Home page logo

nmap-dev logo Nmap Development mailing list archives

Re: Patch: Setting the flags for Idlescan
From: Fyodor <fyodor () insecure org>
Date: Thu, 16 Mar 2006 17:09:59 -0800

On Thu, Mar 16, 2006 at 04:55:53PM -0800, Kurt Grutzmacher wrote:


SENT (0.4320s) TCP xx.yy.zz.ME:44951 > xx.yy.zz.ZOMBIE:55 SA ttl=53  
id=32040 iplen=44 seq=3245032422 win=2048 ack=278882775
Idlescan zombie xx.yy.zz.ZOMBIE (xx.yy.zz.ZOMBIE) port 55 cannot be  
used because it has not returned any of our probes -- perhaps it is  
down or firewalled.


SENT (0.1810s) TCP xx.yy.zz.ME:45762 > xx.yy.zz.ZOMBIE:55 A ttl=58  
id=4557 iplen=44 seq=395955956 win=3072 ack=3026693419
RCVD (0.1810s) TCP xx.yy.zz.ZOMBIE:55 > xx.yy.zz.ME:45762 R ttl=64  
id=54084 iplen=40 seq=3026693419 win=0
Idlescan using zombie xx.yy.zz.ZOMBIE (xx.yy.zz.ZOMBIE:55); Class:  

Certainly a unique situation but still possible.

But does the scan actually end up producing valid results?  Remember
that the target will be sending back SYN/ACK packets to the zombie,
which may be dropped in the same way the SYN/ACKs you send to the
zombie are.

Thanks for sending the patch,

Sent through the nmap-dev mailing list

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]