||12-10-2004 05:08 AM
Nmap with Idle scan
I am starting to learn the principles of the idle-scan technique.
I had a strange problem at first. I have an box running Windows 98 that is up and runs an old version of a webserver. I sat this up to use it as a zombie.
Now, from my Linux box I checked with hping and it shows that the id increases just as it's supposed to do.
But when I tried to scan another computer that I have on a different host using my own zombie I got the error that said:
Idlescan zombie xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx) port 80 cannot be used
because IPID sequencability class is: Busy server or unknown class. Try another proxy.
Now at school I connected to my box at home via ssh and tried to scan my own host and with another zombie. Success.
Then I tried to use the same zombie on another host but that gave me the error:
Idlescan using zombie xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx:80); Class: Incremental
Even though your Zombie (220.127.116.11; 18.104.22.168) appears to be vulnerable to IPID sequence predict
ion (class: Incremental), our attempts have failed. This generally means that either the Zombie uses
a separate IPID base for each host (like Solaris), or because you cannot spoof IP packets (perhaps you
r ISP has enabled egress filtering to prevent IP spoofing), or maybe the target network recognizes the
packet source as bogus and drops them
The zombie is the same and it's under the same ISP as I have. At the attempt that ended in success I scanned my computer from my computer but using a zombie under the same ISP within the city network.
Then I changed the target from being (me) under the same ISP to another ISP and that ended in the error shown above. Just for checking I did the scan again that scanned my box and it still ended in success.
What is the problem here?