Nmap Development mailing list archives

Patch: Setting the flags for Idlescan
From: "Kurt Grutzmacher" <grutz () jingojango net>
Date: Thu, 16 Mar 2006 15:51:31 -0800

Here's a minor option addition to set nmap's Idle scan (-sI) flags. Modified
the --scanflags parser to add some common words (SYNACK, PUSHACK). I did
this while researching Marco Ivaldi's bugtraq post here:

Some interesting results with a zombie of a Linux 2.6.11 platform -- Perhaps
others will find something unique in their own testing. . .

flags SFP - worked
flags FP - worked
flags P - worked
just about anything with RST - failed
just about anything with ACK - worked

# ./nmap -sI x.y.z.ZOMBIE:22 x.y.z.VICTIM -p 22 -P0 -n --packet_trace --idleflags 8

Starting Nmap 4.02Alpha2 ( http://www.insecure.org/nmap/ ) at 2006-03-16 15:25 PST
SENT (0.0060s) ARP who-has x.y.z.VICTIM tell x.y.z.ME
RCVD (0.0070s) ARP reply x.y.z.VICTIM is-at 00:DE:AD:BE:EF:00
Idlescan using flags 8
SENT (0.0200s) TCP x.y.z.ME:33350 > x.y.z.ZOMBIE:22 P ttl=56 id=59028
iplen=44 seq=841566636 win=1024
RCVD (0.0210s) TCP x.y.z.ZOMBIE:22 > x.y.z.ME:33350 RA ttl=64 id=53387
iplen=40 seq=0 win=0 ack=841566636
SENT (0.0520s) TCP x.y.z.ME:33351 > x.y.z.ZOMBIE:22 P ttl=51 id=8635
iplen=44 seq=841566637 win=4096
RCVD (0.0520s) TCP x.y.z.ZOMBIE:22 > x.y.z.ME:33351 RA ttl=64 id=53388
iplen=40 seq=0 win=0 ack=841566637
SENT (0.0840s) TCP x.y.z.ME:33352 > x.y.z.ZOMBIE:22 P ttl=40 id=65043
iplen=44 seq=841566638 win=1024
RCVD (0.0840s) TCP x.y.z.ZOMBIE:22 > x.y.z.ME:33352 RA ttl=64 id=53389
iplen=40 seq=0 win=0 ack=841566638
SENT (0.VICTIM160s) TCP x.y.z.ME:33353 > x.y.z.ZOMBIE:22 P ttl=37 id=51545
iplen=44 seq=841566639 win=2048
RCVD (0.VICTIM160s) TCP x.y.z.ZOMBIE:22 > x.y.z.ME:33353 RA ttl=64 id=53390
iplen=40 seq=0 win=0 ack=841566639
SENT (0.VICTIM480s) TCP x.y.z.ME:33354 > x.y.z.ZOMBIE:22 P ttl=43 id=41276
iplen=44 seq=841566640 win=4096
RCVD (0.VICTIM480s) TCP x.y.z.ZOMBIE:22 > x.y.z.ME:33354 RA ttl=64 id=53391
iplen=40 seq=0 win=0 ack=841566640
SENT (0.VICTIM800s) TCP x.y.z.ME:33355 > x.y.z.ZOMBIE:22 P ttl=53 id=64098
iplen=44 seq=841566641 win=2048
RCVD (0.VICTIM800s) TCP x.y.z.ZOMBIE:22 > x.y.z.ME:33355 RA ttl=64 id=53392
iplen=40 seq=0 win=0 ack=841566641
Idlescan using zombie x.y.z.ZOMBIE (x.y.z.ZOMBIE:22); Class: Incremental
SENT (0.VICTIM800s) TCP x.y.z.VICTIM:33349 > x.y.z.ZOMBIE:22 P ttl=54
id=13179 iplen=44 seq=841566636 win=49307
SENT (0.2320s) TCP x.y.z.VICTIM:33349 > x.y.z.ZOMBIE:22 P ttl=47 id=33506
iplen=44 seq=841566637 win=49307
SENT (0.2840s) TCP x.y.z.VICTIM:33349 > x.y.z.ZOMBIE:22 P ttl=41 id=34168
iplen=44 seq=841566638 win=49307
SENT (0.3360s) TCP x.y.z.VICTIM:33349 > x.y.z.ZOMBIE:22 P ttl=38 id=49181
iplen=44 seq=841566639 win=49307
SENT (0.6380s) TCP x.y.z.ME:33436 > x.y.z.ZOMBIE:22 P ttl=51 id=50615
iplen=44 seq=2225973488 win=4096
RCVD (0.6380s) TCP x.y.z.ZOMBIE:22 > x.y.z.ME:33436 RA ttl=64 id=53397
iplen=40 seq=0 win=0 ack=2225973488
SENT (0.6390s) TCP x.y.z.ZOMBIE:22 > x.y.z.VICTIM:22 S ttl=58 id=48095
iplen=44 seq=1623664806 win=3072
SENT (0.6890s) TCP x.y.z.ME:33584 > x.y.z.ZOMBIE:22 P ttl=44 id=41448
iplen=44 seq=2225973988 win=1024
RCVD (0.6890s) TCP x.y.z.ZOMBIE:22 > x.y.z.ME:33584 RA ttl=64 id=53399
iplen=40 seq=0 win=0 ack=2225973988
SENT (0.7410s) TCP x.y.z.ME:33438 > x.y.z.ZOMBIE:22 P ttl=40 id=55112
iplen=44 seq=2225974488 win=1024
RCVD (0.7410s) TCP x.y.z.ZOMBIE:22 > x.y.z.ME:33438 RA ttl=64 id=53400
iplen=40 seq=0 win=0 ack=2225974488
SENT (0.7420s) TCP x.y.z.ZOMBIE:22 > x.y.z.VICTIM:22 S ttl=59 id=24818
iplen=44 seq=1623664806 win=4096
SENT (0.7920s) TCP x.y.z.ME:33373 > x.y.z.ZOMBIE:22 P ttl=48 id=33542
iplen=44 seq=2225974988 win=1024
RCVD (0.7930s) TCP x.y.z.ZOMBIE:22 > x.y.z.ME:33373 RA ttl=64 id=53402
iplen=40 seq=0 win=0 ack=2225974988
SENT (0.8440s) TCP x.y.z.ME:33493 > x.y.z.ZOMBIE:22 P ttl=55 id=22836
iplen=44 seq=2225975488 win=4096
RCVD (0.8440s) TCP x.y.z.ZOMBIE:22 > x.y.z.ME:33493 RA ttl=64 id=53403
iplen=40 seq=0 win=0 ack=2225975488
Interesting ports on x.y.z.VICTIM:
22/tcp open  ssh

Nmap finished: 1 IP address (1 host up) scanned in 1.158 seconds
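The "Class: Incremental" line in the trace is what makes the host usable as a zombie: its IP ID counter is global and predictable, which is the property a defender removes by having the host randomize its IP IDs or keep per-destination counters. As an added example (not part of the post or of the patch), the code below parses a --packet_trace capture in the archive's wrapped form, classifies the zombie's IP ID sequence and tabulates which probe flags drew which reply; the step bound of 10 in ipid_class is an assumption approximating nmap's heuristic, not nmap's code.

```python
import re
from collections import Counter

# Lines copied from the post's --packet_trace output (archive-wrapped); nothing is sent.
SAMPLE_TRACE = """\
SENT (0.0200s) TCP x.y.z.ME:33350 > x.y.z.ZOMBIE:22 P ttl=56 id=59028
iplen=44 seq=841566636 win=1024
RCVD (0.0210s) TCP x.y.z.ZOMBIE:22 > x.y.z.ME:33350 RA ttl=64 id=53387
iplen=40 seq=0 win=0 ack=841566636
SENT (0.0520s) TCP x.y.z.ME:33351 > x.y.z.ZOMBIE:22 P ttl=51 id=8635
iplen=44 seq=841566637 win=4096
RCVD (0.0520s) TCP x.y.z.ZOMBIE:22 > x.y.z.ME:33351 RA ttl=64 id=53388
iplen=40 seq=0 win=0 ack=841566637
"""

PKT_RE = re.compile(r"^(SENT|RCVD) \(\S+s\) TCP (\S+):(\d+) > (\S+):(\d+) "
                    r"(\S+) ttl=\d+ id=(\d+)")

def parse_trace(text):
    """Re-join archive-wrapped lines, then parse each SENT/RCVD packet."""
    joined = []
    for line in text.splitlines():
        if line.startswith(("SENT", "RCVD")):
            joined.append(line)
        elif joined:  # 'iplen=...' continuation of the previous packet
            joined[-1] += " " + line.strip()
    return [m.groups() for m in map(PKT_RE.match, joined) if m]

def ipid_class(ids):
    """Label an IP ID sequence as nmap labels a zombie; the step bound of 10 is
    an assumption approximating nmap's heuristic, not its code."""
    diffs = [(b - a) % 65536 for a, b in zip(ids, ids[1:])]  # 16-bit wrap
    if not diffs:
        return "Unknown"
    if all(1 <= d <= 10 for d in diffs):
        return "Incremental"  # predictable: the host is usable as a zombie
    return "Random"  # unpredictable or constant: idle scan via this host fails

def zombie_report(text, zombie):
    """Return (IP ID class, {(probe flags, reply flags): count}) for zombie."""
    sent, ids, pairs = {}, [], Counter()
    for d, src, sport, dst, dport, flags, ipid in parse_trace(text):
        if d == "SENT":
            sent[(dst, dport, sport)] = flags
        elif src == zombie:  # a reply: pair it with the probe it answers
            ids.append(int(ipid))
            pairs[(sent.get((src, sport, dport)), flags)] += 1
    return ipid_class(ids), dict(pairs)
```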

Sent through the nmap-dev mailing list
