Deconstructing the Idlescan Process
The basic idlescan operation shown earlier described the scan as occurring one port at a time, but nmap knows that most ports will be closed. To improve efficiency, nmap scans multiple ports at once and uses the zombie's IPID to tell whether any port in the group answered.
Scanning the First Thirty Ports
Nmap spoofs the zombie IP address and sends SYN frames for a block of 30 random port numbers to the destination station. The trace below shows these thirty initially scanned ports; the RST sent by the zombie (192.168.0.7) in response to the target's SYN/ACK on port 135 is the frame that bumps the zombie's IPID:
Source          Destination     Summary
--------------------------------------------------------------------------------------
[192.168.0.7]   [192.168.0.5]   TCP: D=443 S=80 SYN SEQ=3699814101 LEN=0 WIN=2048
[192.168.0.7]   [192.168.0.5]   TCP: D=256 S=80 SYN SEQ=3699814101 LEN=0 WIN=4096
[192.168.0.7]   [192.168.0.5]   TCP: D=554 S=80 SYN SEQ=3699814101 LEN=0 WIN=1024
[192.168.0.5]   [192.168.0.7]   TCP: D=80 S=443 RST ACK=3699814102 WIN=0
[192.168.0.5]   [192.168.0.7]   TCP: D=80 S=256 RST ACK=3699814102 WIN=0
[192.168.0.5]   [192.168.0.7]   TCP: D=80 S=554 RST ACK=3699814102 WIN=0
[192.168.0.7]   [192.168.0.5]   TCP: D=389 S=80 SYN SEQ=3699814101 LEN=0 WIN=4096
[192.168.0.7]   [192.168.0.5]   TCP: D=3389 S=80 SYN SEQ=3699814101 LEN=0 WIN=3072
[192.168.0.7]   [192.168.0.5]   TCP: D=80 S=80 SYN SEQ=3699814101 LEN=0 WIN=4096
[192.168.0.7]   [192.168.0.5]   TCP: D=53 S=80 SYN SEQ=3699814101 LEN=0 WIN=4096
[192.168.0.7]   [192.168.0.5]   TCP: D=25 S=80 SYN SEQ=3699814101 LEN=0 WIN=3072
[192.168.0.7]   [192.168.0.5]   TCP: D=21 S=80 SYN SEQ=3699814101 LEN=0 WIN=4096
[192.168.0.7]   [192.168.0.5]   TCP: D=113 S=80 SYN SEQ=3699814101 LEN=0 WIN=4096
[192.168.0.7]   [192.168.0.5]   TCP: D=23 S=80 SYN SEQ=3699814101 LEN=0 WIN=4096
[192.168.0.7]   [192.168.0.5]   TCP: D=636 S=80 SYN SEQ=3699814101 LEN=0 WIN=3072
[192.168.0.7]   [192.168.0.5]   TCP: D=22 S=80 SYN SEQ=3699814101 LEN=0 WIN=2048
[192.168.0.7]   [192.168.0.5]   TCP: D=1723 S=80 SYN SEQ=3699814101 LEN=0 WIN=2048
[192.168.0.7]   [192.168.0.5]   TCP: D=921 S=80 SYN SEQ=3699814101 LEN=0 WIN=4096
[192.168.0.7]   [192.168.0.5]   TCP: D=546 S=80 SYN SEQ=3699814101 LEN=0 WIN=3072
[192.168.0.7]   [192.168.0.5]   TCP: D=624 S=80 SYN SEQ=3699814101 LEN=0 WIN=4096
[192.168.0.7]   [192.168.0.5]   TCP: D=188 S=80 SYN SEQ=3699814101 LEN=0 WIN=4096
[192.168.0.7]   [192.168.0.5]   TCP: D=6146 S=80 SYN SEQ=3699814101 LEN=0 WIN=2048
[192.168.0.7]   [192.168.0.5]   TCP: D=7007 S=80 SYN SEQ=3699814101 LEN=0 WIN=3072
[192.168.0.7]   [192.168.0.5]   TCP: D=135 S=80 SYN SEQ=3699814101 LEN=0 WIN=4096
[192.168.0.7]   [192.168.0.5]   TCP: D=1436 S=80 SYN SEQ=3699814101 LEN=0 WIN=2048
[192.168.0.7]   [192.168.0.5]   TCP: D=1234 S=80 SYN SEQ=3699814101 LEN=0 WIN=1024
[192.168.0.7]   [192.168.0.5]   TCP: D=808 S=80 SYN SEQ=3699814101 LEN=0 WIN=1024
[192.168.0.7]   [192.168.0.5]   TCP: D=665 S=80 SYN SEQ=3699814101 LEN=0 WIN=4096
[192.168.0.7]   [192.168.0.5]   TCP: D=790 S=80 SYN SEQ=3699814101 LEN=0 WIN=3072
[192.168.0.7]   [192.168.0.5]   TCP: D=873 S=80 SYN SEQ=3699814101 LEN=0 WIN=2048
[192.168.0.7]   [192.168.0.5]   TCP: D=717 S=80 SYN SEQ=3699814101 LEN=0 WIN=3072
[192.168.0.7]   [192.168.0.5]   TCP: D=185 S=80 SYN SEQ=3699814101 LEN=0 WIN=2048
[192.168.0.7]   [192.168.0.5]   TCP: D=569 S=80 SYN SEQ=3699814101 LEN=0 WIN=3072
[192.168.0.5]   [192.168.0.7]   TCP: D=80 S=389 RST ACK=3699814102 WIN=0
[192.168.0.5]   [192.168.0.7]   TCP: D=80 S=3389 RST ACK=3699814102 WIN=0
[192.168.0.5]   [192.168.0.7]   TCP: D=80 S=80 RST ACK=3699814102 WIN=0
[192.168.0.5]   [192.168.0.7]   TCP: D=80 S=53 RST ACK=3699814102 WIN=0
[192.168.0.5]   [192.168.0.7]   TCP: D=80 S=25 RST ACK=3699814102 WIN=0
[192.168.0.5]   [192.168.0.7]   TCP: D=80 S=21 RST ACK=3699814102 WIN=0
[192.168.0.5]   [192.168.0.7]   TCP: D=80 S=113 RST ACK=3699814102 WIN=0
[192.168.0.5]   [192.168.0.7]   TCP: D=80 S=23 RST ACK=3699814102 WIN=0
[192.168.0.5]   [192.168.0.7]   TCP: D=80 S=636 RST ACK=3699814102 WIN=0
[192.168.0.5]   [192.168.0.7]   TCP: D=80 S=22 RST ACK=3699814102 WIN=0
[192.168.0.5]   [192.168.0.7]   TCP: D=80 S=1723 RST ACK=3699814102 WIN=0
[192.168.0.5]   [192.168.0.7]   TCP: D=80 S=921 RST ACK=3699814102 WIN=0
[192.168.0.5]   [192.168.0.7]   TCP: D=80 S=546 RST ACK=3699814102 WIN=0
[192.168.0.5]   [192.168.0.7]   TCP: D=80 S=624 RST ACK=3699814102 WIN=0
[192.168.0.5]   [192.168.0.7]   TCP: D=80 S=188 RST ACK=3699814102 WIN=0
[192.168.0.5]   [192.168.0.7]   TCP: D=80 S=6146 RST ACK=3699814102 WIN=0
[192.168.0.5]   [192.168.0.7]   TCP: D=80 S=7007 RST ACK=3699814102 WIN=0
[192.168.0.5]   [192.168.0.7]   TCP: D=80 S=135 SYN ACK=3699814102 SEQ=2088485221 LEN=0 WIN=65535
[192.168.0.5]   [192.168.0.7]   TCP: D=80 S=1436 RST ACK=3699814102 WIN=0
[192.168.0.7]   [192.168.0.5]   TCP: D=135 S=80 RST WIN=0 / IP: ID=1034 <--
[192.168.0.5]   [192.168.0.7]   TCP: D=80 S=1234 RST ACK=3699814102 WIN=0
[192.168.0.5]   [192.168.0.7]   TCP: D=80 S=808 RST ACK=3699814102 WIN=0
[192.168.0.5]   [192.168.0.7]   TCP: D=80 S=665 RST ACK=3699814102 WIN=0
[192.168.0.5]   [192.168.0.7]   TCP: D=80 S=790 RST ACK=3699814102 WIN=0
[192.168.0.5]   [192.168.0.7]   TCP: D=80 S=873 RST ACK=3699814102 WIN=0
[192.168.0.5]   [192.168.0.7]   TCP: D=80 S=717 RST ACK=3699814102 WIN=0
[192.168.0.5]   [192.168.0.7]   TCP: D=80 S=185 RST ACK=3699814102 WIN=0
[192.168.0.5]   [192.168.0.7]   TCP: D=80 S=569 RST ACK=3699814102 WIN=0

Nmap then sends two SYN/ACK frames to the zombie and checks the resulting IPIDs.
Source          Destination     Summary
--------------------------------------------------------------------------------------
[192.168.0.8]   [192.168.0.7]   TCP: D=80 S=62727 SYN ACK=3093618703 SEQ=717491703 LEN=0 WIN=3072
[192.168.0.7]   [192.168.0.8]   TCP: D=62727 S=80 RST WIN=0 / IP: ID=1035 <--
[192.168.0.8]   [192.168.0.7]   TCP: D=80 S=62767 SYN ACK=3093618703 SEQ=717492203 LEN=0 WIN=2048
[192.168.0.7]   [192.168.0.8]   TCP: D=62767 S=80 RST WIN=0 / IP: ID=1036 <--

Nmap can tell from the IPID change that one of the ports sent in that first group of thirty was open!
Now that the IPID has changed, nmap rewinds its scan process and begins scanning the same port numbers again, but in smaller groups. Since nmap started with a group of 30, it separates that list in half and begins the scanning process again:
Source          Destination     Summary
--------------------------------------------------------------------------------------
[192.168.0.7]   [192.168.0.5]   TCP: D=443 S=80 SYN (Retransmission) SEQ=3699814101 LEN=0 WIN=1024
[192.168.0.7]   [192.168.0.5]   TCP: D=256 S=80 SYN (Retransmission) SEQ=3699814101 LEN=0 WIN=4096
[192.168.0.7]   [192.168.0.5]   TCP: D=554 S=80 SYN (Retransmission) SEQ=3699814101 LEN=0 WIN=1024
[192.168.0.7]   [192.168.0.5]   TCP: D=389 S=80 SYN (Retransmission) SEQ=3699814101 LEN=0 WIN=3072
[192.168.0.5]   [192.168.0.7]   TCP: D=80 S=443 RST ACK=3699814102 WIN=0
[192.168.0.5]   [192.168.0.7]   TCP: D=80 S=256 RST ACK=3699814102 WIN=0
[192.168.0.5]   [192.168.0.7]   TCP: D=80 S=554 RST ACK=3699814102 WIN=0
[192.168.0.5]   [192.168.0.7]   TCP: D=80 S=389 RST ACK=3699814102 WIN=0
[192.168.0.7]   [192.168.0.5]   TCP: D=3389 S=80 SYN (Retransmission) SEQ=3699814101 LEN=0 WIN=4096
[192.168.0.7]   [192.168.0.5]   TCP: D=80 S=80 SYN (Retransmission) SEQ=3699814101 LEN=0 WIN=2048
[192.168.0.7]   [192.168.0.5]   TCP: D=53 S=80 SYN (Retransmission) SEQ=3699814101 LEN=0 WIN=3072
[192.168.0.7]   [192.168.0.5]   TCP: D=25 S=80 SYN (Retransmission) SEQ=3699814101 LEN=0 WIN=3072
[192.168.0.7]   [192.168.0.5]   TCP: D=21 S=80 SYN (Retransmission) SEQ=3699814101 LEN=0 WIN=1024
[192.168.0.7]   [192.168.0.5]   TCP: D=113 S=80 SYN (Retransmission) SEQ=3699814101 LEN=0 WIN=2048
[192.168.0.7]   [192.168.0.5]   TCP: D=23 S=80 SYN (Retransmission) SEQ=3699814101 LEN=0 WIN=4096
[192.168.0.7]   [192.168.0.5]   TCP: D=636 S=80 SYN (Retransmission) SEQ=3699814101 LEN=0 WIN=2048
[192.168.0.7]   [192.168.0.5]   TCP: D=22 S=80 SYN (Retransmission) SEQ=3699814101 LEN=0 WIN=4096
[192.168.0.7]   [192.168.0.5]   TCP: D=1723 S=80 SYN (Retransmission) SEQ=3699814101 LEN=0 WIN=2048
[192.168.0.7]   [192.168.0.5]   TCP: D=921 S=80 SYN (Retransmission) SEQ=3699814101 LEN=0 WIN=4096
[192.168.0.5]   [192.168.0.7]   TCP: D=80 S=3389 RST ACK=3699814102 WIN=0
[192.168.0.5]   [192.168.0.7]   TCP: D=80 S=80 RST ACK=3699814102 WIN=0
[192.168.0.5]   [192.168.0.7]   TCP: D=80 S=53 RST ACK=3699814102 WIN=0
[192.168.0.5]   [192.168.0.7]   TCP: D=80 S=25 RST ACK=3699814102 WIN=0
[192.168.0.5]   [192.168.0.7]   TCP: D=80 S=21 RST ACK=3699814102 WIN=0
[192.168.0.5]   [192.168.0.7]   TCP: D=80 S=113 RST ACK=3699814102 WIN=0
[192.168.0.5]   [192.168.0.7]   TCP: D=80 S=23 RST ACK=3699814102 WIN=0
[192.168.0.5]   [192.168.0.7]   TCP: D=80 S=636 RST ACK=3699814102 WIN=0
[192.168.0.5]   [192.168.0.7]   TCP: D=80 S=22 RST ACK=3699814102 WIN=0
[192.168.0.5]   [192.168.0.7]   TCP: D=80 S=1723 RST ACK=3699814102 WIN=0
[192.168.0.5]   [192.168.0.7]   TCP: D=80 S=921 RST ACK=3699814102 WIN=0

After these 15 ports are scanned, nmap checks the IPID again:
Source          Destination     Summary
--------------------------------------------------------------------------------------
[192.168.0.8]   [192.168.0.7]   TCP: D=80 S=62748 SYN ACK=3093618703 SEQ=717492703 LEN=0 WIN=3072
[192.168.0.7]   [192.168.0.8]   TCP: D=62748 S=80 RST WIN=0 / IP: IPID=1037 <--
[192.168.0.8]   [192.168.0.7]   TCP: D=80 S=62849 SYN ACK=3093618703 SEQ=717493203 LEN=0 WIN=1024
[192.168.0.7]   [192.168.0.8]   TCP: D=62849 S=80 RST WIN=0 / IP: IPID=1038 <--

The IPID advanced only by nmap's own two probes, with no extra increment, so nmap knows that the open port must be one of the remaining 15 ports. However, nmap isn't as efficient as it could be: instead of splitting these remaining 15 ports apart, it checks all of them!
Source          Destination     Summary
--------------------------------------------------------------------------------------
[192.168.0.7]   [192.168.0.5]   TCP: D=546 S=80 SYN (Retransmission) SEQ=3699814101 LEN=0 WIN=4096
[192.168.0.7]   [192.168.0.5]   TCP: D=624 S=80 SYN (Retransmission) SEQ=3699814101 LEN=0 WIN=3072
[192.168.0.7]   [192.168.0.5]   TCP: D=188 S=80 SYN (Retransmission) SEQ=3699814101 LEN=0 WIN=2048
[192.168.0.7]   [192.168.0.5]   TCP: D=6146 S=80 SYN (Retransmission) SEQ=3699814101 LEN=0 WIN=1024
[192.168.0.5]   [192.168.0.7]   TCP: D=80 S=546 RST ACK=3699814102 WIN=0
[192.168.0.5]   [192.168.0.7]   TCP: D=80 S=624 RST ACK=3699814102 WIN=0
[192.168.0.5]   [192.168.0.7]   TCP: D=80 S=188 RST ACK=3699814102 WIN=0
[192.168.0.5]   [192.168.0.7]   TCP: D=80 S=6146 RST ACK=3699814102 WIN=0
[192.168.0.7]   [192.168.0.5]   TCP: D=7007 S=80 SYN (Retransmission) SEQ=3699814101 LEN=0 WIN=4096
[192.168.0.7]   [192.168.0.5]   TCP: D=135 S=80 SYN (Retransmission) SEQ=3699814101 LEN=0 WIN=2048
[192.168.0.7]   [192.168.0.5]   TCP: D=1436 S=80 SYN (Retransmission) SEQ=3699814101 LEN=0 WIN=1024
[192.168.0.7]   [192.168.0.5]   TCP: D=1234 S=80 SYN (Retransmission) SEQ=3699814101 LEN=0 WIN=4096
[192.168.0.7]   [192.168.0.5]   TCP: D=808 S=80 SYN (Retransmission) SEQ=3699814101 LEN=0 WIN=2048
[192.168.0.5]   [192.168.0.7]   TCP: D=80 S=7007 RST ACK=3699814102 WIN=0
[192.168.0.5]   [192.168.0.7]   TCP: D=80 S=135 SYN ACK=3699814102 SEQ=2088563926 LEN=0 WIN=65535
[192.168.0.5]   [192.168.0.7]   TCP: D=80 S=1436 RST ACK=3699814102 WIN=0
[192.168.0.5]   [192.168.0.7]   TCP: D=80 S=1234 RST ACK=3699814102 WIN=0
[192.168.0.5]   [192.168.0.7]   TCP: D=80 S=808 RST ACK=3699814102 WIN=0
[192.168.0.7]   [192.168.0.5]   TCP: D=665 S=80 SYN (Retransmission of Frame 60) SEQ=3699814101 LEN=0 WIN=4096
[192.168.0.7]   [192.168.0.5]   TCP: D=790 S=80 SYN (Retransmission of Frame 61) SEQ=3699814101 LEN=0 WIN=1024
[192.168.0.7]   [192.168.0.5]   TCP: D=873 S=80 SYN (Retransmission of Frame 62) SEQ=3699814101 LEN=0 WIN=2048
[192.168.0.7]   [192.168.0.5]   TCP: D=717 S=80 SYN (Retransmission of Frame 63) SEQ=3699814101 LEN=0 WIN=4096
[192.168.0.7]   [192.168.0.5]   TCP: D=185 S=80 SYN (Retransmission of Frame 64) SEQ=3699814101 LEN=0 WIN=1024
[192.168.0.7]   [192.168.0.5]   TCP: D=569 S=80 SYN (Retransmission of Frame 65) SEQ=3699814101 LEN=0 WIN=1024
[192.168.0.5]   [192.168.0.7]   TCP: D=80 S=665 RST ACK=3699814102 WIN=0
[192.168.0.5]   [192.168.0.7]   TCP: D=80 S=790 RST ACK=3699814102 WIN=0
[192.168.0.5]   [192.168.0.7]   TCP: D=80 S=873 RST ACK=3699814102 WIN=0
[192.168.0.5]   [192.168.0.7]   TCP: D=80 S=717 RST ACK=3699814102 WIN=0
[192.168.0.5]   [192.168.0.7]   TCP: D=80 S=185 RST ACK=3699814102 WIN=0
[192.168.0.5]   [192.168.0.7]   TCP: D=80 S=569 RST ACK=3699814102 WIN=0
[192.168.0.7]   [192.168.0.5]   TCP: D=135 S=80 RST WIN=0 / IP: IPID=1039 <--

Nmap checks the IPIDs to determine if the open port was in that last batch. Of course, we've already determined it's there:
Source          Destination     Summary
--------------------------------------------------------------------------------------
[192.168.0.8]   [192.168.0.7]   TCP: D=80 S=62803 SYN ACK=3093618703 SEQ=717493703 LEN=0 WIN=4096
[192.168.0.7]   [192.168.0.8]   TCP: D=62803 S=80 RST WIN=0 / IP: IPID=1040 <--
[192.168.0.8]   [192.168.0.7]   TCP: D=80 S=62962 SYN ACK=3093618703 SEQ=717494203 LEN=0 WIN=1024
[192.168.0.7]   [192.168.0.8]   TCP: D=62962 S=80 RST WIN=0 / IP: IPID=1041 <--

Having clearly identified the group containing the mystery port, nmap begins the divide-and-conquer process again. This time, the list is split into a group of eight ports and another group containing seven ports. The group of eight ports is the first group to check:
Source          Destination     Summary
--------------------------------------------------------------------------------------
[192.168.0.7]   [192.168.0.5]   TCP: D=546 S=80 SYN (Retransmission) SEQ=3699814101 LEN=0 WIN=2048
[192.168.0.7]   [192.168.0.5]   TCP: D=624 S=80 SYN (Retransmission) SEQ=3699814101 LEN=0 WIN=3072
[192.168.0.7]   [192.168.0.5]   TCP: D=188 S=80 SYN (Retransmission) SEQ=3699814101 LEN=0 WIN=2048
[192.168.0.7]   [192.168.0.5]   TCP: D=6146 S=80 SYN (Retransmission) SEQ=3699814101 LEN=0 WIN=2048
[192.168.0.7]   [192.168.0.5]   TCP: D=7007 S=80 SYN (Retransmission) SEQ=3699814101 LEN=0 WIN=1024
[192.168.0.7]   [192.168.0.5]   TCP: D=135 S=80 SYN (Retransmission) SEQ=3699814101 LEN=0 WIN=4096
[192.168.0.7]   [192.168.0.5]   TCP: D=1436 S=80 SYN (Retransmission) SEQ=3699814101 LEN=0 WIN=1024
[192.168.0.7]   [192.168.0.5]   TCP: D=1234 S=80 SYN (Retransmission) SEQ=3699814101 LEN=0 WIN=2048
[192.168.0.5]   [192.168.0.7]   TCP: D=80 S=546 RST ACK=3699814102 WIN=0
[192.168.0.5]   [192.168.0.7]   TCP: D=80 S=624 RST ACK=3699814102 WIN=0
[192.168.0.5]   [192.168.0.7]   TCP: D=80 S=188 RST ACK=3699814102 WIN=0
[192.168.0.5]   [192.168.0.7]   TCP: D=80 S=6146 RST ACK=3699814102 WIN=0
[192.168.0.5]   [192.168.0.7]   TCP: D=80 S=7007 RST ACK=3699814102 WIN=0
[192.168.0.5]   [192.168.0.7]   TCP: D=80 S=135 SYN ACK=3699814102 SEQ=2088591538 LEN=0 WIN=65535
[192.168.0.5]   [192.168.0.7]   TCP: D=80 S=1436 RST ACK=3699814102 WIN=0
[192.168.0.7]   [192.168.0.5]   TCP: D=135 S=80 RST WIN=0 / IP: IPID=1042 <--
[192.168.0.5]   [192.168.0.7]   TCP: D=80 S=1234 RST ACK=3699814102 WIN=0

Nmap performs the normal IPID check for any changes:
Source          Destination     Summary
--------------------------------------------------------------------------------------
[192.168.0.8]   [192.168.0.7]   TCP: D=80 S=62867 SYN ACK=3093618703 SEQ=717494703 LEN=0 WIN=4096
[192.168.0.7]   [192.168.0.8]   TCP: D=62867 S=80 RST WIN=0 / IP: IPID=1043 <--
[192.168.0.8]   [192.168.0.7]   TCP: D=80 S=62735 SYN ACK=3093618703 SEQ=717495203 LEN=0 WIN=1024
[192.168.0.7]   [192.168.0.8]   TCP: D=62735 S=80 RST WIN=0 / IP: IPID=1044 <--

The IPID incremented, so nmap knows the port is in the block of eight ports. Nmap now breaks this into two groups of four ports and scans the first four:
Source          Destination     Summary
--------------------------------------------------------------------------------------
[192.168.0.7]   [192.168.0.5]   TCP: D=546 S=80 SYN (Retransmission) SEQ=3699814101 LEN=0 WIN=2048
[192.168.0.7]   [192.168.0.5]   TCP: D=624 S=80 SYN (Retransmission) SEQ=3699814101 LEN=0 WIN=4096
[192.168.0.7]   [192.168.0.5]   TCP: D=188 S=80 SYN (Retransmission) SEQ=3699814101 LEN=0 WIN=4096
[192.168.0.7]   [192.168.0.5]   TCP: D=6146 S=80 SYN (Retransmission) SEQ=3699814101 LEN=0 WIN=2048
[192.168.0.5]   [192.168.0.7]   TCP: D=80 S=546 RST ACK=3699814102 WIN=0
[192.168.0.5]   [192.168.0.7]   TCP: D=80 S=624 RST ACK=3699814102 WIN=0
[192.168.0.5]   [192.168.0.7]   TCP: D=80 S=188 RST ACK=3699814102 WIN=0
[192.168.0.5]   [192.168.0.7]   TCP: D=80 S=6146 RST ACK=3699814102 WIN=0

The IPID is checked for any changes, but it hasn't incremented since the last check:
Source          Destination     Summary
--------------------------------------------------------------------------------------
[192.168.0.8]   [192.168.0.7]   TCP: D=80 S=62884 SYN ACK=3093618703 SEQ=717495703 LEN=0 WIN=3072
[192.168.0.7]   [192.168.0.8]   TCP: D=62884 S=80 RST WIN=0 / IP: IPID=1045 <--
[192.168.0.8]   [192.168.0.7]   TCP: D=80 S=62919 SYN ACK=3093618703 SEQ=717496203 LEN=0 WIN=2048
[192.168.0.7]   [192.168.0.8]   TCP: D=62919 S=80 RST WIN=0 / IP: IPID=1046 <--

After hundreds of frames, nmap has now narrowed down the open port to these last four possibilities. Instead of separating this group of four ports into a smaller query, nmap not-so-efficiently queries all four of the remaining ports:
Source          Destination     Summary
--------------------------------------------------------------------------------------
[192.168.0.7]   [192.168.0.5]   TCP: D=7007 S=80 SYN (Retransmission) SEQ=3699814101 LEN=0 WIN=1024
[192.168.0.7]   [192.168.0.5]   TCP: D=135 S=80 SYN (Retransmission) SEQ=3699814101 LEN=0 WIN=2048
[192.168.0.7]   [192.168.0.5]   TCP: D=1436 S=80 SYN (Retransmission) SEQ=3699814101 LEN=0 WIN=2048
[192.168.0.7]   [192.168.0.5]   TCP: D=1234 S=80 SYN (Retransmission) SEQ=3699814101 LEN=0 WIN=4096
[192.168.0.5]   [192.168.0.7]   TCP: D=80 S=7007 RST ACK=3699814102 WIN=0
[192.168.0.5]   [192.168.0.7]   TCP: D=80 S=135 SYN ACK=3699814102 SEQ=2088668207 LEN=0 WIN=65535
[192.168.0.5]   [192.168.0.7]   TCP: D=80 S=1436 RST ACK=3699814102 WIN=0
[192.168.0.7]   [192.168.0.5]   TCP: D=135 S=80 RST WIN=0 / IP: IPID=1047 <--
[192.168.0.5]   [192.168.0.7]   TCP: D=80 S=1234 RST ACK=3699814102 WIN=0

As expected, the IPID increments to confirm that the mystery port is contained in that last group of four ports:
Source          Destination     Summary
--------------------------------------------------------------------------------------
[192.168.0.8]   [192.168.0.7]   TCP: D=80 S=62938 SYN ACK=3093618703 SEQ=717496703 LEN=0 WIN=2048
[192.168.0.7]   [192.168.0.8]   TCP: D=62938 S=80 RST WIN=0 / IP: IPID=1048 <--
[192.168.0.8]   [192.168.0.7]   TCP: D=80 S=62834 SYN ACK=3093618703 SEQ=717497203 LEN=0 WIN=4096
[192.168.0.7]   [192.168.0.8]   TCP: D=62834 S=80 RST WIN=0 / IP: IPID=1049 <--

Nmap finally separates the four ports into two groups of two ports each and begins scanning the first two ports:
Source          Destination     Summary
--------------------------------------------------------------------------------------
[192.168.0.7]   [192.168.0.5]   TCP: D=7007 S=80 SYN (Retransmission) SEQ=3699814101 LEN=0 WIN=1024
[192.168.0.7]   [192.168.0.5]   TCP: D=135 S=80 SYN (Retransmission) SEQ=3699814101 LEN=0 WIN=2048
[192.168.0.5]   [192.168.0.7]   TCP: D=80 S=7007 RST ACK=3699814102 WIN=0
[192.168.0.5]   [192.168.0.7]   TCP: D=80 S=135 SYN ACK=3699814102 SEQ=2088695447 LEN=0 WIN=65535
[192.168.0.7]   [192.168.0.5]   TCP: D=135 S=80 RST WIN=0 / IP: IPID=1050 <--

The IPID check occurs again, and nmap discovers that the mystery open port is one of those two ports:
Source          Destination     Summary
--------------------------------------------------------------------------------------
[192.168.0.8]   [192.168.0.7]   TCP: D=80 S=62729 SYN ACK=3093618703 SEQ=717497703 LEN=0 WIN=2048
[192.168.0.7]   [192.168.0.8]   TCP: D=62729 S=80 RST WIN=0 / IP: IPID=1051 <--
[192.168.0.8]   [192.168.0.7]   TCP: D=80 S=62937 SYN ACK=3093618703 SEQ=717498203 LEN=0 WIN=1024
[192.168.0.7]   [192.168.0.8]   TCP: D=62937 S=80 RST WIN=0 / IP: IPID=1052 <--

We're down to two possible options, so nmap checks the first port:
Source          Destination     Summary
--------------------------------------------------------------------------------------
[192.168.0.7]   [192.168.0.5]   TCP: D=7007 S=80 SYN (Retransmission) SEQ=3699814101 LEN=0 WIN=2048
[192.168.0.5]   [192.168.0.7]   TCP: D=80 S=7007 RST ACK=3699814102 WIN=0

The resulting IPID check shows that the mystery port was not port 7007:
Source          Destination     Summary
--------------------------------------------------------------------------------------
[192.168.0.8]   [192.168.0.7]   TCP: D=80 S=62873 SYN ACK=3093618703 SEQ=717498703 LEN=0 WIN=3072
[192.168.0.7]   [192.168.0.8]   TCP: D=62873 S=80 RST WIN=0 / IP: IPID=1053 <--
[192.168.0.8]   [192.168.0.7]   TCP: D=80 S=62737 SYN ACK=3093618703 SEQ=717499203 LEN=0 WIN=4096
[192.168.0.7]   [192.168.0.8]   TCP: D=62737 S=80 RST WIN=0 / IP: IPID=1054 <--

At this point, there's one port remaining from the original thirty. Unfortunately, nmap's idlescan logic doesn't recognize that there's only one choice remaining, so nmap goes through the unnecessary motions of checking the final port:
Source          Destination     Summary
--------------------------------------------------------------------------------------
[192.168.0.7]   [192.168.0.5]   TCP: D=135 S=80 SYN (Retransmission of Frame 56) SEQ=3699814101 LEN=0 WIN=1024
[192.168.0.5]   [192.168.0.7]   TCP: D=80 S=135 SYN ACK=3699814102 SEQ=2088767793 LEN=0 WIN=65535
[192.168.0.7]   [192.168.0.5]   TCP: D=135 S=80 RST WIN=0 / IP: IPID=1055 <--

Unlike previous IPID checks, nmap only sends a single SYN/ACK for this IPID check. This is another inconsistency in the IPID process:
Source          Destination     Summary
--------------------------------------------------------------------------------------
[192.168.0.8]   [192.168.0.7]   TCP: D=80 S=62782 SYN ACK=3093618703 SEQ=717499703 LEN=0 WIN=4096
[192.168.0.7]   [192.168.0.8]   TCP: D=62782 S=80 RST WIN=0 / IP: IPID=1056 <--
Finally, nmap has identified the single open port from the original group of thirty ports. Logically, nmap should continue to the next group of thirty ports and work through this same process. However, that's not what happens.
Remember when the group of four ports was split into two groups of two ports? Those other two ports were never scanned. Although it's now obvious that nmap has already found the open port, nmap still feels compelled to check those other two ports:
Source          Destination     Summary
--------------------------------------------------------------------------------------
[192.168.0.7]   [192.168.0.5]   TCP: D=1436 S=80 SYN (Retransmission) SEQ=3699814101 LEN=0 WIN=3072
[192.168.0.7]   [192.168.0.5]   TCP: D=1234 S=80 SYN (Retransmission) SEQ=3699814101 LEN=0 WIN=2048
[192.168.0.5]   [192.168.0.7]   TCP: D=80 S=1436 RST ACK=3699814102 WIN=0
[192.168.0.5]   [192.168.0.7]   TCP: D=80 S=1234 RST ACK=3699814102 WIN=0

The IPID check shows that the open port wasn't in the last group, but we knew that already. Notice that nmap has returned to using two SYN/ACK packets to check the IPID:
Source          Destination     Summary
--------------------------------------------------------------------------------------
[192.168.0.8]   [192.168.0.7]   TCP: D=80 S=62875 SYN ACK=3093618703 SEQ=717500203 LEN=0 WIN=3072
[192.168.0.7]   [192.168.0.8]   TCP: D=62875 S=80 RST WIN=0 / IP: IPID=1057 <--
[192.168.0.8]   [192.168.0.7]   TCP: D=80 S=62729 SYN ACK=3093618703 SEQ=717500703 LEN=0 WIN=3072
[192.168.0.7]   [192.168.0.8]   TCP: D=62729 S=80 RST WIN=0 / IP: IPID=1058 <--

Although the open port was identified a few IPID checks ago, nmap remembers that there are still seven ports that haven't been scanned. Although it's not necessary at this point, nmap insists on scanning these ports:
Source          Destination     Summary
--------------------------------------------------------------------------------------
[192.168.0.7]   [192.168.0.5]   TCP: D=808 S=80 SYN (Retransmission) SEQ=3699814101 LEN=0 WIN=1024
[192.168.0.7]   [192.168.0.5]   TCP: D=665 S=80 SYN (Retransmission) SEQ=3699814101 LEN=0 WIN=4096
[192.168.0.7]   [192.168.0.5]   TCP: D=790 S=80 SYN (Retransmission) SEQ=3699814101 LEN=0 WIN=2048
[192.168.0.7]   [192.168.0.5]   TCP: D=873 S=80 SYN (Retransmission) SEQ=3699814101 LEN=0 WIN=3072
[192.168.0.7]   [192.168.0.5]   TCP: D=717 S=80 SYN (Retransmission) SEQ=3699814101 LEN=0 WIN=4096
[192.168.0.7]   [192.168.0.5]   TCP: D=185 S=80 SYN (Retransmission) SEQ=3699814101 LEN=0 WIN=1024
[192.168.0.7]   [192.168.0.5]   TCP: D=569 S=80 SYN (Retransmission) SEQ=3699814101 LEN=0 WIN=3072
[192.168.0.5]   [192.168.0.7]   TCP: D=80 S=808 RST ACK=3699814102 WIN=0
[192.168.0.5]   [192.168.0.7]   TCP: D=80 S=665 RST ACK=3699814102 WIN=0
[192.168.0.5]   [192.168.0.7]   TCP: D=80 S=790 RST ACK=3699814102 WIN=0
[192.168.0.5]   [192.168.0.7]   TCP: D=80 S=873 RST ACK=3699814102 WIN=0
[192.168.0.5]   [192.168.0.7]   TCP: D=80 S=717 RST ACK=3699814102 WIN=0
[192.168.0.5]   [192.168.0.7]   TCP: D=80 S=185 RST ACK=3699814102 WIN=0
[192.168.0.5]   [192.168.0.7]   TCP: D=80 S=569 RST ACK=3699814102 WIN=0

Obviously, this IPID check shows that these last seven ports weren't open:
Source          Destination     Summary
--------------------------------------------------------------------------------------
[192.168.0.8]   [192.168.0.7]   TCP: D=80 S=62726 SYN ACK=3093618703 SEQ=717501203 LEN=0 WIN=4096
[192.168.0.7]   [192.168.0.8]   TCP: D=62726 S=80 RST WIN=0 / IP: IPID=1059 <--
[192.168.0.8]   [192.168.0.7]   TCP: D=80 S=62763 SYN ACK=3093618703 SEQ=717501703 LEN=0 WIN=3072
[192.168.0.7]   [192.168.0.8]   TCP: D=62763 S=80 RST WIN=0 / IP: IPID=1060 <--
Finally, it's over. The first thirty ports have been scanned, and now nmap groups together another thirty random ports and repeats the process again until all of the ports have been checked.
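From the target's side, the traces above carry a tell that has nothing to do with the zombie's IPID: every spoofed SYN arrives from the same "source" with the same source port and the identical sequence number 3699814101, across dozens of destination ports, which no real TCP stack does. The following is an added detection example, not code from the page or from nmap; it parses summary lines in the "[src] [dst] TCP: ..." format used above and reports sources whose pure SYNs reuse one ISN against many ports. The sample capture, the min_ports threshold and the function names are constructed for the example.

```python
"""Flag spoofed-SYN fan-out in a target-side capture: one source, one ISN, many ports."""
import re
from collections import defaultdict

FLAG_WORDS = {"SYN", "RST", "FIN", "PSH", "URG"}

# Constructed sample in the page's capture-summary format (not the page's own capture).
# The 192.168.0.7 SYNs mimic the spoofed probes; the 192.168.0.9 SYNs are ordinary connects.
SAMPLE_CAPTURE = """\
[192.168.0.7] [192.168.0.5] TCP: D=443 S=80 SYN SEQ=3699814101 LEN=0 WIN=2048
[192.168.0.7] [192.168.0.5] TCP: D=256 S=80 SYN SEQ=3699814101 LEN=0 WIN=4096
[192.168.0.7] [192.168.0.5] TCP: D=554 S=80 SYN SEQ=3699814101 LEN=0 WIN=1024
[192.168.0.5] [192.168.0.7] TCP: D=80 S=443 RST ACK=3699814102 WIN=0
[192.168.0.7] [192.168.0.5] TCP: D=389 S=80 SYN (Retransmission) SEQ=3699814101 LEN=0 WIN=3072
[192.168.0.7] [192.168.0.5] TCP: D=135 S=80 SYN SEQ=3699814101 LEN=0 WIN=4096
[192.168.0.7] [192.168.0.5] TCP: D=22 S=80 SYN SEQ=3699814101 LEN=0 WIN=2048
[192.168.0.5] [192.168.0.7] TCP: D=80 S=135 SYN ACK=3699814102 SEQ=2088485221 LEN=0 WIN=65535
[192.168.0.7] [192.168.0.5] TCP: D=135 S=80 RST WIN=0 / IP: ID=1034
[192.168.0.9] [192.168.0.5] TCP: D=22 S=51002 SYN SEQ=1771003 LEN=0 WIN=65535
[192.168.0.9] [192.168.0.5] TCP: D=80 S=51003 SYN SEQ=2859114 LEN=0 WIN=65535
"""


def parse_line(line):
    """Turn one summary line into {src, dst, flags, fields}; None for non-TCP lines."""
    line = re.sub(r"\([^)]*\)", "", line)           # drop "(Retransmission ...)" annotations
    tokens = line.split()
    if len(tokens) < 3 or tokens[2] != "TCP:":
        return None
    frame = {"src": tokens[0].strip("[]"), "dst": tokens[1].strip("[]"),
             "flags": set(), "fields": {}}
    for tok in tokens[3:]:                           # "/" and "IP:" carry no data and are skipped
        if "=" in tok:
            key, value = tok.split("=", 1)
            frame["fields"][key] = int(value) if value.isdigit() else value
        elif tok in FLAG_WORDS:
            frame["flags"].add(tok)
    if "ACK" in frame["fields"]:                     # an "ACK=<n>" field means the ACK flag is set
        frame["flags"].add("ACK")
    return frame


def find_isn_reuse(capture_text, min_ports=5):
    """Return (src, dst, seq, sorted_ports) for every source whose pure SYNs (no ACK) carry
    one initial sequence number to at least min_ports distinct destination ports.
    A genuine stack picks a fresh ISN per connection, so reuse points at crafted packets."""
    ports_by_isn = defaultdict(set)                  # (src, dst, seq) -> {dport, ...}
    for raw in capture_text.splitlines():
        frame = parse_line(raw)
        if frame is None or frame["flags"] != {"SYN"}:
            continue
        key = (frame["src"], frame["dst"], frame["fields"]["SEQ"])
        ports_by_isn[key].add(frame["fields"]["D"])
    return [(src, dst, seq, sorted(ports))
            for (src, dst, seq), ports in ports_by_isn.items() if len(ports) >= min_ports]


if __name__ == "__main__":
    for src, dst, seq, ports in find_isn_reuse(SAMPLE_CAPTURE):
        print(f"{src} -> {dst}: ISN {seq} reused on {len(ports)} ports {ports}")
```

The flagged "source" is the zombie, not the attacker, which is exactly why an alert on this pattern should be paired with a look at the zombie host itself for the unsolicited SYN/ACK traffic shown in the IPID-check traces.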

