
How to use idle scanning for information collection by Nmap

2025-01-14 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)05/31 Report--

This article is about how Nmap uses idle scanning to collect information. The editor thinks it is very practical, so it is shared here; I hope you get something out of it. Let's go through it together.

Introduction

During a penetration test we often rely on Nmap to collect information, but Nmap has one serious drawback: it sends a large number of packets while probing, which generates a lot of traffic. That traffic easily alerts the target and can even be traced back to the penetration tester's real IP address, which is obviously not what we want. So how can we hide our real IP and still complete the information-gathering task? This is where Nmap's idle scanning technique comes in. If you do not know it yet, you will after reading this article.

Introduction to idle scanning

Idle scanning is a very powerful technique. Nmap uses an idle host so that the target sees the idle host's IP address as the source of the scan, which hides the real IP address of the scanning machine.

Idle scan usage steps

Prepare idle hosts (zombie hosts)

01 Know what an idle host is

An idle host is a machine whose IP address can be used as the spoofed source address of the scan and whose IP ID sequence numbers are predictable (it increments the IP ID by a fixed step for every packet it sends).

02 Find an idle host

To find an idle host, we can use the ipidseq script that ships with Nmap. There are two ways to search. The first is to scan an entire network segment, which probes the segment our own host is on for idle hosts; the command is: nmap -p80 --open --script ipidseq <your-network-address>/24 (the network address is a placeholder; fill in your own segment). The second is random scanning on the Internet, which looks for idle hosts at random addresses; the command is: nmap -p80 --open --script ipidseq -iR 200. (The -iR option selects targets at random and 200 is the number of random targets; --open keeps only hosts on which the port is open.)

(Note: the script output shown in the figure is for reference only. An idle scan involves many uncertainties, and a host reported by the script is not guaranteed to work as an idle host.)

03 Determine the target

Before starting the idle scan we need to decide what it will be aimed at, for example a specific website or a specific IP address.

04 Start the idle scan

To start the idle scan, only the following command is needed: nmap -Pn -sI <idle host> <target> (the two arguments are placeholders for the idle host and the target; the -sI option invokes idle scanning and -Pn disables host discovery). When an idle host picked at random from the Internet is used, the network path between the idle host and the target may be long, so the idle host's communication is delayed and the idle scan may ultimately fail. It is recommended to use an idle host on the same network segment as the target host, which gives a much higher probability of success.

Example: probing Metasploitable2.

Environment:
Target machine: Metasploitable2, IP 192.168.17.136
Attacking machine: Kali 2017, IP 192.168.17.134

First, run an idle scan through the idle host, as shown in the figure:

Then run a normal scan from the local machine (Kali), as shown in the figure:

The result of probing through the idle host is consistent with that of probing from the real host, but the idle scan achieves the goal of hiding our real IP. As for why, capturing the traffic with Wireshark shows that during the idle scan the only traffic is between the local machine and the idle host, and between the idle host and the target; there is no traffic between the local machine and the target. During the normal scan, by contrast, there is direct traffic between the local machine and the target.

Error resolution

You may encounter the following errors when doing an idle scan:

1. A firewall intercepts the packets.

2. The destination host discards the packets.

3. The idle host (the proxy) is not available.

(The solution is to switch to a different idle host.)

Working principle

Idle scanning was first described by Salvatore Sanfilippo, the author of hping, in 1998. It is a very covert scanning technique; the -sI flag tells Nmap to use it. Background: every IP packet on the Internet carries a fragment identification number (IP ID). Many operating systems simply increment this number for each packet they send, so sampling a host's latest IP ID tells an observer how many packets that host has sent in the meantime.

Idle scan workflow:

1. Determine the IP ID sequence number of the zombie host.

2. Nmap sends a forged SYN packet to the target that appears to come from the idle host.

3. If the port is open, the target sends a SYN/ACK to the idle host; the idle host answers with a RST and thereby increments its IP ID sequence number.

4. Nmap probes the idle host again and analyzes the increment of its IP ID sequence number to tell whether a SYN/ACK arrived from the target, and so determines the port state.
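The IP ID side channel behind the four steps above, simulated in Python as an added example. This is not code from the article or from the Nmap project, and it sends no packets: the zombie, the target and every IP ID value are constructed objects. It contains a classifier for sampled IP ID sequences, modelled on the kinds of sequence the ipidseq script distinguishes (the labels are this example's own), and a model of one idle-scan round. Two of the uncertainties the article mentions are reproduced: an "idle" host that sends other traffic during the round corrupts the count, and a host with randomized IP IDs, which is the default on most modern operating systems and is the mitigation against being used as a zombie, gives no usable signal.

```python
"""Model of the IP ID side channel behind an idle scan.

Added example; not code from the article or from Nmap. Nothing here
touches the network: the zombie, the target and all IP ID values are
constructed objects used only to show how the inference works.
"""
from dataclasses import dataclass, field
import random


def classify_ipid_sequence(ids):
    """Label a sampled IP ID sequence (labels are this example's own,
    modelled on the kinds of sequence the ipidseq script distinguishes).
    Only an "incremental" host is usable as a zombie."""
    if len(ids) < 2:
        raise ValueError("need at least two IP ID samples")
    if all(i == 0 for i in ids):
        return "all zeros"
    deltas = [(b - a) % 65536 for a, b in zip(ids, ids[1:])]  # 16-bit wraparound
    if all(d == 0 for d in deltas):
        return "constant"
    if all(1 <= d <= 5 for d in deltas):
        return "incremental"
    return "random"


@dataclass
class Zombie:
    """Idle host. A classic zombie increments its IP ID by one per packet sent;
    a host with randomized IP IDs (the usual mitigation) leaks nothing."""
    ipid: int = 1000
    randomized: bool = False

    def send(self):
        """Emit one packet and return the IP ID it carries."""
        self.ipid = random.randrange(65536) if self.randomized else (self.ipid + 1) % 65536
        return self.ipid

    def probe(self):
        """Scanner sends a SYN/ACK to the zombie; it answers RST, spending one IP ID."""
        return self.send()

    def receive_from_target(self, reply):
        """The target's reaction to the spoofed SYN lands on the zombie.
        An unexpected SYN/ACK makes it send a RST; a RST or silence does not."""
        if reply == "SYN/ACK":
            self.send()


@dataclass
class Target:
    open_ports: set
    filtered_ports: set = field(default_factory=set)

    def respond_to_spoofed_syn(self, port):
        """What the target sends back to the spoofed source (the zombie)."""
        if port in self.filtered_ports:
            return None          # dropped by a firewall: no reply at all
        return "SYN/ACK" if port in self.open_ports else "RST"


def idle_scan_port(zombie, target, port, background=0):
    """One idle-scan round for a single port.

    background = number of unrelated packets the zombie happens to send
    during the round (a busy "idle" host); it corrupts the count."""
    before = zombie.probe()
    zombie.receive_from_target(target.respond_to_spoofed_syn(port))
    for _ in range(background):
        zombie.send()
    after = zombie.probe()
    delta = (after - before) % 65536
    if delta == 1:
        return "closed|filtered"   # only our own probe consumed an IP ID
    if delta == 2:
        return "open"              # the zombie also answered the target's SYN/ACK
    return "unknown"               # noisy or randomized zombie: no usable signal


def scan_ports(zombie, target, ports):
    """Idle-scan several ports and map each to its inferred state."""
    return {port: idle_scan_port(zombie, target, port) for port in ports}


if __name__ == "__main__":
    # Constructed samples: only the incrementing host is a candidate zombie.
    for sample in ([500, 501, 502, 503], [9, 9, 9], [0, 0, 0], [12, 47000, 3, 61000]):
        print(sample, "->", classify_ipid_sequence(sample))
    target = Target(open_ports={22, 80}, filtered_ports={443})
    print(scan_ports(Zombie(), target, [22, 23, 80, 443]))
    print("busy zombie, closed port 23:", idle_scan_port(Zombie(), target, 23, background=1))
    print("randomized zombie, open port 80:", idle_scan_port(Zombie(randomized=True), target, 80))
```

Note that the busy-zombie case does not merely fail: one stray packet from the zombie turns a closed port into a false "open" result, which is why the article insists on a truly idle host and on a zombie close to the target. From the defender's side, the same model shows what the target actually sees: the spoofed SYNs carry the zombie's address, so a scan log on the target points at the zombie rather than the scanner, while randomizing IP IDs on one's own hosts removes them as usable zombies.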

This is how Nmap uses idle scanning to collect information. The editor believes some of these points may come up in your daily work, and hopes you have learned something from this article. For more details, please follow the industry information channel.
