IdleScan (-sI <zombie host:[probeport]>)
Requires Privileged Access: YES
Identifies TCP Ports: YES
Identifies UDP Ports: NO

Nmap's idlescan is an ingenious way of scanning a remote device. Nmap uses idlescan to gather port information through another station on the network, so the scan appears to originate from this third-party IP address instead of from the nmap station. Although this seems complex, it's a simple process of examining the sequence of IP identification (IPID) values (the field used for fragment reassembly) and spoofing the source IP address.

Idlescan Operation
Before launching an idlescan, a "zombie" station must be identified. This third station will be the pivot point of the idlescan. There are two important requirements associated with this station:
  • The unsuspecting zombie station must be idle (thus the name "idlescan"). The idlescan needs an idle zombie workstation to ensure that the zombie's IPID values remain consistent throughout the duration of the scan.

  • The zombie station must provide consistent and predictable IP identification (IPID) values. If the operating system of the zombie does not provide predictable IPIDs, nmap will provide a warning before the scan begins:

          WARNING: Idlescan has erroneously detected phantom ports -- is the proxy
          ( really idle?

    If the scan cannot complete because of too many inconsistencies, nmap provides a final error message:

          Idlescan is unable to obtain meaningful results from proxy
          (  I'm sorry it didn't work out.

The target of the scan can be any system. These two requirements apply only to the zombie station.
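The second requirement is the one a defender can audit: sample the IPID field of packets a host emits and check whether the values are predictable. The following is an added example, not code from the tutorial or from nmap. The class names are a simplified scheme loosely modelled on the "Class: Incremental" line nmap prints, not nmap's own classifier, and the sample IPID sequences are constructed rather than captured from any real host.

```python
"""Classify an observed sequence of IP identification (IPID) values.

A host whose IPID counts up by a small step on every packet it sends can be
read remotely, which is what makes it usable as an idle-scan zombie. Sampling
your own hosts this way tells you which ones to fix (or to expect to see
named as the apparent source of someone else's scan).
"""


def ipid_deltas(ids):
    """Differences between consecutive IPIDs, modulo the 16-bit field width."""
    return [(b - a) % 65536 for a, b in zip(ids, ids[1:])]


def classify_ipid(ids, max_step=10):
    """Return one of: 'unknown', 'all-zero', 'constant', 'incremental',
    'little-endian-incremental', 'randomized'.

    max_step bounds how much the counter may grow between two sampled packets;
    a truly idle host should show steps of exactly 1 (simplified scheme, assumed).
    """
    if len(ids) < 3:
        return "unknown"
    if all(i == 0 for i in ids):
        return "all-zero"
    deltas = ipid_deltas(ids)
    if all(d == 0 for d in deltas):
        return "constant"
    # Small positive steps: a global counter, every packet the host emits is visible.
    if all(1 <= d <= max_step for d in deltas):
        return "incremental"
    # Some stacks put the counter on the wire byte-swapped, so it appears to
    # grow by 256 per packet; swap the bytes back and test again.
    swapped = [((i & 0xFF) << 8) | (i >> 8) for i in ids]
    if all(1 <= d <= max_step for d in ipid_deltas(swapped)):
        return "little-endian-incremental"
    return "randomized"


def usable_as_zombie(ids):
    """Only the incrementing classes leak per-packet information to a remote observer."""
    return classify_ipid(ids) in ("incremental", "little-endian-incremental")


# Constructed samples (not captured from any real host).
INCREMENTAL_SAMPLE = [1033, 1034, 1035, 1036, 1037]
RANDOM_SAMPLE = [26267, 11144, 60001, 842, 31337]
SWAPPED_SAMPLE = [0x0904, 0x0A04, 0x0B04, 0x0C04]  # 0x0409, 0x040A, ... once byte-swapped

if __name__ == "__main__":
    for name, sample in (("incremental", INCREMENTAL_SAMPLE),
                         ("random", RANDOM_SAMPLE),
                         ("swapped", SWAPPED_SAMPLE)):
        print(f"{name:12s} -> {classify_ipid(sample)} "
              f"(usable as zombie: {usable_as_zombie(sample)})")
```

In practice the IPIDs would come from a packet capture of the host's outbound traffic; an incrementing class on a host that is reachable from untrusted networks is a finding worth fixing, and modern operating systems randomize or zero the field for exactly this reason.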

To begin the idlescan process, nmap first sends a SYN/ACK to the zombie workstation to induce an RST in return. This RST frame contains the initial IPID that nmap will remember for later.

Source         Destination    Summary 
[]  []  IP:  D=[] S=[] LEN=20 ID=26267
[]  []  IP:  D=[] S=[] LEN=20 ID=1033 <--
Nmap now sends a SYN frame to the destination address, but nmap spoofs the IP address to make it seem as if the SYN frame was sent from the zombie workstation. If this SYN frame is sent to one of the destination's open ports, the destination address will respond with a SYN/ACK to the previously-spoofed zombie workstation. The zombie workstation won't be expecting the SYN/ACK (after all, it never really sent the SYN), so the zombie will respond to the destination station with a RST. The RST response will, as expected, increment the zombie's IPID.

Source        Destination   Summary
[] [] TCP: D=135 S=80 SYN SEQ=3699814101 LEN=0 WIN=4096
[] [] TCP: D=80 S=135 SYN ACK=3699814102 SEQ=2088485221 LEN=0 WIN=65535
[] [] TCP: D=135 S=80 RST WIN=0 / IP: ID=1034 <--
The final step in the idlescan is for nmap to repeat the original SYN/ACK probe of the zombie station. If the IPID has incremented, then the port that was spoofed in the original SYN frame is open on the destination device. If the IPID has not incremented, then the port is not open: a closed port answers the spoofed SYN with an RST, which the zombie silently ignores, and a filtered port answers with nothing at all, so in neither case does the zombie send a packet of its own. This is why nmap reports those ports as closed|filtered rather than distinguishing the two.
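Seen from the zombie, the exchange above is a SYN/ACK arriving for a connection the zombie never opened, followed by its own RST. That is the signal a host-based sensor on a potential zombie can alert on. The following is an added example, not code from the tutorial or from nmap: it parses summary lines in the same sniffer-style format the tutorial quotes (TCP: D=<port> S=<port> <flags> ...) and reports SYN/ACKs delivered to a monitored host that no earlier outbound SYN explains. The trace, the addresses (RFC 5737 documentation ranges) and the line format are constructed for the example.

```python
"""Flag unsolicited SYN/ACKs in a packet summary trace.

A sensor on the zombie never sees the spoofed SYN (it left the scanner's
network, not the zombie's), so every SYN/ACK the target returns is unmatched.
A sensor near the target sees the SYN as well and the exchange looks like an
ordinary half-open probe from the zombie's address; only correlating the two
vantage points shows the spoof.
"""
import re

ZOMBIE = "192.0.2.10"       # constructed: the idle host being watched
TARGET = "198.51.100.20"    # constructed: the scanned host
OTHER = "198.51.100.30"     # constructed: a host the zombie legitimately talks to

# Constructed trace as captured on the zombie itself: the spoofed SYN is absent.
ZOMBIE_TRACE = f"""\
{TARGET} {ZOMBIE} TCP: D=80 S=135 SYN ACK=3699814102 SEQ=2088485221 LEN=0 WIN=65535
{ZOMBIE} {TARGET} TCP: D=135 S=80 RST WIN=0
{ZOMBIE} {OTHER} TCP: D=22 S=5001 SYN SEQ=1 LEN=0 WIN=4096
{OTHER} {ZOMBIE} TCP: D=5001 S=22 SYN ACK=2 SEQ=9 LEN=0 WIN=65535
{ZOMBIE} {OTHER} TCP: D=22 S=5001 ACK=10 SEQ=2 LEN=0 WIN=4096
"""

# The same probe as captured near the target: the spoofed SYN is on the wire.
TARGET_SIDE_TRACE = f"""\
{ZOMBIE} {TARGET} TCP: D=135 S=80 SYN SEQ=3699814101 LEN=0 WIN=4096
{TARGET} {ZOMBIE} TCP: D=80 S=135 SYN ACK=3699814102 SEQ=2088485221 LEN=0 WIN=65535
{ZOMBIE} {TARGET} TCP: D=135 S=80 RST WIN=0
"""

LINE_RE = re.compile(
    r"^(?P<src>\S+)\s+(?P<dst>\S+)\s+TCP:\s+D=(?P<dport>\d+)\s+S=(?P<sport>\d+)\s*(?P<rest>.*)$"
)
FLAG_NAMES = {"SYN", "ACK", "RST", "FIN"}


def parse_line(line):
    """Parse one summary line into a dict, or return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # Flags appear as bare tokens (SYN, RST) or as NAME=value tokens (ACK=..., which
    # means the ACK flag is set and carries that acknowledgement number).
    flags = {tok.split("=", 1)[0] for tok in m["rest"].split()} & FLAG_NAMES
    return {"src": m["src"], "dst": m["dst"],
            "sport": int(m["sport"]), "dport": int(m["dport"]),
            "flags": frozenset(flags)}


def parse_trace(text):
    return [p for p in (parse_line(l) for l in text.splitlines()) if p]


def unsolicited_synacks(packets, host):
    """SYN/ACKs delivered to host for which no earlier SYN from host was seen."""
    sent_syns = set()
    alerts = []
    for p in packets:
        if p["src"] == host and p["flags"] == {"SYN"}:
            sent_syns.add((p["dst"], p["dport"], p["sport"]))
        elif p["dst"] == host and {"SYN", "ACK"} <= p["flags"]:
            if (p["src"], p["sport"], p["dport"]) not in sent_syns:
                alerts.append(p)
    return alerts


def reset_replies(packets, host, alerts):
    """RSTs host sent back to the peers that delivered unsolicited SYN/ACKs."""
    peers = {(a["src"], a["sport"], a["dport"]) for a in alerts}
    return [p for p in packets
            if p["src"] == host and "RST" in p["flags"]
            and (p["dst"], p["dport"], p["sport"]) in peers]


if __name__ == "__main__":
    pkts = parse_trace(ZOMBIE_TRACE)
    hits = unsolicited_synacks(pkts, ZOMBIE)
    for a in hits:
        print(f"unsolicited SYN/ACK from {a['src']}:{a['sport']} to port {a['dport']}")
    print(f"{len(reset_replies(pkts, ZOMBIE, hits))} RST(s) sent in reply")
    print("target-side alerts:", unsolicited_synacks(parse_trace(TARGET_SIDE_TRACE), ZOMBIE))
```

Each RST the zombie sends in reply is one IPID increment the scanner reads, so the count from reset_replies is also a count of how many bits of information leaked. A steady trickle of these alerts on an otherwise quiet host is a strong indication it is being used as a zombie, and the peer addresses in the alerts are the hosts actually being scanned.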

Source        Destination   Summary
[] [] IP:  D=[] S=[] LEN=20 ID=11144
[] [] IP:  D=[] S=[] LEN=20 ID=1035 <--
This nmap output shows the results of the idlescan. One of the first messages from nmap is a warning that the nmap station will ping the destination device unless the -P0 parameter is specified. If it's important to minimize network visibility, the -P0 suggestion is a good idea!
# nmap -v -sI
WARNING: Many people use -P0 w/Idlescan to prevent pings from their true IP.  On the 
other hand, timing info Nmap gains from pings can allow for faster, more
reliable scans.

Starting nmap 3.81 ( ) at 2005-04-24 15:25 EDT
Idlescan using zombie (; Class: Incremental
Initiating Idlescan against
Discovered open port 135/tcp on
Discovered open port 6969/tcp on
Discovered open port 445/tcp on
Discovered open port 139/tcp on
The Idlescan took 9 seconds to scan 1663 ports.
Host appears to be up ... good.
Interesting ports on
(The 1659 ports scanned but not shown below are in state: closed|filtered)
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
6969/tcp open  acmsoda
MAC Address: 00:11:43:43:A8:34 (Dell   (WW Pcba Test))

Nmap finished: 1 IP address (1 host up) scanned in 12.629 seconds
               Raw packets sent: 3743 (150KB) | Rcvd: 191 (8786B)