The Nmap idle scan allows attackers to conceal their identity while scanning networks for open ports and services. This advanced technique relies on IP ID sequence prediction and packet spoofing to remain anonymous.
In this comprehensive tutorial, we’ll unpack the technical inner workings, implementation considerations, defensive strategies, and responsible disclosure practices around idle scanning.
How the Idle "Zombie" Scan Works
The key principle that enables the idle scan is IP ID sequence generation predictability among potential “zombie” hosts.
Here is a walkthrough of the four steps:
1. Identify a Predictable Zombie Host
The attacker sends a TCP SYN/ACK packet to the zombie host. The zombie will reply with a TCP RST packet containing its current IP ID sequence value.
If the IP ID consistently increments for each packet sent, the zombie can be used for spoofing.
2. Spoof Scans as the Zombie
The attacker crafts a TCP SYN packet pretending to come from the zombie and sends it to a target host/port.
The source IP is forged to match the zombie, concealing the attacker’s real address.
3. Monitor the Zombie’s IP ID
By checking the zombie’s updated RST packet IP ID after sending the spoofed SYN, an open or closed port on the target can be deduced based on how the target responds.
If open, the port will reply with a SYN/ACK causing the zombie to issue an RST and increment its IP ID. If closed, only the zombie‘s IP ID increases.
4. Repeat for Other Targets & Ports
By repeating this technique, an attacker can stealthily map out access to live hosts and services on a network.
Let‘s look at the packet flow for an open port:
And for a closed port:
As long as the zombie host produces predictable IP ID sequences, attackers can remain anonymous while scanning.
Now let‘s dive into finding suitable zombies.
Discovering Network Zombies
The hardest part is pinpointing hosts that sequentially increment IP ID fields predictably.
Here are some places to look:
- Windows 98/2000 – These legacy versions incremented IP ID sequentially per the RFC 791 standard.
- Embedded Systems – Old IP cameras, print servers, etc. may not randomize.
- Faulty Network Stacks – Poor TCP implementation can lead to predictable sequences.
The Nmap ipidseq script probes hosts to detect incrementing IP ID patterns:
nmap --script ipidseq -p80 -iR 1000It scans 1000 random hosts on port 80 checking for zombie potential based on response patterns.
Sample output showing vulnerable zombie candidates:
Host: 192.168.1.105
PORT STATE SERVICE
80/tcp open|filtered http
Host is likely running a broken IP ID sequence generator
Host: 192.168.1.202
PORT STATE SERVICE
80/tcp closed http
Host is likely running a little-endian incremental IP ID sequence generatorBoth the incrementing and little-endian hosts can serve as zombies.
For wider scans, leverage Shodan to identify more targets:
product:webcam
server: microsoft-iis 6.0
httpd: netwave ip cameraCheck incidents for exposed embedded devices and legacy tech.
You can also craft nmap scripts to automate zombie searching:
-- Script finds predictable Zombies
hostlist = {}
portrule = shortport.http
function findZombie(host) {
probe = sendSYN_ACKPacket(host)
if (isIncremental(probe)) {
print(host + "is a Zombie!")
addToList(hostlist, host)
}
}
function scanNetwork(network) {
for ip in network {
findZombie(ip)
}
}This custom script probes hosts and adds zombies to a target list for idle scanning.
Launching Stealthy Idle Scans
Use the -sI <zombie host> option to leverage a zombie in Nmap:
nmap -Pn -sI zombie1 192.168.1.0/24This scans the 192.168.1.0 network through zombie1 anonymously.
Target specific ports with -p:
nmap -Pn -sI zombie1 -p22,80 192.168.1.105Use -p- for a more comprehensive scan:
nmap -Pn -sI zombie1 -p- 192.168.1.0/24Brute force even more ports:
nmap -Pn -sI zombie1 -p0-65535 192.168.1.105Increase the speed with faster timing templates:
nmap -Pn -sI zombie1 -T4 targetAttempt evasion by fragmenting packets:
nmap -Pn -sI zombie1 -f target Zombies can even be coordinated for distributed scanning:
nmap -Pn -sI <z1,z2,z3> targetReview verbose outputs to tie open ports back to IP ID sequence increments.
These examples demonstrate the broad scanning capabilities available while masking the attacker‘s system behind zombies.
Enhancing Security Defenses
There are several ways to reduce idle scan exposure:
Network IPS – Signature detection spots idle scans by analyzing packet trends.
Randomize Sequence Numbers – Non-predictable IP ID generation impedes zombies. Modern OSes do this.
VLAN Segmentation – Isolate trusted assets from general networks.
ACLs – Restrict and validate source IPs to prevent spoofing.
Patching – Upgrade outdated software running vulnerable network stacks. Prioritize embedded devices.
Honeypots – Deception technology spots reconnaissance like idle scans and alerts response teams. Useful data collection.
Firmware Updates – Vendors like Cisco release firmware addressing vulnerable IP ID practices. Apply updates.
Here is a sample Snort IPS rule detecting possible idle scans:
alert tcp any any -> any any (msg: "possible nmap idle scan"; \
flow: stateless; reference: cve,20091234; \
threshold: type limit, track by_src, count 1, seconds 60; \
ip_id: incrementing; classtype:attempted-recon;)Layering these defensive controls significantly lowers the attack surface for idle scans.
Responsible Disclosure
Ensure proper permission before attempting idle scans. They are detectable despite being anonymous.
If engaging in legitimate penetration tests or vulnerability research, be transparent:
- Disclose attack windows prior to testing
- Document tools & techniques thoroughly
- Detail source and zombie IP addresses
- Estimate traffic levels
- Report impacts neutrally
Unethical idle scanning can have serious legal consequences. Always respect system owner explicit permissions to avoid trouble.
Conclusion
This comprehensive idle scan guide equipped developers with knowledge around exploiting predictable IP ID zombies to conceal attack origins. We covered the technical foundations, zombie host discovery techniques, Nmap scan execution, defensive postures, and responsible disclosure best practices around idle scanning.
Now that you understand this advanced reconnaissance method and how to combat it, apply that knowledge to secure networks and applications.
Any requests for topic expansions around stealthy scanning? Let me know in the comments!
