1
00:00:00,330 --> 00:00:08,430
Idle scan is an advanced scan method that allows for a truly blind TCP port scan of the target. Truly blind

2
00:00:08,430 --> 00:00:14,150
TCP port scan means no packets are sent to the target from your real IP address.

3
00:00:14,370 --> 00:00:23,310
Instead, a unique side channel attack exploits predictable IP fragmentation ID sequence generation on

4
00:00:23,310 --> 00:00:30,300
the zombie host to gather information about the open ports on the target. IDS systems will display the

5
00:00:30,300 --> 00:00:32,570
scan as coming from the zombie machine

6
00:00:32,570 --> 00:00:41,410
you specify. The idle scan is based on the following three facts. As you already know,

7
00:00:41,600 --> 00:00:47,810
one way to determine whether a TCP port is open is to send a SYN packet to the port. The target machine

8
00:00:47,810 --> 00:00:49,880
will respond with a SYN/ACK

9
00:00:50,030 --> 00:00:57,050
if the port is open and a RST if the port is closed. A machine that receives an unexpected SYN/ACK packet

10
00:00:57,260 --> 00:01:01,880
will respond with a RST, and an unexpected RST will be ignored.

11
00:01:02,940 --> 00:01:10,740
Every IP packet on the Internet has a fragment identification number, the IP ID. Since many operating systems

12
00:01:10,740 --> 00:01:17,670
simply increment this number for each packet they send, probing for the IP ID can tell an attacker how

13
00:01:17,670 --> 00:01:22,410
many packets have been sent since the last probe.

14
00:01:22,410 --> 00:01:27,430
So first let's see what happens in an idle scan if the target port is open.

15
00:01:27,460 --> 00:01:35,060
The first step is to probe the IP ID of the zombie system. The attacker sends a SYN/ACK to the zombie.

16
00:01:36,410 --> 00:01:41,940
Since the zombie does not expect the packet, it sends back a RST with an IP ID.

17
00:01:41,940 --> 00:01:46,370
The second step is to forge a SYN packet from the zombie to the target system.

18
00:01:47,300 --> 00:01:53,800
The target sends a SYN/ACK in response to the SYN that appears to come from the zombie. Since the zombie

19
00:01:53,800 --> 00:01:56,800
does not expect the packet, it sends back a RST,

20
00:01:56,830 --> 00:02:05,570
and so it increments its IP ID in the process. The third step is to probe the zombie's IP ID again. The attacker

21
00:02:05,570 --> 00:02:06,460
sends a SYN/ACK

22
00:02:06,500 --> 00:02:13,210
to the zombie again. The RST packet of the zombie has an IP ID which is increased by two since the first

23
00:02:13,210 --> 00:02:13,510
step.

24
00:02:13,510 --> 00:02:15,290
So the port is open.

25
00:02:15,430 --> 00:02:20,290
Now let's see what happens in an idle scan if the target port is closed.

26
00:02:20,350 --> 00:02:24,110
The first step is to probe the IP ID of the zombie system.

27
00:02:24,130 --> 00:02:30,070
The attacker sends a SYN/ACK to the zombie. Since the zombie does not expect the packet, it sends back

28
00:02:30,130 --> 00:02:32,950
a RST with an IP ID.

29
00:02:32,950 --> 00:02:38,320
The second step is to forge a SYN packet from the zombie to the target system. The target sends a

30
00:02:38,320 --> 00:02:44,770
RST, because the port is closed, in response to the SYN that appears to come from the zombie. The zombie

31
00:02:44,770 --> 00:02:46,550
ignores the unexpected RST.

32
00:02:46,630 --> 00:02:49,570
So its IP ID does not change.

33
00:02:49,930 --> 00:02:54,220
The third step is to probe the zombie's IP ID again.

34
00:02:54,220 --> 00:02:57,420
The attacker sends a SYN/ACK to the zombie again.

35
00:02:57,660 --> 00:03:03,790
The RST packet of the zombie has an IP ID which is increased by only 1 since the first step.

36
00:03:03,790 --> 00:03:07,790
So the port is not open, you follow?

37
00:03:08,200 --> 00:03:10,320
So then, here's the last one.

38
00:03:10,690 --> 00:03:14,070
Let's see what happens in an idle scan if the target port is filtered.

39
00:03:14,320 --> 00:03:21,670
The first step is to probe the IP ID of the zombie system. The attacker sends a SYN/ACK to the zombie. Since

40
00:03:21,680 --> 00:03:26,530
the zombie does not expect the packet, it sends back a RST with an IP ID.

41
00:03:26,540 --> 00:03:32,010
The second step is to forge a SYN packet from the zombie to the target system.

42
00:03:32,310 --> 00:03:37,800
The target, filtering its port, ignores this SYN that appears to come from the zombie.

43
00:03:37,870 --> 00:03:45,200
The zombie is unaware that anything happened, so its IP ID remains the same. The third step is to probe the

44
00:03:45,230 --> 00:03:46,850
zombie's IP ID again.

45
00:03:47,160 --> 00:03:49,580
The attacker sends a SYN/ACK to the zombie again.

46
00:03:50,750 --> 00:03:56,680
The RST packet of the zombie has an IP ID which has increased by only 1 since the first step.

47
00:03:56,700 --> 00:03:58,830
So the port is not open.

48
00:03:58,830 --> 00:04:05,010
So from the attacker's point of view, the filtered port is indistinguishable from a closed port.

49
00:04:05,040 --> 00:04:10,100
You see why: in both cases the IP ID is increased by only one.

50
00:04:10,560 --> 00:04:15,800
So let's have an idle scan. To be able to perform an idle scan,

51
00:04:15,800 --> 00:04:22,390
we first need to have a zombie computer on the network which has incremental IP ID sequencing. Hopefully,

52
00:04:22,390 --> 00:04:27,390
we have an Nmap script to help us find the computer appropriate to become a zombie.

53
00:04:27,410 --> 00:04:32,780
I know the name of the script starts with "ipid", and put a star now.

54
00:04:32,920 --> 00:04:34,980
Here is the script, ipidseq.nse.

55
00:04:35,010 --> 00:04:49,020
To use the script, type "nmap --script ipidseq" and now our IP block, 172.16.99.0/24.

56
00:04:49,090 --> 00:04:53,920
To keep it simple, let's scan just the top 2 ports

57
00:04:57,760 --> 00:04:59,010
and here are the results.

58
00:04:59,050 --> 00:04:59,860
So let's analyze them.

59
00:05:03,710 --> 00:05:04,320
99.1

60
00:05:04,340 --> 00:05:06,500
is my host system.

61
00:05:06,590 --> 00:05:07,170
It's a Mac

62
00:05:07,180 --> 00:05:10,670
and as you see, the IP ID is randomized.

63
00:05:10,880 --> 00:05:13,570
99.2 is the gateway of my virtual LAN

64
00:05:13,580 --> 00:05:17,300
and yes, it has incremental ID sequencing!

65
00:05:17,300 --> 00:05:19,280
It can be used as the zombie system.

66
00:05:19,350 --> 00:05:24,710
99.139 is a Linux system,

67
00:05:24,860 --> 00:05:37,200
its IP ID sequence is all zero. 99.206 is our target, Metasploitable. 99.222 is our Kali machine.

68
00:05:37,560 --> 00:05:40,290
Its IP ID sequence is incremental.

69
00:05:40,290 --> 00:05:46,050
So it's actually another zombie candidate, but it's already the attacker itself. So it doesn't make sense

70
00:05:46,050 --> 00:05:47,450
to use it as a zombie :)

71
00:05:47,670 --> 00:05:51,170
But I understand, yes, it might be fun.

72
00:05:52,520 --> 00:05:59,690
Right now, we're going to use 99.2 as the zombie.

73
00:05:59,740 --> 00:06:07,840
So here's the Nmap idle scan query. -sI: do idle scan. Now put the IP address of the zombie.

74
00:06:08,090 --> 00:06:13,580
I want to use my host machine first, which has a randomized IP ID sequence.

75
00:06:13,810 --> 00:06:23,790
Not necessarily, but I think it's a good habit. -Pn and the target system's IP.

76
00:06:23,870 --> 00:06:28,970
So as you see, Nmap says the zombie's IP ID sequence class is randomized.

77
00:06:29,090 --> 00:06:31,960
So we should find another system.

78
00:06:32,030 --> 00:06:37,750
So we think about using a zombie system with an all-zeros IP ID sequence class.

79
00:06:38,330 --> 00:06:41,110
As you see again, it's just not suitable to be a zombie.

80
00:06:42,070 --> 00:06:48,090
Now it is time to use the system which has an incremental IP ID sequence class.

81
00:06:48,100 --> 00:06:58,050
So again, to keep it simple, I'll just scan the top three, and yes, the scan is completed successfully. To compare

82
00:06:58,050 --> 00:06:58,810
the results,

83
00:06:58,860 --> 00:07:06,810
I'd like to have a SYN scan in another terminal screen with the same conditions. Ports 23 and 80 are open

84
00:07:06,810 --> 00:07:10,460
on both scans. According to the SYN scan,

85
00:07:10,460 --> 00:07:12,770
port 443 is closed.

86
00:07:12,980 --> 00:07:17,810
Now we know that the idle scan cannot distinguish the closed port from the filtered port.

87
00:07:17,870 --> 00:07:22,420
It flagged port 443 as closed or filtered.

88
00:07:22,440 --> 00:07:26,140
So let's run the last query with the --reason option again.

89
00:07:30,900 --> 00:07:36,960
As you see, ports 23 and 80 are flagged as open because the IP ID has changed

90
00:07:36,990 --> 00:07:43,500
each time. Since the IP ID has not changed, port 443 is flagged closed or filtered.
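
Added illustration, not part of the video or of Nmap: a pure-Python model of the three idle-scan cases (open, closed, filtered) and of the ipidseq-style sequence-class check, so the "IP ID increased by two versus by one" reasoning and the closed/filtered ambiguity can be traced without any network. The hosts are simulated objects, port 8080 and the "incremental" step threshold of 10 are constructed assumptions, and the addresses reuse the 172.16.99.0/24 lab from the video.

```python
# Added model of the idle scan explained in the video (not Nmap code).
# Hosts are simulated objects; nothing is sent on the wire.

def classify_ipid_sequence(ids):
    """Roughly what ipidseq.nse reports: 'incremental', 'all zeros' or 'randomized'."""
    if all(i == 0 for i in ids):
        return "all zeros"
    deltas = [(b - a) % 65536 for a, b in zip(ids, ids[1:])]
    if all(1 <= d <= 10 for d in deltas):   # small positive steps (threshold is an assumption)
        return "incremental"
    return "randomized"

class Zombie:
    """Host with one global, incrementing IP ID counter (the third fact in the video)."""
    def __init__(self, ip, start_id=1000):
        self.ip, self.next_id = ip, start_id
    def receive(self, pkt):
        if pkt["flags"] == "SYN/ACK":          # unexpected SYN/ACK -> answer with a RST
            rst = {"src": self.ip, "dst": pkt["src"], "flags": "RST", "ip_id": self.next_id}
            self.next_id = (self.next_id + 1) % 65536
            return rst
        return None                            # an unexpected RST is silently ignored

class Target:
    def __init__(self, ip, ports):
        self.ip, self.ports = ip, ports        # port -> "open" | "closed" | "filtered"
    def receive(self, pkt):
        state = self.ports.get(pkt["dport"], "closed")
        if state == "filtered":
            return None                        # filtered: the SYN is dropped, no reply at all
        flags = "SYN/ACK" if state == "open" else "RST"
        return {"src": self.ip, "dst": pkt["src"], "flags": flags, "ip_id": 0}

def idle_scan(attacker_ip, zombie, target, port):
    """Verdict for one port from the IP ID delta observed on the zombie (Nmap-style labels)."""
    first = zombie.receive({"src": attacker_ip, "dst": zombie.ip, "flags": "SYN/ACK"})["ip_id"]
    # step 2: SYN with the source spoofed as the zombie; the target's reply, if any, goes to the zombie
    reply = target.receive({"src": zombie.ip, "dst": target.ip, "flags": "SYN", "dport": port})
    if reply is not None:
        zombie.receive(reply)                  # SYN/ACK makes the zombie spend one IP ID; RST does not
    second = zombie.receive({"src": attacker_ip, "dst": zombie.ip, "flags": "SYN/ACK"})["ip_id"]
    delta = (second - first) % 65536
    return "open" if delta == 2 else "closed|filtered" if delta == 1 else "unknown"

if __name__ == "__main__":
    z = Zombie("172.16.99.2")
    t = Target("172.16.99.206", {23: "open", 80: "open", 443: "closed", 8080: "filtered"})
    for p in (23, 80, 443, 8080):
        print(p, idle_scan("172.16.99.222", z, t, p))
```

The "unknown" branch stands in for what happens when other traffic touches the zombie between the two probes, which is why a busy host makes a poor zombie and why a randomized or all-zeros sequence class is rejected outright.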