Idle Scanning Technique

October 19, 2007

This is one of many port-scanning techniques widely used in TCP/IP networking. People use this technique for its invisibility, or what we used to call 'stealth scanning mode'. But unlike the original stealth scan, this idle scanning mode is much harder to trace back.

Idle scanning uses some characteristics of the SYN, ACK and RST packet transmission mechanism. As we know, if we send a SYN packet to a targeted machine for a particular port whose state we don't know (open or closed), the machine will answer that packet. If the port is open, it will send back another SYN packet. Otherwise, it will send a reset (RST) packet.

The other characteristic that makes this scanning technique different from the original stealth scan is that we can 'blame' an innocent machine, so it looks like that machine did the scanning. We call it the 'zombie' machine.

The key to this scanning method is that we know the IP identification (IPID) number of the zombie machine. Then we send a SYN packet to the targeted machine on behalf of the zombie's IP address. The targeted machine will respond to this packet in the way we know well: with a SYN packet if the port is open and an RST packet otherwise. As we send the packet on behalf of the zombie machine, the target will send its response packet back to the zombie. Thus, the IPID of the zombie will increase if it receives another SYN packet, and it will remain the same if the port is closed. Another IPID probe of this zombie machine and voila... we know the port state of the targeted machine without having to be blamed for probing the port.
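To make the IPID side channel concrete, here is an offline simulation of the mechanism described above, added as an example and not part of the original post. It models the three parties (scanner, zombie, target) as plain Python objects with no network access: the target answers a SYN on an open port with a SYN/ACK (the second step of the TCP handshake, the "answer" the post refers to) and a closed port with an RST; the zombie replies to an unsolicited SYN/ACK with an RST, which consumes one IP ID, and silently drops an unsolicited RST. The second half is the defender's side: a small classifier (my own, not a standard tool's) that looks at a host's observed IP ID sequence and flags hosts with a sequential counter, since those are the only ones that can be used as a zombie; the fix is to run an OS that randomizes IP ID. All class names, functions and sample values are constructed for this example.

```python
"""Offline simulation of the idle-scan IP ID side channel, plus a defender's
check for hosts whose IP ID counter is sequential (i.e. usable as a zombie).
Nothing here touches the network; every packet is a method call."""
from dataclasses import dataclass, field


@dataclass
class Zombie:
    """A host with a single global, sequential IP ID counter (the 'zombie').
    Every packet it sends advances ipid by one."""
    ipid: int = 1000  # constructed starting value

    def send(self) -> int:
        self.ipid = (self.ipid + 1) % 65536
        return self.ipid

    def receive(self, kind: str) -> None:
        # An unsolicited SYN/ACK violates the handshake, so the zombie answers
        # with an RST (one packet sent, IP ID advances). An unsolicited RST is
        # simply dropped, so nothing is sent and the counter is unchanged.
        if kind == "SYN/ACK":
            self.send()


@dataclass
class Target:
    """The scanned host: open port -> SYN/ACK, closed port -> RST."""
    open_ports: set = field(default_factory=set)

    def reply_to_syn(self, port: int) -> str:
        return "SYN/ACK" if port in self.open_ports else "RST"


def probe_ipid(zombie: Zombie) -> int:
    """Scanner sends one SYN/ACK to the zombie and reads the IP ID of the RST
    it gets back. The probe itself always costs one increment."""
    zombie.receive("SYN/ACK")
    return zombie.ipid


def idle_scan_port(target: Target, zombie: Zombie, port: int) -> str:
    """Infer one port's state on the target purely from the zombie's IP ID."""
    before = probe_ipid(zombie)
    # Spoofed SYN whose source is the zombie: the target answers the zombie,
    # never the scanner.
    zombie.receive(target.reply_to_syn(port))
    after = probe_ipid(zombie)
    # The second probe accounts for +1 on its own. A gap of 2 means the target's
    # SYN/ACK forced the zombie to send an extra RST, i.e. the port is open.
    return "open" if (after - before) % 65536 == 2 else "closed"


def demo() -> dict:
    """Scan three ports of a constructed target through a constructed zombie."""
    target = Target(open_ports={22, 80})
    zombie = Zombie()
    return {p: idle_scan_port(target, zombie, p) for p in (22, 25, 80)}


# Defender's side: is one of *our* hosts usable as a zombie?
# Inputs are IP ID values read from consecutive packets the host sent
# (e.g. pulled from a capture). Both lists below are constructed samples.
SEQUENTIAL_HOST = [1000, 1001, 1002, 1003, 1004]
RANDOM_HOST = [0x1A2B, 0x7F3E, 0x0412, 0xC9D0, 0x5566]


def ipid_predictability(samples: list) -> str:
    """Rough classifier (assumed thresholds, not a standard's): 'incremental'
    hosts expose a readable counter and should have IP ID randomization
    enabled; 'zero' hosts emit no counter at all; 'randomized' is the goal."""
    diffs = [(b - a) % 65536 for a, b in zip(samples, samples[1:])]
    if not diffs:
        return "unknown"
    if all(d == 0 for d in diffs):
        return "zero"
    if all(1 <= d <= 10 for d in diffs):
        return "incremental"  # small positive steps: global sequential counter
    return "randomized"


if __name__ == "__main__":
    print(demo())
    for name, seq in (("sequential", SEQUENTIAL_HOST), ("random", RANDOM_HOST)):
        print(name, "->", ipid_predictability(seq))
```

The `% 65536` arithmetic matters in practice: the IP ID field is 16 bits, so a counter that wraps between two probes would otherwise read as a huge negative gap. The classifier's step threshold of 10 is a deliberate assumption; a busy host sending its own traffic between two observations will show larger gaps, which is also exactly why a noisy zombie gives unreliable results to a scanner.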
