From: Pablo Fernández <newsclient () teamq info>
Date: Thu, 19 May 2005 18:46:21 +0200
First of all, I don't know if this is the correct list to post this type
of question; if it isn't, I absolutely apologize and hope you can point me
to the right list.
The thing I want to know is if idle scans are still possible on a normal
basis. I have been trying on my LAN and all I get is:
codeQ:/home/pablo# nmap -sI 192.168.5.10 192.168.5.1 -P0 -vv
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-05-19 18:42
Idlescan using zombie 192.168.5.10 (192.168.5.10:80); Class: Incremental
Even though your Zombie (192.168.5.10; 192.168.5.10) appears to be
vulnerable to IPID sequence prediction (class: Incremental), our
attempts have failed. This generally means that either the Zombie uses
a separate IPID base for each host (like Solaris), or because you cannot
spoof IP packets (perhaps your ISP has enabled egress filtering to
prevent IP spoofing), or maybe the target network recognizes the packet
source as bogus and drops them
BTW: .10 is a Linux 2.6.11-7 kernel and .1 is a Linux 2.4.30.
I have also been randomly trying on -iR dropped IPs and all I get are "All
zero" and "randomized" responses.
I read Fyodor's comment on insecure.org and I thought perhaps this was
an already fixed issue in most vendors.
Could someone please let me know if I just had bad luck or if this type of
scan is obsolete?
Thanks very much,
Sent through the nmap-dev mailing list
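The IPID classes nmap names in the output above ("Incremental", "All zeros", "Randomized") describe how a host's IP identification counter behaves, and that behaviour is what decides whether the host can be abused as a zombie. The following is an added example, not part of the post and not nmap's own code: a small classifier that an administrator can run over IP IDs captured from one of their own hosts (for instance from a packet capture of its replies) to check whether its counter is predictable and therefore worth hardening. The class names follow nmap's wording; the step thresholds and the sample sequences are constructed assumptions for this example, not nmap's exact algorithm.

```python
"""Audit an observed IP ID sequence for predictability.

Added example (not from the post, not nmap's code). The thresholds are a
simplified heuristic modelled on the class names nmap reports; the sample
sequences at the bottom are constructed.
"""
from typing import List, Sequence

IPID_MODULUS = 1 << 16        # the IP ID field is 16 bits wide
MAX_INCREMENTAL_STEP = 5      # assumption: steps this small still count as "incremental"
MAX_POSITIVE_STEP = 1000      # assumption: larger but bounded steps -> shared/busy counter


def _deltas(ids: Sequence[int]) -> List[int]:
    """Successive differences, wrapping around the 16-bit field."""
    return [(b - a) % IPID_MODULUS for a, b in zip(ids, ids[1:])]


def _byteswap(value: int) -> int:
    """Swap the two bytes of a 16-bit value (some stacks emit the ID little-endian)."""
    return ((value & 0xFF) << 8) | ((value >> 8) & 0xFF)


def classify_ipid(ids: Sequence[int]) -> str:
    """Return an nmap-style class name for a sequence of observed IP IDs."""
    if len(ids) < 3:
        raise ValueError("need at least three samples to judge a sequence")
    if all(i == 0 for i in ids):
        return "All zeros"
    if len(set(ids)) == 1:
        return "Constant"
    deltas = _deltas(ids)
    if all(1 <= d <= MAX_INCREMENTAL_STEP for d in deltas):
        return "Incremental"
    # A stack that writes the ID little-endian looks incremental after a byte swap.
    swapped = _deltas([_byteswap(i) for i in ids])
    if all(1 <= d <= MAX_INCREMENTAL_STEP for d in swapped):
        return "Broken little-endian incremental"
    if all(1 <= d <= MAX_POSITIVE_STEP for d in deltas):
        return "Random positive increments"
    return "Randomized"


def counter_is_predictable(ids: Sequence[int]) -> bool:
    """True when a third party could infer how many packets the host sent in between.

    Hosts in this state should get a kernel that randomises the ID or keeps a
    separate counter per destination (the Solaris behaviour the nmap message
    mentions), which is what makes the idle-scan trick fail against them.
    """
    return classify_ipid(ids) in ("Incremental", "Broken little-endian incremental")


# Constructed sample sequences, one per class.
SAMPLES = {
    "old incremental stack": [1000, 1001, 1002, 1003, 1004],
    "incremental across the 16-bit wrap": [65534, 65535, 0, 1],
    "little-endian stack": [0x0100, 0x0200, 0x0300, 0x0400],
    "busy shared counter": [10, 300, 650, 900],
    "randomised stack": [0x1234, 0x9F3C, 0x0B71, 0xE802],
    "zero-filled stack": [0, 0, 0, 0],
}

if __name__ == "__main__":
    for label, ids in SAMPLES.items():
        print(f"{label:36s} -> {classify_ipid(ids):34s} predictable={counter_is_predictable(ids)}")
```

Run it as-is to see the constructed samples classified; to audit a real host, replace the lists with the ID field values taken from its packets, in the order they were captured. A sequence of replies to a single probing host that still classifies as "Incremental" is the condition the nmap message calls "vulnerable to IPID sequence prediction".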