insanelycurioustake2 Posted September 25, 2012

I am trying to understand idle scan in nmap. I feel a little stuck. Here is what I have done so far:

nmap -PN -p- -sI zombie -r --packet-trace -v target

As part of the packet trace output, nmap tells me that it has sent out packets to the zombie on port 80:

SENT (0.1033s) TCP source:42615 > zombie:80 SA ttl=44 id=29903 iplen=44 seq=18063 win=1024 <mss 1460>

but nmap complains it did not receive any reply from the zombie:

Idle scan zombie port 80 cannot be used because it has not returned any of our probes -- perhaps it is down or firewalled.

I did a SYN scan on the zombie which tells me port 80 is open. I am in a deeply confused state now. Can anyone think of some possible explanation of this behaviour?
digip Posted September 25, 2012

It may block specific ICMP packets, but not be smart enough to block the SYN? Not sure, just hit it with a bunch of scans, see what it does. It could be that it's a honeyport, and returns data to make you think it's open, when really it's sending you garbage data and then going to block you in its firewall or iptables. That is of course unless it's your own machines you are testing in a lab, but some people set up fake ports to respond certain ways, when in reality no service is on the port. If 80 is open, you should be able to open your browser and point to the address with http and a web page should appear. That's one quick way to know for sure. You can also manually change ports over http; most browsers are compliant enough to banner grab even non-standard ports and return whatever it sends back, i.e. http://127.0.0.1:22/ on some site would return the version of SSH running. You can also telnet to the same port and see if it gets an open connection. If it dies immediately, it's probably a honeyport.
Jason Cooper Posted September 25, 2012

Have you read the nmap book section on using an idle scan? Their general advice is if one zombie doesn't work try a few different ones, as you are looking for a very specific network stack configuration for a zombie. They suggest printers and other small network-attached devices, the sort of things with limited resources (I suspect that NAS boxes would also make a good zombie these days).
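The probe exchange behind the trace in the first post (a SYN/ACK to the zombie's port 80, answered by a RST whose IP ID nmap records) and the "very specific network stack" Jason Cooper refers to are both about the zombie's IP ID counter. The following is an added Python example, not nmap's code and not posted by anyone in the thread: it parses packet-trace lines in the format shown above, classifies the zombie's IP ID sequence the way an idle scan needs to, and infers a target port state from the ID jump across one spoofed probe. It runs offline on constructed trace text; the addresses, IDs and the RCVD line layout are assumptions, and the "no-reply" case is the "has not returned any of our probes" situation from the original question.

```python
"""Offline model of the IP ID bookkeeping behind nmap's idle scan (-sI).

Added example, not nmap source. Parses --packet-trace style lines, checks
whether a zombie's RST replies carry a predictable IP ID, and infers a
target port state from the ID jump across a spoofed probe.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Line shape taken from the trace in the thread; the RCVD layout is an assumption.
_LINE_RE = re.compile(
    r"^(?P<dir>SENT|RCVD) \((?P<t>[\d.]+)s\) TCP "
    r"(?P<src>[^:\s]+):(?P<sport>\d+) > (?P<dst>[^:\s]+):(?P<dport>\d+) "
    r"(?P<flags>\S+) ttl=(?P<ttl>\d+) id=(?P<ipid>\d+)"
)

@dataclass
class Packet:
    direction: str   # "SENT" or "RCVD"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str       # nmap flag letters, e.g. "SA", "R", "RA"
    ipid: int

def parse_trace(text: str) -> List[Packet]:
    """Return the TCP packets in a packet-trace dump; lines that do not match are skipped."""
    out = []
    for line in text.splitlines():
        m = _LINE_RE.match(line.strip())
        if m:
            out.append(Packet(m["dir"], m["src"], int(m["sport"]), m["dst"],
                              int(m["dport"]), m["flags"], int(m["ipid"])))
    return out

def zombie_ipids(packets: List[Packet], zombie: str, zombie_port: int) -> List[int]:
    """IP IDs of the RST replies the zombie sent to our SYN/ACK probes (what nmap samples)."""
    return [p.ipid for p in packets
            if p.direction == "RCVD" and p.src == zombie
            and p.sport == zombie_port and "R" in p.flags]

def classify_ipid_sequence(ids: List[int]) -> str:
    """Classify how the zombie assigns IP IDs; only the incremental kinds are usable."""
    if len(ids) == 0:
        return "no-reply"             # nmap: "has not returned any of our probes"
    if len(ids) < 2:
        return "insufficient"
    deltas = {(b - a) % 65536 for a, b in zip(ids, ids[1:])}
    if deltas == {0}:
        return "unchanged"            # constant ID (e.g. always zero): cannot count traffic
    if deltas == {1}:
        return "incremental"
    if deltas == {256}:
        return "broken-incremental"   # byte-swapped counter, still usable with step 256
    return "random"

def ipid_step(kind: str) -> Optional[int]:
    """Per-packet ID increment for a usable zombie class, None if the zombie is unusable."""
    return {"incremental": 1, "broken-incremental": 256}.get(kind)

def infer_port_state(id_before: int, id_after: int, step: int = 1) -> str:
    """Port state from the zombie's ID jump across one spoofed SYN sent to the target.

    open:            target SYN/ACKs the zombie, zombie RSTs it (+step),
                     then answers our next probe (+step)      -> 2*step
    closed|filtered: target RSTs or drops, zombie only answers our probe -> step
    """
    delta = (id_after - id_before) % 65536
    if delta == 2 * step:
        return "open"
    if delta == step:
        return "closed|filtered"
    return "unknown"   # zombie talked to someone else in between; nmap would retry

# Constructed trace excerpts (addresses, ports and IDs are made up for this example).
TRACE_GOOD_ZOMBIE = """\
SENT (0.1033s) TCP 10.0.0.5:42615 > 10.0.0.9:80 SA ttl=44 id=29903 iplen=44 seq=18063 win=1024 <mss 1460>
RCVD (0.1041s) TCP 10.0.0.9:80 > 10.0.0.5:42615 R ttl=128 id=31002 iplen=40 seq=0 win=0
SENT (0.1050s) TCP 10.0.0.5:42615 > 10.0.0.9:80 SA ttl=44 id=29904 iplen=44 seq=18063 win=1024 <mss 1460>
RCVD (0.1058s) TCP 10.0.0.9:80 > 10.0.0.5:42615 R ttl=128 id=31003 iplen=40 seq=0 win=0
SENT (0.1067s) TCP 10.0.0.5:42615 > 10.0.0.9:80 SA ttl=44 id=29905 iplen=44 seq=18063 win=1024 <mss 1460>
RCVD (0.1075s) TCP 10.0.0.9:80 > 10.0.0.5:42615 R ttl=128 id=31004 iplen=40 seq=0 win=0
"""
TRACE_SILENT_ZOMBIE = """\
SENT (0.1033s) TCP 10.0.0.5:42615 > 10.0.0.9:80 SA ttl=44 id=29903 iplen=44 seq=18063 win=1024 <mss 1460>
SENT (0.3033s) TCP 10.0.0.5:42616 > 10.0.0.9:80 SA ttl=44 id=29904 iplen=44 seq=18063 win=1024 <mss 1460>
"""

def assess_zombie(trace: str, zombie: str, zombie_port: int = 80) -> str:
    """Classify a candidate zombie from a packet-trace dump of the probes sent to it."""
    return classify_ipid_sequence(zombie_ipids(parse_trace(trace), zombie, zombie_port))

if __name__ == "__main__":
    print(assess_zombie(TRACE_GOOD_ZOMBIE, "10.0.0.9"))    # incremental
    print(assess_zombie(TRACE_SILENT_ZOMBIE, "10.0.0.9"))  # no-reply
    print(infer_port_state(31004, 31006))                  # open
    print(infer_port_state(31004, 31005))                  # closed|filtered
```

Two points this makes concrete. A zombie whose port is "open" to a SYN scan still fails the idle-scan check if its RST replies never come back or carry a non-incrementing ID, which is why the trace in the first post shows only SENT lines and nmap quits. And the port inference only works while the zombie is otherwise idle: any other traffic through it shifts the counter and yields the "unknown" branch, which is why small, quiet devices make the best zombies.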
Mozamme Hosen Faraizi Posted February 20, 2022

I have used this command to learn idle scan:

nmap -sI 192.168.1.1 -T4 -v -Pn 172.16.1.2

192.168.1.1 = zombie IP ---------- right?
172.16.1.2 = destination IP ------------ right?

Why this message: "Idle scan zombie 192.168.1.1 (192.168.1.1) port 80 cannot be used because it has not returned any of our probes -- perhaps it is down or firewalled. QUITTING!"?

Why this message: "Host discovery disabled (-Pn)."?

Please help me.
dark_pyrro Posted February 20, 2022

I guess the users in this thread won't answer you since it's over 9 years old and the users in it haven't been active for years either. What zombie are you using? What parts of the nmap documentation have you read? -Pn says "Host discovery disabled" because that is what that option does: it disables host discovery. It doesn't "ping" but considers all hosts/IP addresses as "up"/alive.