Clever Geek Handbook

Idle scan

Idle scan is a stealthy TCP port scanning method in which the probe packets are bounced off a third-party host. Because the target never sees the scanner's own address, the method lets an attacker map the open ports of a target host covertly [1].

The attacker's host impersonates another host (the "zombie") and sends a connection request to a port on the target. The target answers the zombie, and whether it does so depends on whether the port is open; by watching the zombie, the attacker learns the result indirectly. There is no direct exchange between the attacking host and the target: the attacker talks only to the zombie. Such a scan can be performed with common network utilities such as nmap and hping [2].

Computer Networking Basics

This section discusses the features of TCP/IP that are necessary to understand the method.

Every IPv4 packet carries a 16-bit Identification (IP ID) field, used to reassemble fragments. When the counter passes 65535 it wraps to zero and counting starts again. By reading a host's IP ID twice, some time apart, you can find out how many packets it sent in between, that is, how active it is on the network. [3]

The IPv4 specification does not prescribe how IP ID values are assigned; it only requires that each packet carry a value unique for the sender/receiver pair and protocol for as long as the packet may remain in the network. [3] Implementations therefore assign IP IDs in different ways, which fall into three classes [4]:

  • Sequential: the counter increases by one for every packet sent
  • Sequential jump: the counter increases by a constant step larger than one (for example 256 on systems that store the field byte-swapped)
  • Random: each packet gets a pseudorandom value

A TCP connection between two hosts is set up as follows. Host X, wishing to connect to host Y, sends a SYN packet to Y (the packet carries the destination IP address and port and the source IP address, that is, X's own). If the requested port on Y is open, Y sends a SYN|ACK packet to whatever address was given as the source in the SYN. X then completes the handshake by sending an ACK to Y. If the port is closed, Y replies with RST (or, if a firewall drops the probe, with nothing at all). [5]

Method Algorithm

Idle scan consists of three steps, repeated for each port of interest [2]:

  • Probe the zombie to learn its current IP ID and record it.
  • Forge a SYN packet whose source address is the zombie's and send it to the port of interest on the target. Depending on the state of the port, the target's reaction may or may not make the zombie send a packet, and thus increment its IP ID.
  • Probe the zombie again. The state of the target port is inferred by comparing this new IP ID with the one recorded in the first step.

After this process the zombie's IP ID should have increased by one or two. An increase of one means that the zombie sent no packets other than its reply to the attacker's probe, so the port is closed or filtered (the target sent the zombie an RST, which it ignored, or nothing at all). An increase of two means that the port is open: the target sent the zombie a SYN|ACK in reply to the forged SYN, and the zombie, which never asked for a connection, answered with an RST, consuming one IP ID. An increase of more than two usually indicates a poor zombie: either its IP ID is not predictable, or it was exchanging traffic with other hosts at the time. [2]
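
The three steps and the decision rule, as an added example that is not part of the original article and uses neither nmap nor hping: the zombie and the target are modelled in pure Python (the Zombie and Target classes, the port numbers and the background_traffic knob are all constructed for illustration), so the effect of each packet on the zombie's IP ID can be followed without raw sockets. The same +1/+2 rule is what the manual hping procedure further down under Use applies by hand.

```python
"""Simulation of the three-step idle scan decision rule.

Added example, not code from the original article: the 'network' here
is a pure Python model, so it runs offline and needs no raw sockets.
The Zombie and Target classes, their ports and the background_traffic
parameter are constructed for illustration.
"""

IPID_MODULUS = 1 << 16  # the IP ID is a 16-bit field and wraps after 65535


class Zombie:
    """An idle host with a global, sequentially incrementing IP ID."""

    def __init__(self, start_id, background_traffic=0):
        self.ip_id = start_id
        # Packets the zombie sends to third parties between two probes
        # (0 for a truly idle host; anything else spoils the scan).
        self.background_traffic = background_traffic

    def _send(self):
        """Every packet the zombie emits consumes one IP ID value."""
        self.ip_id = (self.ip_id + 1) % IPID_MODULUS
        return self.ip_id

    def _send_background(self):
        for _ in range(self.background_traffic):
            self._send()

    def reply_to_probe(self):
        """The attacker's SYN|ACK to a closed zombie port is answered with RST."""
        self._send_background()
        return self._send()

    def receive_syn_ack(self):
        """Unsolicited SYN|ACK from the target: the zombie answers RST."""
        self._send()

    def receive_rst(self):
        """An RST is silently ignored; no packet, no IP ID consumed."""


class Target:
    """The scanned host: open ports answer SYN|ACK, closed ports RST,
    filtered ports (dropped by a firewall) answer nothing."""

    def __init__(self, open_ports, filtered_ports=()):
        self.open_ports = set(open_ports)
        self.filtered_ports = set(filtered_ports)

    def receive_syn(self, port, spoofed_source):
        # The reply goes to the forged source address, i.e. the zombie.
        if port in self.filtered_ports:
            return
        if port in self.open_ports:
            spoofed_source.receive_syn_ack()
        else:
            spoofed_source.receive_rst()


def idle_scan_port(zombie, target, port):
    """One round of the algorithm: probe, forged SYN, probe again."""
    before = zombie.reply_to_probe()          # step 1
    target.receive_syn(port, zombie)          # step 2: SYN carrying the zombie's address
    after = zombie.reply_to_probe()           # step 3
    delta = (after - before) % IPID_MODULUS   # wrap-safe difference
    if delta == 1:
        return "closed|filtered"
    if delta == 2:
        return "open"
    return "unreliable-zombie"                # noisy or randomised zombie


def idle_scan(zombie, target, ports):
    return {port: idle_scan_port(zombie, target, port) for port in ports}


if __name__ == "__main__":
    # Constructed scenario: 22 and 80 open, 8080 firewalled, the rest closed.
    t = Target(open_ports={22, 80}, filtered_ports={8080})
    quiet = Zombie(start_id=65534)   # starts next to the wrap boundary on purpose
    for port, state in idle_scan(quiet, t, [22, 80, 443, 8080]).items():
        print(f"{port:5d}/tcp {state}")
    busy = Zombie(start_id=100, background_traffic=3)
    print("busy zombie:", idle_scan(busy, t, [22]))
```

Note that the model reproduces the technique's blind spot: a closed port and a firewalled port both leave the zombie's counter at +1, so idle scan reports them identically.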

Choosing a Zombie Host

First, find out which hosts on the relevant subnet are up. This can be done with nmap [6]. Possible output:

  nmap -v -O -sS 192.168.43.1/30

 Starting Nmap 6.40 ( http://nmap.org ) at 2017-12-07 16:10 MSK
 Initiating ARP Ping Scan at 16:10
 Scanning 4 hosts [1 port/host]
 Completed ARP Ping Scan at 16:10, 0.31s elapsed (4 total hosts)
 Initiating Parallel DNS resolution of 4 hosts. at 16:10
 Completed Parallel DNS resolution of 4 hosts. at 16:10, 0.01s elapsed
 Nmap scan report for 192.168.43.0 [host down]
 Nmap scan report for 192.168.43.2 [host down]
 Nmap scan report for 192.168.43.3 [host down]
 Initiating SYN Stealth Scan at 16:10
 Scanning 192.168.43.1 [1000 ports]
 Discovered open port 53/tcp on 192.168.43.1
 Completed SYN Stealth Scan at 16:10, 4.61s elapsed (1000 total ports)
 Initiating OS detection (try #1) against 192.168.43.1

This command scans every address in the given range. The -O option enables operating system detection, -v turns on verbose output, -sS selects a TCP SYN scan, and 192.168.43.1/30 is the range to scan [7]. In this example four addresses were probed, three of which were down.

Next, from the list of live hosts, pick a suitable zombie. Two conditions must hold [2]:

  • When exchanging packets with it, its IP ID must increase by exactly one per packet.
  • The host must be otherwise idle, so that unrelated traffic does not disturb its IP ID.

Both conditions can be checked for a given host with hping [8]. A result such as:

  hping3 -r 192.168.43.1

 HPING 192.168.43.1 (wlan0 192.168.43.1): NO FLAGS are set, 40 headers + 0 data bytes
 len=40 ip=192.168.43.1 ttl=64 DF id=64118 sport=0 flags=RA seq=0 win=0 rtt=7.8 ms
 len=40 ip=192.168.43.1 ttl=64 DF id=+33 sport=0 flags=RA seq=1 win=0 rtt=3.7 ms
 len=40 ip=192.168.43.1 ttl=64 DF id=+48 sport=0 flags=RA seq=2 win=0 rtt=7.6 ms

means the conditions are not met: the -r option makes hping print each IP ID relative to the previous reply, and here the counter jumps by 33 and then 48 between consecutive replies, so the host is either busy or not incrementing by one. In that case choose a different host. [2]

If instead the result is:

  hping3 -r 192.168.43.1

 HPING 192.168.43.1 (wlan0 192.168.43.1): NO FLAGS are set, 40 headers + 0 data bytes
 len=40 ip=192.168.43.1 ttl=64 DF id=64118 sport=0 flags=RA seq=0 win=0 rtt=7.8 ms
 len=40 ip=192.168.43.1 ttl=64 DF id=+1 sport=0 flags=RA seq=1 win=0 rtt=3.7 ms
 len=40 ip=192.168.43.1 ttl=64 DF id=+1 sport=0 flags=RA seq=2 win=0 rtt=7.6 ms

then the host assigns IP IDs sequentially and is not talking to anyone else; it satisfies both conditions and is suitable as an idle scan zombie [2].
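
Deciding from hping3 -r output whether a host qualifies as a zombie, as an added example (not code from the article, from hping or from nmap): it parses the id= token of each reply, turns it into per-reply increments mod 2^16, and maps them onto the three IP ID classes from Computer Networking Basics above. The sample outputs are constructed; the first two reproduce the figures shown on this page, the third is a hypothetical host whose counter crosses the 16-bit wrap, which a naive subtraction would misread as a huge jump.

```python
"""Classify a host's IP ID behaviour from hping3 -r output.

Added example, not part of the original article or of hping. The
sample outputs below are constructed (the first two copy the figures
shown on this page); the parsing relies only on the 'id=' token that
hping3 prints: absolute on the first reply and relative (+N) on the
following ones when -r is given.
"""
import re

IPID_MODULUS = 1 << 16
_ID_RE = re.compile(r"\bid=\s*(\+?)(\d+)")


def ipid_deltas(hping_output):
    """Return the per-reply IP ID increments, mod 2^16, from hping3 text.

    Handles both relative ('id=+1') and absolute ('id=64118') tokens, so
    the same parser also works on output produced without -r.
    """
    deltas = []
    previous_abs = None
    for line in hping_output.splitlines():
        m = _ID_RE.search(line)
        if not m:
            continue                      # banner and summary lines
        relative, value = m.group(1) == "+", int(m.group(2))
        if relative:
            deltas.append(value % IPID_MODULUS)
            previous_abs = None           # -r output stays relative from here on
            continue
        if previous_abs is not None:
            deltas.append((value - previous_abs) % IPID_MODULUS)
        previous_abs = value
    return deltas


def classify_zombie(deltas):
    """Map the increments onto the three IP ID classes used in the text."""
    if not deltas:
        return "insufficient-data"
    if all(d == 1 for d in deltas):
        return "incremental"          # suitable: +1 per packet and idle
    if len(set(deltas)) == 1:
        return "incremental-jump"     # constant step > 1 (e.g. 256): the
                                      # +1/+2 rule must be scaled by the step
    return "random-or-busy"           # unpredictable, or talking to others


def suitable_zombie(hping_output):
    return classify_zombie(ipid_deltas(hping_output)) == "incremental"


# Constructed samples in hping3 -r format.
NOISY = """\
HPING 192.168.43.1 (wlan0 192.168.43.1): NO FLAGS are set, 40 headers + 0 data bytes
len=40 ip=192.168.43.1 ttl=64 DF id=64118 sport=0 flags=RA seq=0 win=0 rtt=7.8 ms
len=40 ip=192.168.43.1 ttl=64 DF id=+33 sport=0 flags=RA seq=1 win=0 rtt=3.7 ms
len=40 ip=192.168.43.1 ttl=64 DF id=+48 sport=0 flags=RA seq=2 win=0 rtt=7.6 ms
"""
QUIET = NOISY.replace("id=+33", "id=+1").replace("id=+48", "id=+1")
# Absolute ids (no -r) straddling the 16-bit wrap, for a hypothetical host 10.0.0.9.
WRAPPING = """\
len=40 ip=10.0.0.9 ttl=64 DF id=65535 sport=0 flags=RA seq=0 win=0 rtt=1.0 ms
len=40 ip=10.0.0.9 ttl=64 DF id=0 sport=0 flags=RA seq=1 win=0 rtt=1.0 ms
len=40 ip=10.0.0.9 ttl=64 DF id=1 sport=0 flags=RA seq=2 win=0 rtt=1.0 ms
"""

if __name__ == "__main__":
    for name, sample in (("noisy", NOISY), ("quiet", QUIET), ("wrapping", WRAPPING)):
        d = ipid_deltas(sample)
        print(f"{name:9s} deltas={d} -> {classify_zombie(d)}")
```

Three replies, as in the page's transcript, are the bare minimum; in practice send a dozen or more probes and repeat the check immediately before scanning, since a host that was idle a minute ago may not be idle now.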

Use

Once a zombie has been found and its IP ID behaviour confirmed, the scan itself can be run. Idle scan is built into the following Linux utilities:

NMAP

Nmap has idle scan built in; it is invoked with [6]:

  $ nmap -P0 -p- -sI 192.168.43.1 192.168.43.5

The first address is the zombie, the second the target. -sI selects the idle scan technique and takes the zombie as its argument; -p- scans all 65535 TCP ports rather than the default list; -P0 (the older spelling of -Pn) skips host discovery, so that Nmap never sends a ping to the target from the attacker's own address. [6]

HPING

hping3 can send a packet to the target on the zombie's behalf. To spoof the source address, write [8]:

  $ hping3 -c 1 -S -a 192.168.43.1 192.168.43.5 -p 80

Here -a sets the spoofed source address (the zombie, the first address) and the target is the second address. -c 1 sends a single packet, -S sets the SYN flag, and -p 80 is the destination port. [8]

The same can be done with hping2:

  $ hping2 --spoof 172.16.0.105 -S 172.16.0.100 -p 22 -c 1

After the forged packet has been sent to the target on the zombie's behalf, check the zombie's IP ID again with the same command, hping3 -r <zombie address>. If the IP ID has grown by 2, the port is open; if by 1, it is closed (or filtered). Any other value means the zombie was exchanging traffic with someone else in the meantime, and the probe must be repeated. Knowing how the IP ID grows and how to send packets from a forged address is all that is needed to tell an open port from a closed one [1].

Applications

The first and most basic is to find out which ports of the host of interest are open while remaining unnoticed: the target only ever sees the zombie's address [1].

Another is to frame the zombie in the eyes of the target, if the target enforces a suitable security policy. For example, the target may be configured to ignore for some time any host that has sent too many SYN packets to different ports (such behaviour is treated as suspicious because this is what a basic port scan looks like); an idle scan makes the zombie the host that gets blocked [1].

A further application is mapping trust relationships between two hosts. Idle scan really determines whether a port is open to the zombie, not to the scanning host, so a service that is firewalled off from the attacker but reachable from the zombie shows up as open [1].

The predictability of the IP ID sequence is also used for operating system fingerprinting, since different operating systems use different IP ID assignment algorithms [9].

Protection

This and other stealthy scans can be detected with modern network intrusion detection and prevention systems (IDS, IPS, NIDS), for example open source tools such as Snort or Bro. In addition, a number of measures can be taken by different parties [1]:

  • Network administrators
    • Configure the firewall to drop incoming packets with forged source addresses (for example, packets arriving from outside that claim an internal source). Most firewalls support this.
    • Implement egress filtering so that forged packets cannot leave the network. This prevents local users from mounting this kind of attack.
  • Internet service providers
    • Egress filtering that stops forged packets leaving customer networks. This also helps against IP spoofing attacks in general.
  • OS developers
    • Randomise the IP ID sequence. OpenBSD does this, for example. It is harder than it sounds, because the sequence must not repeat and a given value must not be reused within a short period.

See also

  • Information Security
  • Transmission control protocol
  • Port scanner
  • Vulnerability Scanners
  • Nmap

Notes

  1. ↑ Gordon "Fyodor" Lyon. Idle Scanning and related IPID games.
  2. ↑ Gordon "Fyodor" Lyon. Nmap Reference Guide. Chapter 5. Port Scanning Techniques and Algorithms (2009).
  3. ↑ IETF. Updated Specification of the IPv4 ID Field (2013).
  4. ↑ Network Working Group, M. West. Behavior of TCP/IP Fields, section 4.1.3 (2006).
  5. ↑ ISI USC. INTERNET PROTOCOL (1981).
  6. ↑ NMAP Official Website.
  7. ↑ Gordon "Fyodor" Lyon. Nmap Reference Guide. Chapter 15. Port Scanning Techniques (2009).
  8. ↑ Official site of HPING.
  9. ↑ Gordon "Fyodor" Lyon. Nmap Reference Guide. Chapter 8. Remote OS Detection (2009).

Literature

  • Jon Erickson. Hacking: The Art of Exploitation. - No Starch Press, 2008. - 472 p. - ISBN 1-59327-144-1. - ISBN 978-1-59327-144-2.

Links

  • Insecure.org/nmap/idlescan - Detailed Method Description
  • Idle Port Scanning and Non-interference Analysis of Network Protocol - Method Improvement
  • Nmap.online-domain-tools.com - Online Nmap Scanner
Source - https://ru.wikipedia.org/w/index.php?title=Idle_scan&oldid=93195337



Clever Geek | 2019