
We're learning nmap in my ethical hacking class. We were shown how we can use nmap to perform a zombie scan:

nmap -PN -sI zombieIP targetIP

and decoy scan:

nmap -p 135 -D decoyIP targetIP

I understand what they do, but the lecturer didn't go into details on how it works. I'm curious to understand, how exactly can nmap tell zombieIP (or decoyIP) to perform a scan on targetIP?

Juicy
    [NMAP Official Book](http://www.amazon.com/Nmap-Network-Scanning-Official-Discovery/dp/0979958717) is a great read. Breaks everything down and explains mechanics behind NMAP as well as port scanning in general. – Rubber Duck Nov 12 '13 at 20:39
  • @RubberDuck Good suggestion! Much of the book is [available online](http://nmap.org/book/). Please note that the name of the program is Nmap, not NMAP. – bonsaiviking Nov 12 '13 at 21:33

2 Answers


The basic idea of a Zombie or Idle scan is to send source-spoofed packets to the target, then observe some state change in the TCP/IP stack of the machine with the spoofed source address. The original method, discovered in 1998, used the IP ID field to observe the state.

Nmap's -sI Idle Scan is a good implementation that is able to query the Zombie/Idle host to determine its algorithm for incrementing the IP ID field; in some cases, it increments by 2 or by 256. It is up to the user to choose an appropriate Zombie host. By performing a scan with the -O (OS fingerprinting) and -v (verbose) flags, the user can find machines which have an incremental IP ID sequence, then target them with Nping or another packet crafting tool to identify those that are not experiencing a lot of traffic. The "Idle" part of the scan means that the Zombie must be mostly idle (not communicating with other hosts) in order for the scan to work. Finally, the scan is conducted using a command like you posted: nmap -Pn -sI zombieIP targetIP

The technique goes something like this:

  1. Nmap probes the Zombie to determine its IP ID sequence class and the current value it is using.
  2. Nmap then sends TCP SYN packets to various ports on the target, but spoofs the source address to be that of the Zombie.
  3. During the scan, Nmap continually probes the Zombie to find out how many packets it has sent. Expecting one packet per probe, if it finds that two packets have been sent, it can assume that the other one was a RST packet in response to the target's SYN/ACK, indicating an open port.

In version 6.45, Nmap added the ability to do Idle scans over IPv6. The technique is similar, but uses the IPv6 Fragmentation ID field instead. The technique was discovered by Mathias Morbitzer, and will be available in the next release of Nmap.


Decoy scans are a much-less-interesting technique. All packets originate from your scanning machine, but some have spoofed source addresses. Any replies to these spoofed sources will not arrive at your scanner, so they cannot be used to determine port states. This technique only serves to confuse port scan detection, and does not offer any information beyond a regular scan.

bonsaiviking

The scan techniques are explained very well in the nmap manual: Port Scanning Techniques

It is interesting to run Wireshark while you're running a port scan - you can see the exact packets being sent and received and learn how it really works.

paj28
    Or just run `nmap` with the `--packet-trace` flag... No need for wireshark. –  Nov 13 '13 at 03:29
  • run it on a target machine ? that's so cool, thanks for the tip. – code-8 Mar 30 '20 at 23:06
  • @cyber8200 - I meant run it on your local machine, but yeah, in a lab environment you can run it on the target too – paj28 Mar 31 '20 at 01:12