May 24, 2018

Idle scan

(Figure: Idle scan, the case of an open port)

❑ Idle scan : A port scan in which the attacker probes the target with packets whose source address is spoofed to a third host (the zombie) and reads the result from the zombie's IP ID counter. The target only ever sees the zombie's address, never the attacker's.
* The idle scan does not work for UDP: the target sends nothing back for an open UDP port and an ICMP destination-unreachable message for a closed one, and the zombie answers neither, so its IP ID does not advance in either case and there is nothing to measure.

❑ The principle of idle scan
1. The attacker sends a SYN/ACK to the zombie. The zombie has no such connection, so it answers with a RST; the attacker records the IP ID of that RST.
2. The attacker sends a SYN to the target port with the source IP address spoofed to the zombie's address. The target's reply, if any, goes to the zombie: an open port returns a SYN/ACK, which the zombie answers with a RST (its IP ID advances by one); a closed port returns a RST, which the zombie ignores; a filtered port returns nothing.
3. The attacker sends another SYN/ACK to the zombie and reads the IP ID of the new RST.
→ Open port : The IP ID in (3) is 2 larger than the value in (1) (one increment for the RST sent to the target, one for the RST sent to the attacker).
→ Closed (or filtered) port : The IP ID in (3) is 1 larger than the value in (1).
* Closed and filtered ports cannot be distinguished by an idle scan: in both cases the zombie sends nothing in response to the target.
* The zombie must be truly idle and must assign IP IDs from a single incrementing counter; its own traffic, or per-destination or random IP IDs, makes the difference unreadable. The ID field is 16 bits and wraps around, so the difference is taken modulo 65536.
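The three-step exchange above, and the UDP case from the note at the top, as an added simulation (not nmap's code; no packets are sent): the Zombie and Target classes, their port sets and the starting IP ID are assumptions constructed for the example. It also shows the 16-bit wrap-around of the IP ID and what a zombie that is not actually idle does to the result.

```python
"""Constructed model of the three-step idle-scan exchange.

Added illustration, not nmap's code and not real packets: Zombie and Target
stand in for the hosts, and the attacker's inference is the arithmetic on the
zombie's IP ID that the notes describe.
"""
from dataclasses import dataclass, field

IPID_MOD = 1 << 16  # the IP Identification field is 16 bits wide, so it wraps


@dataclass
class Zombie:
    """Idle host with one global, incrementing IP ID counter (assumed start value)."""
    ipid: int = 1000

    def _send_packet(self) -> int:
        """Every packet the zombie emits takes the next IP ID."""
        self.ipid = (self.ipid + 1) % IPID_MOD
        return self.ipid

    def on_syn_ack(self) -> int:
        """An unsolicited SYN/ACK is answered with a RST; return that RST's IP ID."""
        return self._send_packet()

    def on_rst(self) -> None:
        """An unsolicited RST is dropped silently: no packet, no increment."""

    def on_icmp_unreachable(self) -> None:
        """ICMP port unreachable is not answered: no packet, no increment."""

    def background_traffic(self, packets: int) -> None:
        """A zombie that is not idle sends packets of its own between our probes."""
        for _ in range(packets):
            self._send_packet()


@dataclass
class Target:
    """Scanned host; the port sets are assumptions for the simulation."""
    open_tcp: set = field(default_factory=set)
    filtered_tcp: set = field(default_factory=set)
    open_udp: set = field(default_factory=set)

    def reply_to_syn(self, port: int):
        if port in self.filtered_tcp:
            return None  # a firewall drops the SYN; nothing reaches the zombie
        return "SYN/ACK" if port in self.open_tcp else "RST"

    def reply_to_udp(self, port: int):
        return None if port in self.open_udp else "ICMP_UNREACHABLE"


def idle_scan_port(zombie: Zombie, target: Target, port: int,
                   proto: str = "tcp", zombie_noise: int = 0) -> str:
    """Run steps (1)-(3) for one port and classify it from the zombie's IP ID delta."""
    # (1) Probe the zombie directly and record the IP ID of its RST.
    ipid_before = zombie.on_syn_ack()

    # (2) Spoofed probe to the target with the zombie as source address.
    #     Whatever the target replies is delivered to the zombie, not to us.
    if proto == "tcp":
        reply = target.reply_to_syn(port)
        if reply == "SYN/ACK":
            zombie.on_syn_ack()           # zombie RSTs the unexpected SYN/ACK: +1
        elif reply == "RST":
            zombie.on_rst()               # ignored: +0
    else:
        reply = target.reply_to_udp(port)
        if reply == "ICMP_UNREACHABLE":
            zombie.on_icmp_unreachable()  # ignored: +0 (an open UDP port sends nothing at all)

    # Traffic the zombie generates on its own while we wait (zero for a true idle host).
    zombie.background_traffic(zombie_noise)

    # (3) Probe the zombie again and compare the IP IDs modulo 2^16.
    ipid_after = zombie.on_syn_ack()
    delta = (ipid_after - ipid_before) % IPID_MOD
    if delta == 2:
        return "open"
    if delta == 1:
        return "closed|filtered"
    return "unknown"  # zombie not idle or a probe was lost; retry or pick another zombie


def scan(zombie: Zombie, target: Target, ports, proto: str = "tcp") -> dict:
    """Classify each port in turn with the same zombie."""
    return {p: idle_scan_port(zombie, target, p, proto) for p in ports}


if __name__ == "__main__":
    z = Zombie(ipid=1000)
    t = Target(open_tcp={80, 443}, filtered_tcp={22}, open_udp={53})
    print(scan(z, t, [22, 25, 80, 443]))             # filtered 22 and closed 25 look alike
    print(scan(z, t, [53, 9], proto="udp"))          # open 53 and closed 9 look alike
    print(idle_scan_port(Zombie(ipid=65534), t, 80))  # wrap-around still reads as open
```

A zombie with only one packet of its own traffic between the probes turns a closed port into a false "open", which is why nmap insists on an idle host and re-probes when the deltas are inconsistent; the `zombie_noise` argument reproduces that failure.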

❑ How to do idle scan : # nmap -Pn -p- -sI [Zombie]:[Port] [Target]
* e.g. # nmap -Pn -p- -sI 192.168.10.5 192.168.100.52
-Pn : Skip host discovery. Without it nmap pings the target from the attacker's real address before the scan, which defeats the purpose of the zombie.
-p- : Scan all 65,535 TCP ports.
-sI : TCP idle scan.
[Zombie] : The idle host whose IP ID counter is used for the scan. nmap checks the zombie's IP ID behaviour before it starts; a candidate can also be tested beforehand with the ipidseq NSE script (--script ipidseq).
[Port] : The zombie port to which the attacker's SYN/ACK probes are sent (optional; port 80 is used when it is omitted).
[Target] : The system whose ports are being scanned.