The target will respond in different ways depending on whether the port is open, which can in turn be detected by querying the zombie.
This exploit serves two purposes: it is a port scanner and a mapper of trusted IP relationships between machines.[3] The overall intention behind the idle scan is to "check the port status while remaining completely invisible to the targeted host."[4] Discovered by Salvatore Sanfilippo (also known by his handle "Antirez") in 1998,[5] the idle scan has been used by many black hat "hackers" to covertly identify open ports on a target computer in preparation for attacking it.
TCP is the protocol that major Internet applications rely on, such as the World Wide Web, e-mail, and file transfer.
In this system, network services are identified using two components: a host address and a port number.
A host in a local network can be protected by a firewall that filters packets according to rules set up by its administrator.
If the port of the target computer is open it will accept the connection for the service, responding with a SYN/ACK packet back to the zombie.
It must assign IP ID values incrementally on a global basis (rather than per host it communicates with).
When an idle scan is attempted, tools (for example, Nmap) test the proposed zombie and report any problems with it.
Alternatively, there has been some research on using unintended public web services as zombie hosts to perform similar idle scans.
Leveraging the way some of these services make outbound connections in response to user submissions can serve as a kind of poor man's idle scan.
Send a spoofed SYN packet to the target host on a port you expect to be open.
That is still no guarantee that it will work, as Solaris and some other systems create a new IP ID sequence for each host they communicate with.
OS detection and the open port list can also help in identifying systems that are likely to be idle.
Another approach to identifying zombie candidates is to run the ipidseq NSE script against a host.
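The ipidseq check comes down to classifying the IP ID values a host puts in consecutive replies. The following Python is an added example, not Nmap's code or part of the original article: it sorts constructed IP ID samples into Nmap-style classes so an administrator can audit which of their own hosts expose a globally incremental counter (and should have IP ID randomization enabled); the sample values and the step thresholds are assumptions.

```python
# Constructed IP ID samples: six consecutive reply packets from each host.
SAMPLES = {
    "incremental_host": [40123, 40124, 40125, 40126, 40127, 40128],
    # Some stacks increment the counter in host byte order, so on the wire
    # the low byte appears first (0x3401, 0x3501, ...): the "broken" class.
    "broken_le_host": [0x3401, 0x3501, 0x3601, 0x3701, 0x3801, 0x3901],
    "random_host": [53211, 2, 61904, 17732, 44021, 8390],
    "zero_host": [0, 0, 0, 0, 0, 0],
    "random_positive_host": [40123, 40987, 41550, 42001, 43111, 43999],
}

def _diffs(ids):
    # Successive differences modulo 16 bits, so a counter wrapping 65535 -> 0 counts as +1.
    return [(b - a) % 65536 for a, b in zip(ids, ids[1:])]

def classify_ipid_sequence(ids, max_step=10):
    """Classify a list of IP IDs into an Nmap-ipidseq-like class (assumed thresholds)."""
    if len(ids) < 2:
        raise ValueError("need at least two IP ID samples")
    if all(i == 0 for i in ids):
        return "all zeros"
    if len(set(ids)) == 1:
        return "constant"
    if all(1 <= d <= max_step for d in _diffs(ids)):
        return "incremental"
    # Byte-swap each value and look again for small increments.
    swapped = [((i & 0xFF) << 8) | (i >> 8) for i in ids]
    if all(1 <= d <= max_step for d in _diffs(swapped)):
        return "broken little-endian incremental"
    if all(d < 20000 for d in _diffs(ids)):
        return "random positive increments"
    return "random"

def exposes_global_counter(ids):
    """True for the classes an idle scan could exploit: these hosts need IP ID randomization."""
    return classify_ipid_sequence(ids) in ("incremental", "broken little-endian incremental")

def audit(samples):
    """Map host name -> (class, needs_fix) for every sampled host."""
    return {h: (classify_ipid_sequence(ids), exposes_global_counter(ids)) for h, ids in samples.items()}

if __name__ == "__main__":
    for host, (cls, needs_fix) in audit(SAMPLES).items():
        print(f"{host:22s} {cls:34s} {'FIX: randomize IP ID' if needs_fix else 'ok'}")
```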
Once a successful scan is completed, there is no trace of the attacker's IP address in the target's firewall or intrusion detection system logs.
Another useful possibility is the chance of bypassing a firewall, because the target is scanned from the zombie's computer,[10] which might have more rights than the attacker's.