/314-the-purpose-of-the-ip-id-field-demystified.html, https://tools.ietf.org/html/rfc6864)

TCP Flags

How a host responds to a SYN segment depends on the values of the flags in the TCP header. To thoroughly understand the Idle Scan concept you have to know the following TCP responses.

1.) If a host receives a TCP segment where the SYN and ACK flags are set, it responds with the RST flag, since there is no corresponding session that was started with a SYN before this SYN/ACK.

2.) If a host receives a TCP segment on an open port where only the SYN flag is set (which expresses an intent to set up a TCP connection), it responds with the SYN and ACK flags set.

3.) If a host receives a TCP segment on a closed port where only the SYN flag is set, it responds with the RST flag.

4.) If a firewall or a similar access control device blocks access to some ports of a host, those ports are called filtered ports. If a SYN segment is sent to a filtered port of the host, the host gives no response, because the segment never reaches it: the firewall simply drops the packet. (The result is the same for other TCP segments.)

To give a summary:

- SYN/ACK received without a matching session: the host answers with RST
- SYN to an open port: the host answers with SYN/ACK
- SYN to a closed port: the host answers with RST
- SYN to a filtered port: no answer, the firewall drops the segment

After this introduction we can proceed with the explanation of Idle Scan. We will explain Idle Scan for three different scenarios: 1) victim port open, 2) victim port closed and 3) victim port filtered. The results of the Port Closed and Port Filtered scenarios are the same, though.

As mentioned above, for Idle Scan to be executed we need a host whose network traffic is very low (or better, one that has almost no traffic; such idle hosts can be detected in a network with some network scanning tools). Otherwise the scan can produce false positives. Such "idle" computers are generally called "Zombie computers", and we will call them Zombie computers throughout this article. We will use these Zombie computers to detect the status of the ports of other computers. (Seems weird, but don't be afraid.)

After we have determined our Zombie computer in the network, it is time to execute Idle Scan.

Idle Scan (Victim Port Open)

1.) The attacker sends a SYN/ACK segment to the Zombie computer.

2.) The Zombie computer responds with a RST segment, and its IP ID is incremented by "one".

With this step the attacker learns the IP ID value of the Zombie computer, which is 6,162 in this case.

3.)
After the attacker has learnt the IP ID value of the Zombie computer, the attacker sends a SYN segment to the victim computer with the spoofed IP address of the Zombie computer. (The spoofed IP address is 192.168.20.20 in this case.)

4.) Because the port on the victim computer is open, the victim computer responds to the Zombie computer with a SYN/ACK. Notice that the response is not sent to the attacker but to the Zombie computer, because the attacker has spoofed the IP address of the Zombie computer.

Also be aware that during this time period we assume there wasn't any traffic coming into our Zombie computer.

5.) The Zombie computer gets a SYN/ACK segment from the victim computer, responds to it with a RST segment and increases its IP ID by "one" (IP ID = 6,163).

6.) The attacker sends a SYN/ACK segment to the Zombie computer.

7.) The Zombie computer responds with a RST segment to the SYN/ACK segment and increases its IP ID by "one". The IP ID value will be 6,164.

The first IP ID value of the Zombie computer sent to the attacker was 6,162. At the end of this process the attacker gets an IP ID value of 6,164. Because the IP ID has increased by "two", we can conclude that the port of the victim computer is OPEN. As you can see, we can learn the status of the ports of the victim computer via a Zombie computer by sending just a SYN segment to the victim computer. (Kinda magic, huh?)

Let me remind you of this again: if during this time our Zombie computer sent or received any traffic from any other host, the IP ID would be increased by more than "two". So the Idle Scan wouldn't work in that case. That's why it is vital that our chosen Zombie computer is "idle" in the network. That's where its name comes from.

Idle Scan (Victim Port Closed)

As you can see below, the first three phases of the Closed Port Idle Scan are the same as the first three phases of the Open Port Idle Scan.

1.) The attacker sends a SYN/ACK segment to the Zombie computer.

2.) The Zombie computer responds with a RST segment, and its IP ID is incremented by "one".

3.) After the attacker has learned the IP ID value of the Zombie computer, the attacker sends a SYN segment to the victim computer with the spoofed IP address of the Zombie computer. (The spoofed IP address is 192.168.20.20 in this case.)

4.) Because the port on the victim computer is closed, the victim computer responds to the Zombie computer with a RST. Notice here also that the response is not sent to the attacker but to the Zombie computer, because the attacker has spoofed the IP address of the Zombie computer. (A RST is never answered, so the Zombie computer sends nothing and its IP ID is not incremented at this step.)

5.) The attacker sends a SYN/ACK segment to the Zombie computer.

6.) The Zombie computer responds with a RST segment to the SYN/ACK segment and increases its IP ID by "one". The IP ID value will be 6,163.

The first IP ID value of the Zombie computer sent to the attacker was 6,162. At the end of this process the attacker gets the IP ID value of 6,163. Because the IP ID has increased by "one", we CAN'T conclude whether the port of the victim computer is CLOSED or FILTERED.

The Closed Port Idle Scan and the Filtered Port Idle Scan yield the same result, but the background processes are a little different. We will explain the Filtered Port Idle Scan in the next section.

Idle Scan (Victim Port Filtered)

In the Filtered Port Idle Scan we assume that there is a firewall (or some other access control device) in front of the victim computer that drops the spoofed SYN segment to the scanned port, so the victim computer never answers the Zombie computer.

The first three steps are the same:

1.) The attacker sends a packet with the SYN/ACK flags set to the Zombie computer.

2.) The Zombie computer responds with a RST segment, and its IP ID is incremented by "one".

3.) After the attacker has learnt the IP ID value of the Zombie computer, the attacker sends a SYN segment to the victim computer with the spoofed IP address of the Zombie computer. (The spoofed IP address is 192.168.20.20 in this case.)

4.) The attacker sends a SYN/ACK segment to the Zombie computer.

5.) The Zombie computer responds with a RST segment to the SYN/ACK segment and increases its IP ID by "one". The IP ID value will be 6,163.

The first IP ID value of the Zombie computer sent to the attacker was 6,162. At the end of this process the attacker gets the IP ID value of 6,163. Because the IP ID has increased by just "one", we CAN'T conclude whether the port of the victim computer is CLOSED or FILTERED.

Pros and Cons

In Idle Scan, if you have access to a Zombie computer which (we assume) has access to the victim computer, it is not important whether there is a firewall between you and the victim computer. So with this scan the firewall is bypassed.

In Idle Scan the victim computer doesn't see your IP address, because you gather the desired information about the victim computer via and from the Zombie computer. So you are invisible to the victim computer.

With Idle Scan you can only detect the port status. Application version detection or operating system fingerprinting is not possible with Idle Scan.

In Idle Scan the Zombie computer, as the name implies, has to be an "idle" host, which sometimes cannot be found so easily. For example, you could choose an online coffee machine connected to the network as the Zombie computer. But don't worry, the scanning tools find such coffee machines on your behalf.

Network scanning belongs to the reconnaissance phase of hacking and is also called network enumeration. There are many scanning types to gather information about the target hosts. Nmap and Nessus are free tools which are widely used for scanning networks.
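As an added illustration (not code from the article), the following Python model walks through the IP ID arithmetic of the three scenarios above and the two failure modes a defender cares about: a Zombie that is not really idle, and a Zombie with randomized IP IDs, which is the usual mitigation. All class and function names are our own, and nothing is sent on the network.

```python
"""IP ID arithmetic behind Idle Scan, as a plain Python model (added example, not the
article's code; nothing touches the network). The Zombie follows the article's rules:
SYN/ACK -> RST (IP ID +1), RST -> no reply. randomized=True models the mitigation."""
import random
from enum import Enum

class Port(Enum):
    OPEN = "open"
    CLOSED = "closed"
    FILTERED = "filtered"

class Host:
    def __init__(self, ip_id=6161, randomized=False, seed=1):
        self.ip_id = ip_id           # 6161 so the first RST carries 6,162 as in the text
        self.randomized = randomized # per-packet random ID instead of a counter
        self.rng = random.Random(seed)

    def send(self):                  # emit one packet, return the 16-bit IP ID it carried
        if self.randomized:
            return self.rng.randrange(0x10000)
        self.ip_id = (self.ip_id + 1) & 0xFFFF
        return self.ip_id

    def receive(self, flags):        # unsolicited SYN/ACK -> RST; a RST is ignored
        return self.send() if flags == "SYN/ACK" else None

def victim_reply(port_state, zombie):
    """The victim's answer to the spoofed SYN lands on the zombie, not the attacker."""
    if port_state is Port.OPEN:
        zombie.receive("SYN/ACK")    # zombie RSTs it: IP ID +1
    elif port_state is Port.CLOSED:
        zombie.receive("RST")        # no reply: IP ID +0
    # FILTERED: the firewall dropped the SYN, so nothing reaches the zombie

def idle_scan_verdict(zombie, port_state, background_packets=0):
    """What the attacker infers from the two probes; background_packets models a
    zombie that is not really idle while the scan runs."""
    first = zombie.receive("SYN/ACK")       # steps 1-2: learn the IP ID
    victim_reply(port_state, zombie)        # steps 3-5
    for _ in range(background_packets):     # traffic the attacker never sees
        zombie.send()
    last = zombie.receive("SYN/ACK")        # steps 6-7
    delta = (last - first) & 0xFFFF
    return {2: "open", 1: "closed|filtered"}.get(delta, "inconclusive")

def false_open_rate(trials=200):
    """Share of runs in which a random-IP-ID zombie still lets an open port be read."""
    hits = sum(idle_scan_verdict(Host(randomized=True, seed=s), Port.OPEN) == "open"
               for s in range(trials))
    return hits / trials
```

With a counter-based Zombie the verdicts match the article (+2 open, +1 closed or filtered); a few packets of background traffic or a randomized IP ID make the inference unusable, which is why an idle, sequential-ID host is required and why randomized IP IDs are the defence.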
References:
https://en.wikipedia.org/wiki/Idle_scan
https://nmap.org/presentations/CanSecWest03/CD_Content/idlescan_paper/idlescan.html
http://www.linux.org/threads/nmap-scanning-%E2%80%93-idle-scan.8483/