How Idlescan REALLY Works
Although the basic idlescan process is outlined above, nmap's actual procedure is technically similar but substantially reworked to make the overall idlescan method more efficient. Instead of working one port at a time, nmap spoofs the SYN frames and checks the zombie station's IPID in blocks of port numbers.

The explanation that follows is a packet-by-packet description of an idlescan session captured from the network. This process is lengthy, but there are some interesting insights hidden deep within this packet decode. There are a few surprises found in the network trace that aren't visible in the final nmap output!

Idlescan Preparation
To check a prospective zombie workstation, nmap first sends a series of SYN/ACK frames to it and watches the RST responses to see whether the IPIDs increment consistently. At this point the idlescan process has not yet communicated with the destination station at all.

The trace file shows the zombie's IPID incrementing by exactly one (1023 through 1028) across its six RST replies to the six SYN/ACK frames:
Source         Destination    Summary 
--------------------------------------------------------------------------------------
[192.168.0.8]  [192.168.0.7]  IP:  D=[192.168.0.7] S=[192.168.0.8] LEN=20 ID=51592
[192.168.0.7]  [192.168.0.8]  IP:  D=[192.168.0.8] S=[192.168.0.7] LEN=20 ID=1023 <--
[192.168.0.8]  [192.168.0.7]  IP:  D=[192.168.0.7] S=[192.168.0.8] LEN=20 ID=12012
[192.168.0.7]  [192.168.0.8]  IP:  D=[192.168.0.8] S=[192.168.0.7] LEN=20 ID=1024 <--
[192.168.0.8]  [192.168.0.7]  IP:  D=[192.168.0.7] S=[192.168.0.8] LEN=20 ID=29228
[192.168.0.7]  [192.168.0.8]  IP:  D=[192.168.0.8] S=[192.168.0.7] LEN=20 ID=1025 <--
[192.168.0.8]  [192.168.0.7]  IP:  D=[192.168.0.7] S=[192.168.0.8] LEN=20 ID=50056
[192.168.0.7]  [192.168.0.8]  IP:  D=[192.168.0.8] S=[192.168.0.7] LEN=20 ID=1026 <--
[192.168.0.8]  [192.168.0.7]  IP:  D=[192.168.0.7] S=[192.168.0.8] LEN=20 ID=36306
[192.168.0.7]  [192.168.0.8]  IP:  D=[192.168.0.8] S=[192.168.0.7] LEN=20 ID=1027 <--
[192.168.0.8]  [192.168.0.7]  IP:  D=[192.168.0.7] S=[192.168.0.8] LEN=20 ID=61468
[192.168.0.7]  [192.168.0.8]  IP:  D=[192.168.0.8] S=[192.168.0.7] LEN=20 ID=1028 <--
Having successfully tested source-to-zombie communication, nmap then spoofs the IP address of the destination station and repeats the process four times. The trace file shows frames from the "fake" 192.168.0.5 address arriving at the zombie, followed by the zombie's response to each one. Notice that the zombie's response goes to the REAL 192.168.0.5 workstation, not back to the scanner that spoofed the address. The station that forged the source address never sees the resulting frame:

Source         Destination    Summary 
--------------------------------------------------------------------------------------
[192.168.0.5]  [192.168.0.7]  IP:  D=[192.168.0.7] S=[192.168.0.5] LEN=20 ID=3940
[192.168.0.7]  [192.168.0.5]  IP:  D=[192.168.0.5] S=[192.168.0.7] LEN=20 ID=1029 <--  
[192.168.0.5]  [192.168.0.7]  IP:  D=[192.168.0.7] S=[192.168.0.5] LEN=20 ID=38034
[192.168.0.7]  [192.168.0.5]  IP:  D=[192.168.0.5] S=[192.168.0.7] LEN=20 ID=1030 <--
[192.168.0.5]  [192.168.0.7]  IP:  D=[192.168.0.7] S=[192.168.0.5] LEN=20 ID=9069
[192.168.0.7]  [192.168.0.5]  IP:  D=[192.168.0.5] S=[192.168.0.7] LEN=20 ID=1031 <--
[192.168.0.5]  [192.168.0.7]  IP:  D=[192.168.0.7] S=[192.168.0.5] LEN=20 ID=30373
[192.168.0.7]  [192.168.0.5]  IP:  D=[192.168.0.5] S=[192.168.0.7] LEN=20 ID=1032 <--
Nmap cannot tell whether the spoofed probes reached the zombie, because the zombie's replies went to 192.168.0.5 and never back to the scanner. Nmap therefore queries the zombie once more for an update on the IPID:

Source         Destination    Summary 
--------------------------------------------------------------------------------------
[192.168.0.8]  [192.168.0.7]  IP:  D=[192.168.0.7] S=[192.168.0.8] LEN=20 ID=26267
[192.168.0.7]  [192.168.0.8]  IP:  D=[192.168.0.8] S=[192.168.0.7] LEN=20 ID=1033 <--
The IPID of 1033 is exactly the expected number: the zombie's last reply to the scanner carried 1028, its four RST replies to the spoofed probes consumed 1029 through 1032, and this reply is the next in line. Now that the IPID analysis is complete, nmap can begin scanning the destination station.
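The IPID bookkeeping in the two phases above (the six-frame increment check and the four-probe follow-up) can be reproduced from the capture itself. The Python script below is an added example, not code from this page or from nmap: it parses summary lines in exactly the format printed above, extracts the IPIDs the zombie sent, reports whether they advance by a fixed step, and then checks the follow-up reply against the number of probes the zombie should have answered. The regular expression, the `Packet` class and all function names are this example's own assumptions; the sample input is constructed from the IDs shown in the trace. The same check run over a capture from one of your own hosts tells you whether that host exposes a globally incrementing IPID, which is the property that makes it usable as a zombie.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: the summary lines from the trace on this page
# (format "src  dst  IP: D=[dst] S=[src] LEN=n ID=n"). Header and rule lines
# are tolerated by the parser and simply skipped.
ZOMBIE = "192.168.0.7"
SCANNER = "192.168.0.8"

IPID_CHECK_TRACE = """\
[192.168.0.8]  [192.168.0.7]  IP:  D=[192.168.0.7] S=[192.168.0.8] LEN=20 ID=51592
[192.168.0.7]  [192.168.0.8]  IP:  D=[192.168.0.8] S=[192.168.0.7] LEN=20 ID=1023
[192.168.0.8]  [192.168.0.7]  IP:  D=[192.168.0.7] S=[192.168.0.8] LEN=20 ID=12012
[192.168.0.7]  [192.168.0.8]  IP:  D=[192.168.0.8] S=[192.168.0.7] LEN=20 ID=1024
[192.168.0.8]  [192.168.0.7]  IP:  D=[192.168.0.7] S=[192.168.0.8] LEN=20 ID=29228
[192.168.0.7]  [192.168.0.8]  IP:  D=[192.168.0.8] S=[192.168.0.7] LEN=20 ID=1025
[192.168.0.8]  [192.168.0.7]  IP:  D=[192.168.0.7] S=[192.168.0.8] LEN=20 ID=50056
[192.168.0.7]  [192.168.0.8]  IP:  D=[192.168.0.8] S=[192.168.0.7] LEN=20 ID=1026
[192.168.0.8]  [192.168.0.7]  IP:  D=[192.168.0.7] S=[192.168.0.8] LEN=20 ID=36306
[192.168.0.7]  [192.168.0.8]  IP:  D=[192.168.0.8] S=[192.168.0.7] LEN=20 ID=1027
[192.168.0.8]  [192.168.0.7]  IP:  D=[192.168.0.7] S=[192.168.0.8] LEN=20 ID=61468
[192.168.0.7]  [192.168.0.8]  IP:  D=[192.168.0.8] S=[192.168.0.7] LEN=20 ID=1028
"""

FOLLOWUP_TRACE = """\
[192.168.0.8]  [192.168.0.7]  IP:  D=[192.168.0.7] S=[192.168.0.8] LEN=20 ID=26267
[192.168.0.7]  [192.168.0.8]  IP:  D=[192.168.0.8] S=[192.168.0.7] LEN=20 ID=1033
"""

# Assumed pattern for the summary column; only src, dst and the IP ID are kept.
SUMMARY_RE = re.compile(
    r"IP:\s+D=\[(?P<dst>[\d.]+)\]\s+S=\[(?P<src>[\d.]+)\]\s+LEN=(?P<length>\d+)\s+ID=(?P<ipid>\d+)"
)


@dataclass
class Packet:
    src: str
    dst: str
    ipid: int


def parse_trace(text: str) -> List[Packet]:
    """Extract one Packet per summary line; lines that do not match are ignored."""
    packets = []
    for line in text.splitlines():
        m = SUMMARY_RE.search(line)
        if m:
            packets.append(Packet(m["src"], m["dst"], int(m["ipid"])))
    return packets


def ipids_sent_by(packets: List[Packet], host: str) -> List[int]:
    """IPIDs of every frame a given host transmitted, in capture order."""
    return [p.ipid for p in packets if p.src == host]


def ipid_step(ipids: List[int]) -> Optional[int]:
    """Constant increment between successive IPIDs (mod 2^16), or None if the
    sequence does not advance by one fixed amount (i.e. it looks random)."""
    if len(ipids) < 2:
        return None
    steps = {(b - a) % 65536 for a, b in zip(ipids, ipids[1:])}
    return steps.pop() if len(steps) == 1 else None


def is_predictable_zombie(ipids: List[int]) -> bool:
    """The page's criterion: every reply advances the IPID by exactly one."""
    return ipid_step(ipids) == 1


def unaccounted_packets(last_seen: int, probes_answered: int, observed: int) -> int:
    """Packets the zombie sent that the scanner's own probes do not explain.

    Between `last_seen` and `observed` the zombie should have sent one RST per
    answered probe plus the reply carrying `observed` itself; any remainder is
    traffic the scanner did not cause, i.e. the zombie was not idle."""
    return (observed - last_seen - probes_answered - 1) % 65536


def analyse_preparation(check_trace: str, followup_trace: str,
                        zombie: str, probes_sent: int) -> Dict[str, object]:
    """Run both phases: the increment check, then the follow-up reconciliation."""
    check_ids = ipids_sent_by(parse_trace(check_trace), zombie)
    follow_ids = ipids_sent_by(parse_trace(followup_trace), zombie)
    result: Dict[str, object] = {
        "ipids": check_ids,
        "step": ipid_step(check_ids),
        "predictable": is_predictable_zombie(check_ids),
    }
    if result["predictable"] and follow_ids:
        last = check_ids[-1]
        result["expected"] = (last + probes_sent + 1) % 65536
        result["observed"] = follow_ids[0]
        result["extra"] = unaccounted_packets(last, probes_sent, follow_ids[0])
    return result


if __name__ == "__main__":
    # Four spoofed probes were sent in the trace above.
    for key, value in analyse_preparation(IPID_CHECK_TRACE, FOLLOWUP_TRACE, ZOMBIE, 4).items():
        print(f"{key}: {value}")
```

A step of 0 means the host reuses one IPID, and `None` means the increments vary, which is what a randomised IPID looks like; in both cases `analyse_preparation` stops after the first phase because the follow-up arithmetic is meaningless. When `extra` is non-zero for a host that did pass the increment check, the host was sending other traffic during the window, so its IPID cannot be read as a clean counter.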