Idle Scanning With Nmap

[insanelycurioustake2]

I am trying to undertand idle scan in nmap. I feel a little stuck.

Here is what I have done so far:

nmap -PN -p- -sI zombie -r --packet-trace -v target

As part of the packet trace output, nmap tells me that it has send out packets to the zombie on port 80

SENT (0.1033s) TCP source:42615 > zombie:80 SA ttl=44 id=29903 iplen=44 seq=18063 win=1024 <mss 1460>

but nmap complains it did not recieve any reply from the zombie

Idle scan zombie port 80 cannot be used because it has not returned any of our probes -- perhaps it is down or firewalled.

I did a syn scan on the zombie which tells me port 80 is open.

I am in a deeply confused state now. Can anyone think of some possible explaination of this behaviour?

[digip]

It may block specific icmp packets, but not smart enough to block the syn? Not sure, just hit it with a bunch of scans, see what it does. It could be, that its a honeyport, and returns data to make you think its open, when really, its sending you garbage data and then going to block you in its firewall or iptables. That is of course unless its your own machines you are testing in lab, but some people setup fake ports to respond certain ways, when in reality, no service is on the port. If 80 is open, you should be able to open yoru browser and point to the address with http and a web page should appear. Thats 1 quick way to know for sure. You can also manually change ports over http, most browsers are compliant to banner grab even non standard ports adn return whatever it send back, ie: http://127.0.0.1:22/ on some site would return the version of SSH running. You can also telnet to the same port and see if it gets an open connection. if it dies immediately, its probably a honeyport.

[Jason Cooper]

Have you read the nmap book section on using an Idle scan? There general advice is if one zombie doesn't work try a few different ones as you are looking for a very specific network stack configuration for a zombie. They suggest printers and other small network attached devices, the sort of things with limited resources (I suspect that NAS boxes would also make a good zombie these days).

[Mozamme Hosen Faraizi]

i have used this command for learn ideal scan

nmap -sI 192.168.1.1 -T4 -v -Pn 172.16.1.2

192.168.1.1 = zombie IP ---------- right?

172.16.1.2 = destination IP ------------ right ?

why this message " Idle scan zombie 192.168.1.1 (192.168.1.1) port 80 cannot be used because it has not returned any of our probes -- perhaps it is down or firewalled.
QUITTING!" ?

why this message "Host discovery disabled (-Pn)." ?

 

please help me

[dark_pyrro]

I guess the users in this thread won't answer you since it's over 9 years old and users in it haven't been active for years either.

What zombie are you using?

What parts of the nmap documentation have you read? -Pn says "Host discovery disabled" because that is what that option does; disables host discovery. It doesn't "ping" but considers all hosts/IP addresses as "up"/alive.