Retourner au contenu associé (dépêche : Scan par témoin)
Posté par Aurélien Jarno (site web personnel) le 21 janvier 2002 à 11:55. En réponse à la dépêche Scan par témoin. Évalué à 0.
AltStyle によって変換されたページ (->オリジナル) / アドレス: モード: デフォルト 音声ブラウザ ルビ付き 配色反転 文字拡大 モバイル
[^] # Re: nmap -sI
Posté par Aurélien Jarno (site web personnel) . En réponse à la dépêche Scan par témoin. Évalué à 0.
man nmap :
-sI <zombie host[:probeport]>
Idlescan: This advanced scan method allows for a
truly blind TCP port scan of the target (meaning no
packets are sent to the target from your real IP
address). Instead, a unique side-channel attack
exploits predictable "IP fragmentation ID" sequence
generation on the zombie host to glean information
about the open ports on the target. IDS systems
will display the scan as coming from the zombie
machine you specify (which must be up and meet cer
tain criteria). I am planning to put a more
detailed explanation up at http://www.inse(...(...))
cure.org/nmap/nmap_documentation.html in the near
future.
Besides being extraordinarily stealthy (due to its
blind nature), this scan type permits mapping out
IP-based trust relationships between machines. The
port listing shows open ports from the perspective
of the zombie host. So you can try scanning a tar
get using various zombies that you think might be
trusted (via router/packet filter rules). Obvi
ously this is crucial information when prioritizing
attack targets. Otherwise, you penetration testers
might have to expend considerable resources "own
ing" an intermediate system, only to find out that
its IP isn't even trusted by the target host/net
work you are ultimately after.
a particular port on the zombie host for IPID
changes. Otherwise Nmap will use the port it uses
by default for "tcp pings".