IdleScan (-sI <zombie host:[probeport]>)
Requires Privileged Access: YES
Identifies TCP Ports: YES
Identifies UDP Ports: NO

Nmap's idlescan is an ingenious way of scanning a remote device. Nmap uses idlescan to gather port information by way of another station on the network, so the scan appears to originate from this third-party IP address instead of from the nmap station. Although this seems complex, it's a simple process of examining the IP identification (IPID) sequence of that third party and spoofing the source IP address.


Idlescan Operation
Before launching an idlescan, a "zombie" station must be identified. This third station will be the pivot point of the idlescan. There are two important requirements associated with this station:
  • The unsuspecting zombie station must be idle (thus the name "idlescan"). The idlescan needs an idle zombie workstation to ensure that the IP identification values will remain predictable throughout the duration of the scan.

  • The zombie station must provide consistent and predictable IP identification (IPID) values. If the operating system of the zombie does not provide predictable IPIDs, nmap will provide a warning before the scan begins:

          WARNING: Idlescan has erroneously detected phantom ports -- is the proxy
          192.168.0.7 (192.168.0.7) really idle?

    If the scan cannot complete because of too many inconsistencies, nmap provides a final error message:

          Idlescan is unable to obtain meaningful results from proxy 192.168.0.7
          (192.168.0.7).  I'm sorry it didn't work out.
          QUITTING!

The target of the scan can be any system. These two requirements apply only to the zombie station.

To begin the idlescan process, nmap first sends a SYN/ACK to the zombie workstation to induce a RST in return. This RST frame contains the initial IPID that nmap will remember for later.

sI_basic_ipid_check
Source         Destination    Summary 
--------------------------------------------------------------------------------------
[192.168.0.8]  [192.168.0.7]  IP:  D=[192.168.0.7] S=[192.168.0.8] LEN=20 ID=26267
[192.168.0.7]  [192.168.0.8]  IP:  D=[192.168.0.8] S=[192.168.0.7] LEN=20 ID=1033 <--

Nmap now sends a SYN frame to the destination address, but spoofs the source IP address so that the SYN appears to come from the zombie workstation. If this SYN frame is sent to one of the destination's open ports, the destination will respond with a SYN/ACK to the spoofed source, the zombie workstation. The zombie won't be expecting the SYN/ACK (after all, it never really sent the SYN), so it responds to the destination station with a RST. That RST, as expected, increments the zombie's IPID.

sI_basic_spoof
Source        Destination   Summary
--------------------------------------------------------------------------------------
[192.168.0.7] [192.168.0.5] TCP: D=135 S=80 SYN SEQ=3699814101 LEN=0 WIN=4096
[192.168.0.5] [192.168.0.7] TCP: D=80 S=135 SYN ACK=3699814102 SEQ=2088485221 LEN=0 WIN=65535
[192.168.0.7] [192.168.0.5] TCP: D=135 S=80 RST WIN=0 / IP: ID=1034 <--

The final step in the idlescan is for nmap to repeat the original SYN/ACK probe of the zombie station. If the IPID has advanced by two (in the traces above, from 1033 to 1035: one increment for the RST the zombie sent to the destination and one for its reply to this probe), then the port that was spoofed in the original SYN frame is open on the destination device. If the IPID has advanced by only one (the reply to this probe alone), then the port is not open; nmap reports such ports as closed|filtered.

sI_basic_ipid_change
Source        Destination   Summary
--------------------------------------------------------------------------------------
[192.168.0.8] [192.168.0.7] IP:  D=[192.168.0.7] S=[192.168.0.8] LEN=20 ID=11144
[192.168.0.7] [192.168.0.8] IP:  D=[192.168.0.8] S=[192.168.0.7] LEN=20 ID=1035 <--
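
The inference across the three traces above, as an added example (this code is not from the book or from nmap): it pulls the zombie's IPIDs out of the probe replies and applies the delta rule, with the addresses and IPID values taken from the traces and the sniffer lines re-typed as constructed input. A delta other than one or two is the situation that nmap's phantom-port warning describes.

```python
import re
# Constructed copies of the three sniffer traces above (addresses and IPID
# values as printed on the page); a real run would read a capture instead.
NMAP_STATION = "192.168.0.8"
ZOMBIE = "192.168.0.7"
TRACE = [
    "[192.168.0.8] [192.168.0.7] IP: D=[192.168.0.7] S=[192.168.0.8] LEN=20 ID=26267",
    "[192.168.0.7] [192.168.0.8] IP: D=[192.168.0.8] S=[192.168.0.7] LEN=20 ID=1033",
    "[192.168.0.7] [192.168.0.5] TCP: D=135 S=80 SYN SEQ=3699814101 LEN=0 WIN=4096",
    "[192.168.0.5] [192.168.0.7] TCP: D=80 S=135 SYN ACK=3699814102 SEQ=2088485221 LEN=0 WIN=65535",
    "[192.168.0.7] [192.168.0.5] TCP: D=135 S=80 RST WIN=0 / IP: ID=1034",
    "[192.168.0.8] [192.168.0.7] IP: D=[192.168.0.7] S=[192.168.0.8] LEN=20 ID=11144",
    "[192.168.0.7] [192.168.0.8] IP: D=[192.168.0.8] S=[192.168.0.7] LEN=20 ID=1035",
]
LINE_RE = re.compile(r"^\[([\d.]+)\]\s+\[([\d.]+)\]\s+(.*)$")  # "[src] [dst] summary"
ID_RE = re.compile(r"\bID=(\d+)")                              # IP identification field

def probe_reply_ipids(lines, zombie, scanner):
    """IPIDs of the zombie's replies to the scanner's probes, in order.
    The zombie's RST to the target is not counted: nmap never sees that
    frame, only its effect on the next probe reply."""
    ids = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        src, dst, summary = m.groups()
        idm = ID_RE.search(summary)
        if src == zombie and dst == scanner and idm:
            ids.append(int(idm.group(1)))
    return ids

def classify_port(ipid_before, ipid_after):
    """+1: only the reply to the second probe, nothing answered the spoofed SYN.
    +2: one extra RST left the zombie, so the target sent it a SYN/ACK (open)."""
    delta = (ipid_after - ipid_before) & 0xFFFF  # 16-bit field, may wrap
    if delta == 2:
        return "open"
    if delta == 1:
        return "closed|filtered"
    # Other traffic moved the counter: the zombie is not idle or its IPIDs are
    # not incremental, which is what nmap's "phantom ports" warning reports.
    return "inconsistent"

def infer_from_trace(lines, zombie=ZOMBIE, scanner=NMAP_STATION):
    ids = probe_reply_ipids(lines, zombie, scanner)
    if len(ids) < 2:
        raise ValueError("need a probe reply before and after the spoofed SYN")
    return classify_port(ids[0], ids[-1])
```

Run against the embedded trace it returns "open" for port 135, matching the nmap output that follows.
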
This nmap output shows the results of the idlescan. One of the first messages from nmap is a warning that the nmap station will ping the destination device unless the -P0 parameter is specified. If it's important to minimize network visibility, the -P0 suggestion is a good idea!

# nmap -v -sI 192.168.0.7 192.168.0.5
WARNING: Many people use -P0 w/Idlescan to prevent pings from their true IP.  On the 
other hand, timing info Nmap gains from pings can allow for faster, more
reliable scans.

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-04-24 15:25 EDT
Idlescan using zombie 192.168.0.7 (192.168.0.7:80); Class: Incremental
Initiating Idlescan against 192.168.0.5
Discovered open port 135/tcp on 192.168.0.5
Discovered open port 6969/tcp on 192.168.0.5
Discovered open port 445/tcp on 192.168.0.5
Discovered open port 139/tcp on 192.168.0.5
The Idlescan took 9 seconds to scan 1663 ports.
Host 192.168.0.5 appears to be up ... good.
Interesting ports on 192.168.0.5:
(The 1659 ports scanned but not shown below are in state: closed|filtered)
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
6969/tcp open  acmsoda
MAC Address: 00:11:43:43:A8:34 (Dell   (WW Pcba Test))

Nmap finished: 1 IP address (1 host up) scanned in 12.629 seconds
               Raw packets sent: 3743 (150KB) | Rcvd: 191 (8786B)
#