• [^] # Re: nmap -sI

    Posté par (site web personnel) . En réponse à la dépêche Scan par témoin. Évalué à 0.

    Sur Debian (Woody)



    man nmap :



    -sI <zombie host[:probeport]>

    Idlescan: This advanced scan method allows for a

    truly blind TCP port scan of the target (meaning no

    packets are sent to the target from your real IP

    address). Instead, a unique side-channel attack

    exploits predictable "IP fragmentation ID" sequence

    generation on the zombie host to glean information

    about the open ports on the target. IDS systems

    will display the scan as coming from the zombie

    machine you specify (which must be up and meet cer­

    tain criteria). I am planning to put a more

    detailed explanation up at http://www.inse(...(...))

    ­cure.org/nmap/nmap_documentation.html in the near

    future.



    Besides being extraordinarily stealthy (due to its

    blind nature), this scan type permits mapping out

    IP-based trust relationships between machines. The

    port listing shows open ports from the perspective

    of the zombie host. So you can try scanning a tar­

    get using various zombies that you think might be

    trusted (via router/packet filter rules). Obvi­

    ously this is crucial information when prioritizing

    attack targets. Otherwise, you penetration testers

    might have to expend considerable resources "own­

    ing" an intermediate system, only to find out that

    its IP isn't even trusted by the target host/net­

    work you are ultimately after.



    a particular port on the zombie host for IPID

    changes. Otherwise Nmap will use the port it uses

    by default for "tcp pings".