Advantages of Idlescan
Idlescan's method of spoofing IP addresses and checking IPIDs allows nmap to find open ports from a distance, even if packet filters are in place! Nmap only needs a single open port on a zombie workstation to complete the communication process.
One of the largest advantages of idlescan is the stealth factor. A destination station will never see the IP address of the nmap station!
Disadvantages of Idlescan
Idlescan only locates ports. Idlescan can't provide any application version information or operating system fingerprinting.
The zombie must be an idle station, and that's difficult to know for sure. Often, many different devices will be tested with idlescan before an appropriate idle station is identified.
The divide-and-conquer method of idlescan's bulk processing means that there will be more network traffic than a normal port scan. In most cases, many ports will be scanned more than once. The idlescan logic also scans more ports than necessary, inefficiently using network bandwidth and extending the scanning time.
Although Idlescan spoofs the IP address of the zombie, this method of invisibility isn't helpful if all of the devices are on the same IP subnet. Since the MAC address of the nmap station isn't modified, a sharp eye can pick the spoofed address out of a network trace. To maintain the stealth factor, the nmap station and the destination should be on separate IP subnets.
Idlescan requires privileged access to create the spoofed IP frames. Without privileged access, this scan will not run.
When to use Idlescan
Idlescan allows the nmap station to remain hidden from the remote station. If invisibility is important, idlescan can provide a bit of cover while poking around the network.
Since idlescan only needs a single port to a zombie workstation, it's relatively simple to scan inside of a protected network using the zombie as a scanning proxy. This also allows nmap to check trust relationships inside an internal network without requiring direct communication between the devices.
Fyodor has written a fantastic idlescan and IPID white paper, located at:
Idlescan has the potential to extract a lot of information about your network, in spite of your packet filters! If you are concerned about idlescan extracting information through your firewall, use the operating system fingerprinting option (-O) to test the IPID predictability of your systems.
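The predictability check above can also be done from your own packet captures. The following is an added example, not code from the original text or from nmap: it takes the IP ID values observed in a host's replies and classifies the sequence into the same kinds of classes nmap's -O output reports for IP ID sequence generation, so a defender can spot hosts whose incremental global counter would let them serve as an idle-scan zombie. The thresholds are assumptions chosen to approximate nmap's heuristics, not nmap's exact code, and the sample IPID lists are constructed.

```python
"""Classify a host's IP ID generation pattern from observed IPID values.

Added example (not from the original text or from nmap). The class names
follow the ones nmap prints under "IP ID Sequence Generation"; the numeric
thresholds are assumptions that approximate nmap's heuristics.
"""

IPID_MODULUS = 65536  # the IP ID field is 16 bits wide


def ipid_deltas(ipids):
    """Forward differences between consecutive IPIDs, taken modulo 2**16
    so a counter that rolls over from 65535 to 0 still looks incremental."""
    return [(b - a) % IPID_MODULUS for a, b in zip(ipids, ipids[1:])]


def classify_ipid(ipids):
    """Return a class label for a list of IPIDs captured from one host.

    Samples should come from consecutive replies of the same host while it
    is otherwise quiet; at least three samples are needed to say anything.
    """
    if len(ipids) < 3:
        raise ValueError("need at least three IPID samples")
    if all(i == 0 for i in ipids):
        return "All zeros"  # host never exposes a counter at all

    deltas = ipid_deltas(ipids)
    if all(d == 0 for d in deltas):
        # Constant non-zero IPID (hypothetical label): no counter to observe
        return "Constant"
    if all(0 < d < 10 for d in deltas):
        # Plain global counter: each packet the host sends adds one
        return "Incremental"
    if all(d % 256 == 0 and 0 < d < 2560 for d in deltas):
        # Counter stored byte-swapped; increments show up as multiples of 256
        return "Broken little-endian incremental"
    if max(deltas) > 20000:
        # Large jumps mean the IPID is randomized per packet
        return "Randomized"
    return "Random positive increments"


def zombie_candidate(ipids):
    """True if the host's IPID behaviour is predictable enough that an
    idle scan could use it as a zombie; such hosts are the ones to fix
    (enable IPID randomization) or to keep off untrusted segments."""
    return classify_ipid(ipids) in (
        "Incremental",
        "Broken little-endian incremental",
    )


if __name__ == "__main__":
    # Constructed sample sequences, as if read from a packet capture.
    samples = {
        "printer":   [4000, 4001, 4002, 4003, 4004],
        "oldhost":   [0x0100, 0x0200, 0x0300, 0x0400],
        "server":    [12, 51234, 900, 33000, 7],
        "firewall":  [0, 0, 0, 0],
    }
    for host, ipids in samples.items():
        print(f"{host:10s} {classify_ipid(ipids):34s} "
              f"zombie-capable={zombie_candidate(ipids)}")
```

One caveat when using this on real captures: the samples must all be seen by the same observer. A host that keeps a separate IPID counter per destination will look "Incremental" here while still being useless as a zombie, which is why nmap's own test sends its probes from the scanning station. Hosts that classify as "Randomized" or "All zeros" are the ones idlescan cannot exploit.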