Introduction
In this lab, you will learn how to perform idle scanning using Nmap. The lab guides you through the process of identifying a zombie host on a network using a ping scan (nmap -sn). This initial step helps discover active hosts, which is crucial for selecting a suitable zombie host for the idle scan.
The lab then demonstrates how to execute an idle scan (nmap -sI) against a target, using the identified zombie host. You'll explore options for increasing verbosity (-v), targeting specific ports (-p), and saving the scan results to a file (-oN). Finally, you'll analyze the results of the idle scan within the Xfce terminal.
Identify zombie host with nmap -sn 192.168.1.0/24
In this step, we will use nmap to discover live hosts on the network 192.168.1.0/24. This is a fundamental step in network scanning and reconnaissance. The -sn option in nmap performs a ping scan, which means it only tries to determine if hosts are up, without performing port scanning. This is useful for quickly identifying active hosts on a network.
Before we start, let's understand the command:
- nmap: The network mapper tool.
- -sn: This option tells Nmap to perform a ping scan (host discovery) only. It disables port scanning.
- 192.168.1.0/24: This is the target network in CIDR notation. /24 means that the first 24 bits of the IP address are fixed and the last 8 bits can vary, giving a range of 256 IP addresses, of which 192.168.1.1 to 192.168.1.254 are usable host addresses (the network and broadcast addresses are excluded).
Now, let's execute the command. Open your Xfce terminal and type the following:
sudo nmap -sn 192.168.1.0/24
You will be prompted for your password. Since the labex user has sudo privileges without a password, just press Enter.
The output will show the hosts that are up on the network. It might look something like this:
Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:00 UTC
Nmap scan report for 192.168.1.1
Host is up (0.00023s latency).
Nmap scan report for 192.168.1.2
Host is up (0.00031s latency).
Nmap scan report for 192.168.1.100
Host is up (0.00045s latency).
Nmap done: 256 IP addresses (3 hosts up) scanned in 2.50 seconds
This output indicates that 192.168.1.1, 192.168.1.2, and 192.168.1.100 are up on the network. The specific IP addresses that are up may vary in your environment. We will use 192.168.1.2 as the zombie host in the following steps, and 192.168.1.1 as the target.
Run idle scan with nmap -sI 192.168.1.2 192.168.1.1
In this step, we will perform an idle scan using nmap. Idle scan is an advanced scanning technique that allows you to scan a target without revealing your own IP address. It works by exploiting a "zombie" host to bounce the scan off of.
Here's how it works:
- Choose a Zombie Host: You need a host that is mostly idle and has predictable IP ID (IP Identification) sequence generation. In the previous step, we identified 192.168.1.2 as a potential zombie host.
- Send a SYN-ACK to the Zombie: Nmap sends a SYN-ACK packet to the zombie host. The zombie host will respond with an RST packet if it wasn't expecting the SYN-ACK, incrementing its IP ID.
- Send a SYN to the Target via the Zombie: Nmap crafts a SYN packet destined for the target host, but spoofs the source IP address to be the zombie host's IP address.
- Analyze the Zombie's IP ID:
- If the target host's port is closed, it will respond with an RST packet to the zombie. The zombie ignores that RST and sends nothing, so by the time Nmap probes it again its IP ID will have incremented by one (for the RST it sends in reply to Nmap's probe).
- If the target host's port is open, it will respond with a SYN-ACK packet to the zombie. The zombie will then send an RST packet back to the target (since it didn't initiate the connection), which consumes an IP ID; together with the RST it sends in reply to Nmap's next probe, the zombie's IP ID will increment by two.
- Determine Port Status: By observing the changes in the zombie's IP ID, Nmap can determine whether the target port is open or closed.
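To make the IP ID arithmetic above concrete, here is an added Python model of the bookkeeping (example code written for this page, not part of the lab or of Nmap). Nothing is sent on the network: the zombie and target are simulated objects, the 16-bit wrap of the IP ID field is handled, and a busy zombie is included to show why the host must be idle.

```python
# Added example: pure-Python simulation of idle-scan IP ID inference.
# No packets are sent; Zombie and the helpers below are constructed here.
IPID_MOD = 1 << 16  # IP ID is a 16-bit field, so it wraps around


class Zombie:
    """Idle host whose IP stack increments IP ID by one per packet sent."""

    def __init__(self, ipid):
        self.ipid = ipid % IPID_MOD

    def send(self):
        # Every packet the zombie emits (each RST) consumes one IP ID.
        self.ipid = (self.ipid + 1) % IPID_MOD
        return self.ipid


def probe_zombie(z):
    """Scanner's SYN-ACK probe: the zombie answers with an RST carrying its IP ID."""
    return z.send()


def spoofed_syn(target_port_open, z):
    """A SYN with the zombie's address as source reaches the target; model the replies."""
    if target_port_open:
        # Target sends SYN-ACK to the zombie; the zombie never sent a SYN,
        # so it replies with an RST to the target, consuming one IP ID.
        z.send()
    # Closed port: the target's RST reaches the zombie, which silently drops it.


def classify(delta):
    """Map the IP ID delta observed between two zombie probes to a port state."""
    if delta == 1:
        return "closed|filtered"  # only the RST to the second probe
    if delta == 2:
        return "open"             # RST to target + RST to the second probe
    return "unreliable"           # zombie not idle, or IP ID not incremental


def idle_probe(target_port_open, z, background_packets=0):
    before = probe_zombie(z)
    spoofed_syn(target_port_open, z)
    for _ in range(background_packets):   # traffic from a non-idle zombie
        z.send()
    after = probe_zombie(z)
    return classify((after - before) % IPID_MOD)


def ipid_class(samples):
    """Judge zombie suitability from consecutive IP IDs (only the incremental case is modelled)."""
    deltas = [(b - a) % IPID_MOD for a, b in zip(samples, samples[1:])]
    return "Incremental" if all(d == 1 for d in deltas) else "Unsuitable"
```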
Now, let's execute the idle scan command. Open your Xfce terminal and type the following:
sudo nmap -sI 192.168.1.2 192.168.1.1
Here's a breakdown of the command:
- nmap: The network mapper tool.
- -sI 192.168.1.2: This option specifies the idle scan and sets 192.168.1.2 as the zombie host.
- 192.168.1.1: This is the target host that we want to scan.
You will be prompted for your password. Since the labex user has sudo privileges without a password, just press Enter.
The output will show the open ports on the target host (192.168.1.1), as determined by the idle scan. The results might look something like this:
Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:05 UTC
Idle scan using zombie 192.168.1.2 (192.168.1.2:80); Class: Incremental
Nmap scan report for 192.168.1.1
Host is up (0.00029s latency).
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 15.23 seconds
This output indicates that ports 22 (SSH) and 80 (HTTP) are open on the target host 192.168.1.1. Note that the specific open ports may vary depending on the target system's configuration.
Add verbosity with nmap -v -sI 192.168.1.2 192.168.1.1
In this step, we will add verbosity to the idle scan command from the previous step. Verbosity in nmap provides more detailed information about the scan process, which can be helpful for understanding what's happening and troubleshooting any issues.
The -v option increases the verbosity level. You can use it multiple times (e.g., -vv or -vvv) for even more detailed output. For this lab, we'll use a single -v.
Let's execute the command with verbosity. Open your Xfce terminal and type the following:
sudo nmap -v -sI 192.168.1.2 192.168.1.1
Here's a breakdown of the command:
- nmap: The network mapper tool.
- -v: This option increases the verbosity level.
- -sI 192.168.1.2: This option specifies the idle scan and sets 192.168.1.2 as the zombie host.
- 192.168.1.1: This is the target host that we want to scan.
You will be prompted for your password. Since the labex user has sudo privileges without a password, just press Enter.
The output will be more detailed than the previous idle scan. It will show information about the packets being sent, the IP ID values of the zombie host, and the reasoning behind the port status determination. The output might look something like this (the exact output will vary):
Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:10 UTC
NSE: Loaded 0 scripts for scanning.
Initiating Idle scan for 192.168.1.1
Scanning 192.168.1.1 [1000 ports]
Idle scan using zombie 192.168.1.2 (192.168.1.2:80); Class: Incremental
Sending TCP SYN to 192.168.1.1:22
Got SYN-ACK from 192.168.1.1:22
PORT STATE SERVICE
22/tcp open ssh
Sending TCP SYN to 192.168.1.1:80
Got SYN-ACK from 192.168.1.1:80
PORT STATE SERVICE
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 16.54 seconds
The verbose output provides insights into the scanning process, making it easier to understand how the idle scan works and to diagnose any potential problems.
Scan specific port with nmap -sI 192.168.1.2 -p 80 192.168.1.1
In this step, we will focus our idle scan on a specific port. This is useful when you want to quickly check the status of a particular service without scanning all ports. We will scan port 80 (HTTP) on the target host.
The -p option in nmap allows you to specify the port(s) you want to scan. You can specify a single port, a range of ports (e.g., 1-100), or a comma-separated list of ports (e.g., 22,80,443). In this case, we'll scan only port 80.
Let's execute the command to scan port 80 using the idle scan technique. Open your Xfce terminal and type the following:
sudo nmap -sI 192.168.1.2 -p 80 192.168.1.1
Here's a breakdown of the command:
- nmap: The network mapper tool.
- -sI 192.168.1.2: This option specifies the idle scan and sets 192.168.1.2 as the zombie host.
- -p 80: This option specifies that we want to scan only port 80.
- 192.168.1.1: This is the target host that we want to scan.
You will be prompted for your password. Since the labex user has sudo privileges without a password, just press Enter.
The output will show whether port 80 is open or closed on the target host (192.168.1.1). The results might look something like this:
Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:15 UTC
Idle scan using zombie 192.168.1.2 (192.168.1.2:80); Class: Incremental
Nmap scan report for 192.168.1.1
Host is up (0.00031s latency).
PORT STATE SERVICE
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 14.87 seconds
This output indicates that port 80 (HTTP) is open on the target host 192.168.1.1. If the port were closed, the output would show closed instead of open.
Save idle results with nmap -sI 192.168.1.2 -oN idle.txt 192.168.1.1
In this step, we will save the results of our idle scan to a file. This is useful for later analysis or for reporting purposes. We will use the -oN option to save the results in a "normal" format to a file named idle.txt.
The -oN option tells nmap to save the output in a human-readable format, which is easy to read and understand. Other output formats are available (e.g., -oX for XML, -oG for Grepable output), but for this lab, we'll use the normal format.
Let's execute the command to save the idle scan results to a file. Open your Xfce terminal and type the following:
sudo nmap -sI 192.168.1.2 -oN idle.txt 192.168.1.1
Here's a breakdown of the command:
- nmap: The network mapper tool.
- -sI 192.168.1.2: This option specifies the idle scan and sets 192.168.1.2 as the zombie host.
- -oN idle.txt: This option tells nmap to save the output in normal format to a file named idle.txt.
- 192.168.1.1: This is the target host that we want to scan.
You will be prompted for your password. Since the labex user has sudo privileges without a password, just press Enter.
After the scan completes, the results will be saved to a file named idle.txt in your current directory (~/project). You won't see any output in the terminal, as the output is being redirected to the file.
To verify that the file was created and contains the scan results, you can use the cat command to display the contents of the file:
cat idle.txt
The output will show the scan results, similar to what you saw in the previous steps, but now it's saved in a file. The output might look something like this:
## Nmap 7.80 scan initiated Fri Oct 27 10:20:00 2023 as: nmap -sI 192.168.1.2 -oN idle.txt 192.168.1.1
Idle scan using zombie 192.168.1.2 (192.168.1.2:80); Class: Incremental
Nmap scan report for 192.168.1.1
Host is up (0.00031s latency).
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
## Nmap done at Fri Oct 27 10:20:15 2023 -- 1 IP address (1 host up) scanned in 15.00 seconds
Now you have the idle scan results saved in a file for further analysis.
Analyze idle scan in Xfce terminal
In this step, we will analyze the results of the idle scan that we saved to the idle.txt file in the previous step. We'll use the grep command to extract specific information from the file, and discuss how to interpret the results.
First, let's display the contents of the idle.txt file using the cat command to refresh our memory of the scan results. Open your Xfce terminal and type the following:
cat idle.txt
You should see the output of the nmap scan, including information about the target host and the status of the scanned ports.
Now, let's use grep to find specific information. For example, to find out which ports are open, we can use grep to search for lines containing the word "open":
grep "open" idle.txt
This command will display all lines in the idle.txt file that contain the word "open". The output might look something like this:
80/tcp open http
This tells us that port 80 (HTTP) is open on the target host.
You can also use grep to find the target host's IP address:
grep "Nmap scan report for" idle.txt
This command will display the line containing the target host's IP address:
Nmap scan report for 192.168.1.1
Interpreting the Results:
The idle scan results provide information about the target host's open ports. This information can be used to identify potential vulnerabilities or services running on the host.
- Open Ports: An open port indicates that a service is listening on that port and is accepting connections. This could be a web server (port 80), SSH server (port 22), or other service.
- Closed Ports: A closed port indicates that no service is listening on that port.
- Filtered Ports: A filtered port means that nmap cannot determine whether the port is open or closed because a firewall is blocking the connection.
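The grep commands above pull single lines out of idle.txt; for reporting it is usually more useful to parse the normal-format file into a structure. The following added Python example (written for this page, not part of the lab) does that for the -oN layout shown above and goes a little beyond it: it handles several hosts in one file and any port state, not just "open". The embedded idle.txt content is constructed, not captured from a real scan.

```python
import re

# Constructed sample in nmap's -oN (normal) format, modelled on the lab output.
IDLE_TXT = """\
# Nmap 7.80 scan initiated Fri Oct 27 10:20:00 2023 as: nmap -sI 192.168.1.2 -oN idle.txt 192.168.1.1
Idle scan using zombie 192.168.1.2 (192.168.1.2:80); Class: Incremental
Nmap scan report for 192.168.1.1
Host is up (0.00031s latency).
PORT     STATE  SERVICE
22/tcp   open   ssh
80/tcp   open   http
443/tcp  closed https
# Nmap done at Fri Oct 27 10:20:15 2023 -- 1 IP address (1 host up) scanned in 15.00 seconds
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
ZOMBIE_RE = re.compile(r"^Idle scan using zombie (\S+) \((\S+):(\d+)\); Class: (.+)$")
HOST_RE = re.compile(r"^Nmap scan report for (\S+)")


def parse_normal_output(text):
    """Turn nmap -oN text into a dict: zombie info plus a port list per host."""
    report = {"zombie": None, "zombie_class": None, "hosts": []}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#"):
            continue  # "# Nmap ... initiated/done" header and footer lines
        m = ZOMBIE_RE.match(line)
        if m:
            report["zombie"], report["zombie_class"] = m.group(1), m.group(4)
            continue
        m = HOST_RE.match(line)
        if m:
            current = {"host": m.group(1), "ports": []}
            report["hosts"].append(current)
            continue
        m = PORT_RE.match(line)
        if m and current is not None:  # the "PORT STATE SERVICE" header does not match
            current["ports"].append({"port": int(m.group(1)), "proto": m.group(2),
                                     "state": m.group(3), "service": m.group(4)})
    return report


def ports_in_state(report, state):
    """Structured equivalent of `grep open idle.txt`: (host, port) pairs in a given state."""
    return [(h["host"], p["port"]) for h in report["hosts"]
            for p in h["ports"] if p["state"] == state]
```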
By analyzing the open ports, you can gain insights into the services running on the target host and potentially identify vulnerabilities that could be exploited. Remember that idle scanning is a stealthy technique, but it's not foolproof. Network administrators may still be able to detect the scan if they are monitoring network traffic.
This concludes the lab on idle scanning with nmap. You have learned how to identify a zombie host, perform an idle scan, add verbosity, scan specific ports, save the results to a file, and analyze the results in the Xfce terminal.
Summary
In this lab, we began by identifying live hosts on the 192.168.1.0/24 network using nmap -sn 192.168.1.0/24. This ping scan allowed us to quickly discover active hosts, such as 192.168.1.1, 192.168.1.2, and 192.168.1.100, which are essential for subsequent scanning activities. We then prepared to perform an idle scan using 192.168.1.2 as the zombie host and 192.168.1.1 as the target.