Idle/Zombie Scanning 🧟

Sunny Jovita – 2301939046

Week 9

Disclaimer: This blog is for educational purposes only.

During penetration testing, collecting information is the most important stage. The quality of the collected information largely determines how successful the rest of the penetration test will be. Equally important, there are various scanning techniques that attackers use when scanning a target.

Zombie scan, or idle scan, is one of them. Idle scan is a form of port scanning in which the attacker uses another PC, called a zombie, to hide from the target, so that the attacker is hard to trace back.

The PC or device used as a zombie has commonly been compromised or is controlled by an attacker. It is used to carry out a variety of malicious attacks on the target under the remote control of the attacker.

For further explanation, I will show you how the zombie/idle scan works.

The picture above shows a zombie scan in which the victim's port is open: the zombie's IPID is incremented by 2 between the two probes, so the status of the port being scanned is open.

Step 1

The attacker sends a SYN|ACK segment to the zombie device or computer.

Step 2

The zombie responds to the attacker with an RST segment whose IPID is 1765 (the current IPID value of the zombie computer is 1765).

Step 3

The attacker sends a SYN segment to the target with the source IP address spoofed to be the zombie's. Because the source has been changed to the zombie, the target only sees that the packet came from the zombie, not from the attacker.

Step 4

The target responds to the zombie with a SYN|ACK segment (which means the port on the target computer is open). As shown in step 4, the target does not send its response to the attacker but to the zombie computer, because the attacker has spoofed the zombie's IP address and hides behind the zombie, so the target never learns the attacker's real IP address.

Step 5

The zombie receives the SYN|ACK packet from the target and, since it never sent a SYN, responds with an RST segment to the target. Sending that packet increases the zombie's IPID by one (from 1765 to 1766).

Step 6

Now the attacker sends another SYN|ACK segment to the zombie.

Step 7

Finally, the zombie responds to the attacker's SYN|ACK packet with an RST, which increases the IPID by one again, so the IPID is now 1767.

Conclusion

To conclude, the target's port is open because the zombie's IPID was incremented by 2 between the attacker's two probes, from 1765 to 1767. If the port had been closed, the target would have answered with an RST, which the zombie silently ignores, and the IPID would only have advanced by 1 (from 1765 to 1766).
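As an added example (not part of the original post), the following Python model simulates the IPID bookkeeping of steps 1 to 7 offline, using constructed Zombie and Target classes instead of real packets. It also covers two cases the walkthrough does not show: a closed or filtered port, where the IPID advances by only 1, and a zombie that is not actually idle, where unrelated traffic makes the inference wrong.

```python
from __future__ import annotations


class Zombie:
    """Constructed idle host whose IP ID field is one global counter (1765, 1766, ...)."""

    def __init__(self, last_ipid: int) -> None:
        self.last_ipid = last_ipid

    def send(self) -> int:
        """Every packet the zombie emits consumes the next IPID value."""
        self.last_ipid += 1
        return self.last_ipid

    def on_syn_ack(self) -> int:
        """An unsolicited SYN|ACK is answered with an RST; returns that RST's IPID."""
        return self.send()

    def on_rst(self) -> None:
        """An unsolicited RST is dropped silently: no packet sent, no IPID used."""


class Target:
    """Constructed target: open ports answer SYN|ACK, closed ports RST, filtered ports nothing."""

    def __init__(self, open_ports: set[int], filtered_ports: set[int] | None = None) -> None:
        self.open_ports = open_ports
        self.filtered_ports = filtered_ports or set()

    def on_syn(self, port: int) -> str | None:
        if port in self.filtered_ports:
            return None  # dropped by a firewall, nothing reaches the zombie
        return "SYN|ACK" if port in self.open_ports else "RST"


def idle_scan(zombie: Zombie, target: Target, port: int, background_packets: int = 0) -> tuple[int, int, str]:
    """Steps 1-7 of the post; background_packets models a zombie that is not truly idle."""
    ipid_before = zombie.on_syn_ack()   # steps 1-2: probe the zombie, read IPID (1765)
    reply = target.on_syn(port)         # step 3: SYN with the zombie's address; step 4 reply goes to zombie
    if reply == "SYN|ACK":
        zombie.on_syn_ack()             # step 5: zombie answers RST, IPID becomes 1766
    elif reply == "RST":
        zombie.on_rst()                 # closed port: the zombie ignores the RST
    for _ in range(background_packets):
        zombie.send()                   # unrelated traffic from a busy zombie also burns IPIDs
    ipid_after = zombie.on_syn_ack()    # steps 6-7: probe again (1767 if the port was open)
    delta = ipid_after - ipid_before
    if delta == 2:
        state = "open"
    elif delta == 1:
        state = "closed|filtered"       # the zombie cannot tell these two apart
    else:
        state = "unreliable"            # zombie was busy or its IPID is not sequential
    return ipid_before, ipid_after, state
```

With background_packets=1 a closed port is misreported as open, which is why a host with any traffic of its own, or an OS that randomises IP IDs, defeats this scan.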