http://en.wikipedia.org/wiki/Idle_scan

Idle scan

From Wikipedia, the free encyclopedia


The idle scan is a TCP port scan method that uses spoofed packets, sent with tools such as Nmap and Hping, so that the target never receives a packet carrying the attacker's own address. Beyond finding open ports, it can map out IP-based trust relationships between machines, because the target sees the scan as coming from another host. The attack sends forged packets to one machine, the target, and infers the result from side effects observed on a second machine, the zombie. Discovered by Salvatore Sanfilippo (also known by his handle "Antirez") in 1998[1], the idle scan has been used by many black-hat hackers to covertly identify open ports on a target computer in preparation for attacking it. Although it was originally named 'dumb scan', the term 'idle scan' was coined in 1999, after the publication of a proof-of-concept 16-bit IP identification field (IPID) scanner named "idlescan", by Filipe Almeida (aka LiquidK). This type of scan is also referred to as a 'zombie scan'; all of these names describe the role of one of the computers involved in the attack.


Basic mechanics

Idle scans take advantage of predictable IP identification (IPID) values, not TCP sequence numbers: many older TCP/IP stacks fill the 16-bit IPID field of every outgoing datagram from a single global counter that increases by one per packet sent. An attacker first scans for a host with such a sequential, predictable IPID. The latest versions of Linux, Solaris, and OpenBSD are not suitable for this role, since their IPID generation has been patched so that it is no longer one predictable counter[2]. Computers chosen for this stage are known as "zombies". Once a suitable zombie is found, the next step is to send a SYN packet to the target computer with the zombie's IP address spoofed as the source. If the target's port is open, it responds with a SYN/ACK packet to the zombie. Because the zombie never sent the SYN, it answers the target with a RST packet, and sending that RST increments its IPID. If the port is closed, the target instead sends a RST to the zombie, which the zombie silently ignores, so its IPID does not advance; a filtered port, where the target sends nothing at all, looks exactly the same. The attacker therefore reads the zombie's IPID before and after the spoofed SYN: an increase of two (one for the zombie's reply to the probe itself, one for its RST to the target) means the port is open, an increase of one means it is closed or filtered, and any larger jump means the zombie was not actually idle and the reading must be discarded.

The first stage of an idle scan
The second stage of an idle scan

Hping method

The hping method shows idle scanning at a lower level, one packet at a time. In this example the target host (172.16.0.100) is scanned using an idle host (172.16.0.105). One open and one closed port are tested to show how each case plays out.

First, establish that the idle host is actually idle: send it a stream of packets with hping2 and observe that the id numbers increase by exactly one per reply. If the id numbers jump haphazardly, the host is exchanging packets with other machines and is not actually idle.

[r...@localhost hping2-rc3]# ./hping2 -S 172.16.0.105
HPING 172.16.0.105 (eth0 172.16.0.105): S set, 40 headers + 0 data bytes
len=46 ip=172.16.0.105 ttl=128 id=1371 sport=0 flags=RA seq=0 win=0 rtt=0.3 ms
len=46 ip=172.16.0.105 ttl=128 id=1372 sport=0 flags=RA seq=1 win=0 rtt=0.2 ms
len=46 ip=172.16.0.105 ttl=128 id=1373 sport=0 flags=RA seq=2 win=0 rtt=0.3 ms
len=46 ip=172.16.0.105 ttl=128 id=1374 sport=0 flags=RA seq=3 win=0 rtt=0.2 ms
len=46 ip=172.16.0.105 ttl=128 id=1375 sport=0 flags=RA seq=4 win=0 rtt=0.2 ms
len=46 ip=172.16.0.105 ttl=128 id=1376 sport=0 flags=RA seq=5 win=0 rtt=0.2 ms
len=46 ip=172.16.0.105 ttl=128 id=1377 sport=0 flags=RA seq=6 win=0 rtt=0.2 ms
len=46 ip=172.16.0.105 ttl=128 id=1378 sport=0 flags=RA seq=7 win=0 rtt=0.2 ms
len=46 ip=172.16.0.105 ttl=128 id=1379 sport=0 flags=RA seq=8 win=0 rtt=0.4 ms
       

Send a spoofed SYN packet to the target host on a port you expect to be open, using the idle host's address as the source. In this case, port 22 (ssh) is being tested.

# hping2 --spoof 172.16.0.105 -S 172.16.0.100 -p 22 -c 1
HPING 172.16.0.100 (eth0 172.16.0.100): S set, 40 headers + 0 data bytes

--- 172.16.0.100 hping statistic ---
1 packets tramitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

Since the packet was spoofed, the reply does not come back to us and hping reports 100% packet loss. The target host answered the idle host directly with a SYN/ACK packet. Now probe the idle host again to see whether its id number has increased.

# hping2 -S 172.16.0.105 -p 445 -c 1
HPING 172.16.0.105 (eth0 172.16.0.105): S set, 40 headers + 0 data bytes
len=46 ip=172.16.0.105 ttl=128 DF id=1381 sport=445 flags=SA seq=0 win=64320 rtt=0.3 ms

--- 172.16.0.105 hping statistic ---
1 packets tramitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.3/0.3/0.3 ms

Notice that the idle host's id increased from id=1379 to id=1381. Id 1380 was consumed when the idle host answered the target host's SYN/ACK with a RST packet; 1381 is the reply to our own probe.

Run through the same process again, this time testing a port that is likely closed. Here port 23 (telnet) is tested, with the idle host probed immediately before and after the spoofed packet:

# hping2 -S 172.16.0.105 -p 445 -c 1; hping2 --spoof 172.16.0.105 -S 172.16.0.100 -p 23 -c 1; hping2 -S 172.16.0.105 -p 445 -c 1
HPING 172.16.0.105 (eth0 172.16.0.105): S set, 40 headers + 0 data bytes
len=46 ip=172.16.0.105 ttl=128 DF id=1382 sport=445 flags=SA seq=0 win=64320 rtt=2.1 ms

--- 172.16.0.105 hping statistic ---
1 packets tramitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 2.1/2.1/2.1 ms
HPING 172.16.0.100 (eth0 172.16.0.100): S set, 40 headers + 0 data bytes

--- 172.16.0.100 hping statistic ---
1 packets tramitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
HPING 172.16.0.105 (eth0 172.16.0.105): S set, 40 headers + 0 data bytes
len=46 ip=172.16.0.105 ttl=128 DF id=1383 sport=445 flags=SA seq=0 win=64320 rtt=0.3 ms
--- 172.16.0.105 hping statistic ---
1 packets tramitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.3/0.3/0.3 ms

Notice that this time the id advanced only from 1382 to 1383, the single increment caused by our own probe of the idle host. The spoofed SYN produced no extra increment because the target answered the idle host with a RST packet, and a host that receives an unexpected RST sends nothing in reply. A filtered port, where the target sends nothing at all, gives the same reading, so an idle scan cannot tell a closed port from a filtered one.
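The whole exchange, as an added example that is not part of the original article and is not hping2's or Nmap's code: a small Python model of the three hosts in which the attacker's probes, the spoofed SYN and the zombie's RST are simulated rather than sent. It covers both the Basic mechanics description and the hping walk-through above, notes in a comment which hping2 command each step stands for, and goes beyond the page in two ways: the 16-bit wraparound of the IPID counter, and two ways a zombie yields a wrong or unreadable answer (a per-destination IPID counter of the kind modern Linux uses, and a zombie that is not idle). The addresses, the attacker's source ports and the simplified TCP stacks are assumptions.

```python
"""Offline model of an IP ID (IPID) idle scan.

Added example, not code from the Wikipedia article, hping2 or Nmap: three
simulated hosts play attacker, zombie and target and nothing touches the
wire. Only the bookkeeping the scan relies on is modelled: the zombie's IP
ID counter, the RFC 793 replies each stack sends, and how two probes of
the zombie become an open/closed verdict. All addresses are made up.
"""
from collections import namedtuple
from dataclasses import dataclass, field

ATTACKER, ZOMBIE, TARGET = "172.16.0.1", "172.16.0.105", "172.16.0.100"

# flags are "S", "SA" or "RA", as hping2 prints them
Packet = namedtuple("Packet", "src dst sport dport flags ipid", defaults=[0])


@dataclass
class Host:
    ip: str
    open_ports: frozenset = frozenset()
    filtered_ports: frozenset = frozenset()  # SYNs to these are dropped silently
    # "global": one IP ID counter for all traffic (the classic zombie).
    # "per_destination": a counter per peer, as modern Linux does; it looks
    # sequential from the attacker's seat but never exposes the RST sent to
    # the target, so such a host is useless as a zombie.
    ipid_mode: str = "global"
    counters: dict = field(default_factory=dict)

    def next_ipid(self, dst):
        key = "*" if self.ipid_mode == "global" else dst
        self.counters[key] = (self.counters.get(key, 0) + 1) & 0xFFFF
        return self.counters[key]

    def respond(self, pkt):
        """The packet this stack sends back for pkt, or None."""
        if pkt.flags == "S":
            if pkt.dport in self.filtered_ports:
                return None
            flags = "SA" if pkt.dport in self.open_ports else "RA"
        elif pkt.flags == "SA":
            flags = "RA"    # unsolicited SYN/ACK: no such connection, reset it
        else:
            return None     # a RST gets no reply, so it costs the receiver no IP ID
        return Packet(self.ip, pkt.src, pkt.dport, pkt.sport, flags, self.next_ipid(pkt.src))


class Network:
    def __init__(self, *hosts):
        self.hosts = {h.ip: h for h in hosts}

    def send(self, pkt):
        """Deliver pkt, follow the reply chain, return the direct reply (or None)."""
        dst = self.hosts.get(pkt.dst)
        reply = dst.respond(pkt) if dst else None
        if reply is not None:
            self.send(reply)    # e.g. the zombie's RST to the target, which we never see
        return reply


def probe_zombie(net, port=445):
    """hping2 -S <zombie> -p 445 -c 1: read the IP ID off the zombie's reply."""
    return net.send(Packet(ATTACKER, ZOMBIE, 40000, port, "S")).ipid


def zombie_is_idle(net, samples=5):
    """Every probe must advance the zombie's IP ID by exactly one."""
    ids = [probe_zombie(net) for _ in range(samples)]
    return all((b - a) & 0xFFFF == 1 for a, b in zip(ids, ids[1:]))


def idle_scan_port(net, port, background=None):
    before = probe_zombie(net)
    # hping2 --spoof <zombie> -S <target> -p <port> -c 1: the reply goes to the
    # zombie, never to us, so the return value is deliberately dropped.
    net.send(Packet(ZOMBIE, TARGET, 40001, port, "S"))
    if background:              # unrelated traffic the zombie handles meanwhile
        background()
    after = probe_zombie(net)
    delta = (after - before) & 0xFFFF   # modulo arithmetic survives the 16-bit wrap
    if delta == 2:
        return "open"               # our probe reply plus the zombie's RST to the target
    if delta == 1:
        return "closed|filtered"    # target sent RST or nothing; the zombie stayed silent
    return "unknown"                # zombie was busy, or its IP ID is not one global counter


def demo():
    """The hping walk-through above, with the counter started next to the wrap."""
    zombie = Host(ZOMBIE, open_ports=frozenset({445}))
    zombie.counters["*"] = 0xFFFE
    net = Network(zombie, Host(TARGET, open_ports=frozenset({22}), filtered_ports=frozenset({25})))
    out = {"idle": zombie_is_idle(net)}
    out.update({p: idle_scan_port(net, p) for p in (22, 23, 25)})
    return out


def demo_per_destination_zombie():
    """A Linux-style zombie passes the idle check, then reports open port 22 as closed."""
    net = Network(Host(ZOMBIE, ipid_mode="per_destination"), Host(TARGET, open_ports=frozenset({22})))
    return zombie_is_idle(net), idle_scan_port(net, 22)


def demo_busy_zombie():
    """A third host hitting the zombie mid-scan makes the delta unreadable."""
    net = Network(Host(ZOMBIE), Host(TARGET, open_ports=frozenset({22})))
    return idle_scan_port(net, 22, background=lambda: net.send(Packet("172.16.0.9", ZOMBIE, 1234, 80, "S")))


if __name__ == "__main__":
    print(demo(), demo_per_destination_zombie(), demo_busy_zombie())
```

Run it directly to print the three verdict sets. The model reports "closed|filtered" rather than "closed" because, as the telnet run shows, a RST from the target and no reply at all are indistinguishable from the zombie's side; the per-destination case is the one to keep in mind when a candidate zombie passes the idle check yet every port comes back closed.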

Nmap method

The first thing the user would do is find a suitable zombie, for example by sweeping the local network:

nmap -sP 192.168.1.0/24

This tells Nmap to do a ping sweep and list all hosts that are up in the given IP range (-sP is spelled -sn in current Nmap releases). Nmap's idle scan itself checks the candidate's IPID behaviour before using it and refuses a zombie whose IPIDs are not sequential. Once a usable zombie is found, send the spoofed packets:

nmap -P0 -p <port> -sI <zombie IP> <target IP>

Here -P0 (spelled -Pn in current releases) stops Nmap from pinging the target from the attacker's own address first, which would defeat the purpose of the scan. The two images above show both of these stages in a successful scenario.

Effectiveness

Although many operating systems are now immune to being used as zombies, some popular systems are still vulnerable[3], so the idle scan remains very effective. Once a successful scan is completed there is no trace of the attacker's IP address in the target's firewall or intrusion-detection system logs: every probe the target saw appeared to come from the zombie. Another useful possibility is bypassing a firewall, because the target is effectively scanned from the zombie's address[4], which may be trusted with more access than the attacker's own.
