Try DigitalOcean free for up to two months!

NMAP Scanning – Idle Scan

Discussion in 'Linux Security' started by Jarret W. Buse, Oct 4, 2015.

  1. Jarret W. Buse

    Jarret W. Buse Well-Known Member Staff Writer

    Jul 3, 2013
    Likes Received:
    NMAP Scanning – Idle Scan

    An unusual scan which is available for NMAP is the Idle Scan. To start, the Port Scan requires an idle system to be used as a “zombie”. The “zombie” is used to scan for open ports on a Target system. Results are sent from the “zombie” system to the Source to find open ports on the Target. No communication is performed between the Source and the Target system.

    There are three requirements for the Idle Scan.

    1. The “zombie” system must be idle
    2. The “zombie” system must have an open Port 80
    3. Root privileges

    NOTE: The reason Port 80 must be open is that a “SYN” is being sent to the “zombie” with no Port number designated. Since the 3-Way Handshake is not completed (no Step 1), the port cannot be set and the default port is Port 80.

    So, let's look into the process that the Idle Scan is going through to perform such tests. Let's start by defining the systems we are using:

    • Source – Host Name: SymplePC, Linux OS, IP:, MAC: 00:87:35:1C:88:13
    • Zombie – Host Name: Dell, Windows OS, IP:, MAC: E0:91:F5:99:9D:AF
    • Target – Host Name: Kodi, Windows OS, IP:, MAC: 00:11:2F:8C:27:FF

    NOTE: Watch these MAC Addresses in the Figures. The IP Address will be spoofed, but the MAC Addresses will remain the same for each system.

    Before getting into the details, I need to explain IP IDs. The Internet Protocol (IP) IDs are numbers used to identify packets on a network. Most systems will use consecutive IP IDs. It is important to remember that the IP IDs are consecutive. All packets on a network have an IP ID. Since the IP IDs are consecutive and need to be so, the “nmap” utility will check that the “zombie” system produces consecutive IDs. If the “zombie” does not create consecutive IP IDs, then “nmap” will stop. It is also imperative that the “zombie” be idle. If it is sending and receiving packets, then the IP IDs will not be consecutive and cause an erroneous result.

    The Idle Scan command is: “sudo nmap -v -sI -P0”. The “-v” option shows more verbosity and if needed the “-vv” option could be used to produce more details. The option “-sI” specifies the “zombie” system, which is “”. Then next IP Address, “”, is the Target system to be scanned. Finally, the “-P0” specifies that no pings should be sent to the Target. Since no Pings are sent from the Source to the Target system, there will be no communication directly between the two devices. The output from the “nmap” Idle Scan command is shown in Figure 1.

    Figure 1.jpg
    FIGURE 1

    To begin the scan, as shown in Figure 2, the “nmap” utility will perform an Address Resolution Protocol (ARP) to find the MAC and IP Addresses of the “zombie” and the Target. Line 1 shows the request for the system with the IP Address of (Target). The response is shown on Line 2. Line 9 shows that the “zombie” system is not aware of the MAC Address of the Source system and requests it. The response is on Line 10. For systems already in communication with each other, the ARP requests would not be necessary.

    Figure 2.jpg
    FIGURE 2

    In Figure 2 on Line 7, the IP IDs sequence is verified. The Source system sends six packets to the “zombie” to verify that the IP IDs are consecutive. If the IDs are not consecutive, then two things may be happening.

    1. The “zombie” produces random IP IDs
    2. The “zombie” is not idle

    The Source is sending the requests on Lines 5, 7, 13, 16, 19 and 22. If you look at these lines, you will notice that the requests are “SYN/ACK”. These are the second step of the 3-way Handshake. Each of these causes an error, since there was not initial request to start a session, in Lines 6, 8, 14, 17, 20 and 23.

    NOTE: Because an incomplete 3-way Handshake is being performed is the reason for the need of Root privileges.

    Figure 3 shows details about IP for Lines 12 and 15. The IP ID for Line 12 is “0x0426” and for Line 15 the IP ID is “0x0427”. The output shows that the system designates consecutive IP IDs and is idle. The Idle Scan can then continue.

    Figure 3.jpg
    FIGURE 3

    The next step performed in my scan is that the “zombie” performs an ARP request for the system with the IP Address of Once the response is made, then the “zombie” starts to send “SYN” requests to the Target for each Port being scanned. If the Port is open, a response is sent back to the “zombie”, but not really. Let's look at this process a little closer. In Figure 4 you can see on Line 45 that a “SYN” went from to

    Figure 4.jpg
    FIGURE 4

    If we look at the details of this packet, shown in Figure 5, we can see some important details. The second line with a red border shows that the proper Source and Destination IP Addresses are used for communication. Looking at the first red bordered box, the truth can be seen. The MAC Address being used is not for the “zombie”, but the Source system. When an open port is found, the Target system responds to the true Source system and not the “zombie”.

    Figure 5.jpg
    FIGURE 5

    But what about the IP IDs? The IP IDs are needed when the systems are on different subnets.

    My next scan, I will use the same “zombie”, but my Target will be a system on the Internet. The Target will be a Google Server at IP Address The output is similar as the previous one, but let's look at the details. In Figure 6, you can see groupings of Port scans (Lines 83-88). The IP ID in Line 82 is “0x0bed” and Line 92 it is “0x0bef”. It should be “0x0bee”, but something happened to skip one. The reason to skip a IP ID is that an open port was found. Which one? It could be “rap”, “microsoft-ds”, “http”, “blackjack”, “pop3” or “ms-wbt-server”. We know there was only one port since only one IP ID was skipped.

    Figure 6.jpg
    FIGURE 6

    Line 96-98 shows that the ports for “rap”, “microsoft-ds” and “http” are retested. Again an IP ID is skipped. Now it is narrowed down to three ports. Lines 109-110 show that “rap” and “microsoft-ds” are being tested, but there are no skipped IP ID. Then, “http” is tested and we have an open port!

    The same occurs for “https” which are the only two ports found as shown in the “nmap” scan in Figure 7.

    Figure 7.jpg
    FIGURE 7

    Try the scan, but realize it only finds open ports. The Operating System (OS) cannot be determined or version numbers. Root privileges are required so this can hinder some users. Make sure the “zombie” you use is idle and has Port 80 open.

    Attached Files:

    mariano, jramirezg and blackneos940 like this.
  2. blackneos940

    blackneos940 Active Member

    Sep 6, 2013
    Likes Received:
    Very interesting, good sir..... :3 I must admit, I don't have the attention span to finish it all here.... :( However, I will copy this to Gedit for some good readin' later..... 'K....? :3 Also, it seems like the MAC Address was unchanged..... Did I miss something.....? :( Have a good day!!..... ^o^

Share This Page