There is no doubt that information gathering is one of the topics that hackers are most required to master; it consists of active and passive scanning. Active scanning is considered an essential factor in a successful penetration testing project. While it is extremely powerful, it is also complex: hackers choose between different scanning techniques depending on the situation they face when mapping the network. Moreover, hackers are mostly concerned about exposing their identity during this process. Several techniques have been developed to avoid this, and one of the most significant is idle scanning, considered one of the stealthiest scan types; idle scanning can also expose targets through a trusted host. So what is idle scanning? How does it hide the attacker's IP? And how is it performed?
Idle scan is the process of detecting a target's ports and running services through an idle host, using a spoofed source IP address together with observation of changes in the ID IP (the Identification field of the IP header, also known as the IP ID). The procedure relies on two things: Source Address spoofing and tracking the Identification field in the IP header. To understand the concept, the IP header will be examined, along with the Identification and Source Address fields and how they can be exploited to perform the idle scan.
This will be shown by analysing a simple SYN scan first, followed by an idle scan. A SYN scan is known as a half-open connection: the attacker first sends a SYN packet using a scanning tool (for example NMAP or hping2) to the target, as shown below.
Next, a SYN/ACK packet is sent back to the attacker.
Lastly, the attacker ends the connection with a RST packet (RST flag = 1).
This scan type obviously exposes the attacker's IP address to the target. Now let us see how the idle scan differs from the SYN scan. The first step of performing an idle scan is to find an idle host. Speaking of which, what is an idle host? A host that is online and is not currently receiving or transmitting packets. For example, if you leave your laptop on while taking a shower, your computer is at risk of being an idle host at that time, and thus of taking the blame for a filthy scan attack! What are the reasons behind this?
Step one - Finding an idle host:
It is possible to determine whether or not a host is idle by analysing the Identification field in the IP header of the packets it sends.
Hang on, what is the purpose of the Identification field? It mainly serves fragmentation: the operating system increments an internal ID IP (Identification) counter by 1 every time a datagram is sent over the network, so that fragments belonging to different datagrams are not confused with each other. Because the operating system keeps one such counter for the whole host, two consecutive replies whose ID IP differs by exactly 1 show that the host sent nothing else in between, i.e. it is idle. The Attacker can check this by provoking replies from the host, as shown below (in the following example, "Target" refers to the candidate idle host being probed):
Target's ID IP (Identification IP) value = 1234; this is before the Attacker interacts with the Target (no packets have been sent).
Target's ID IP (Identification IP) value = 1235? Nope, it's still 1234; the Target has not sent any packets yet!
Target's ID IP (Identification IP) value = 1235! The Target sent a packet, so its ID IP has incremented by 1.
This process is repeated a couple of times to ensure that the Target's ID IP is incremented by 1 (to 1235) every time a packet is sent; the value 1235 is placed in the Identification field of the IP header of that packet. Thus, an increase of the ID IP by 1 means that the host sent one packet (in this situation the Target is sending a packet back to the Attacker). When the process is repeated a second time, the ID IP of the Target becomes 1236, and so on. In contrast, no change in the ID IP simply means no packets were sent, and increments of other sizes (for example +2, +6, +3) mean that the host is not idle: it is exchanging traffic with other hosts at the same time, and is therefore not suitable to be used as an idle host.
Testing identification tracing of an idle host in a lab:
Now a real example is performed using the hping2 tool. For this lab, the Attacker machine is BackTrack 5, the idle host is Windows 7, and Ubuntu is used as the main target. The aim here is to trace the ID IP of the RST packets coming from the idle host to the Attacker.
Host IPs in this example:
Idle host (Windows 7) = 192.168.1.10
Target (Ubuntu) = 192.168.1.14
One way to do this is to use the command:
hping2 -S [IP] (in this situation, [IP] is the Windows 7 host)
• -S: sets the SYN flag.
It can clearly be seen how the ID IP increments by 1, from 19695 to 19706 (11 packets); thus, this host can be used as a Zombie (the term Zombie is often used for the idle host). Now that the "Identification IP" has been analysed in theory and in practice, it's time to move on to the next step.
Step two - Attacking the target through the idle host:
Now it is possible to scan the target through the idle host that was found, for the purpose of hiding our own IP address (another powerful advantage of this technique is discussed later on). As mentioned before, "Source Address" is the other factor, beside the Identification IP, that contributes to a successful idle scan: the goal here is to scan the target using the idle host's IP address as the source (IP spoofing).
Firstly, the idle host's ID IP needs to be observed and noted, so start by typing the command mentioned before:
hping2 -S [Idle host IP]
While this command is running against the idle host, a spoofed SYN packet (with the idle host's IP as its source) needs to be sent to the target on the specific port we are interested in. To test this, run the command:
hping2 -a [idle host IP] -S -p 23 [Target's IP] -c 1
• -a: spoof the source address.
• -p: destination port.
• -c: packet count (controls how many packets are sent).
In other words, what we are really doing is recording the idle host's ID IP while sending spoofed SYN packets to the target at the same time. Remember that the main goal is to determine the status of a port on the target without exposing the attacker's IP address; Graph.3 shows this process:
Next, if the port we are examining (23 in this case) is open on the Target, the Target will respond to the idle host with a SYN/ACK packet, as shown in Graph.4.
Note that up to this stage, the idle host's ID IP is increasing by one every time it sends a RST packet to the Attacker. In Graph.4 the idle host receives an unexpected SYN/ACK packet from the Target; Graph.5 shows how the idle host deals with this situation.
As can be seen in Graph.5, a RST is sent to the Target as well as to the Attacker, which causes the ID IP of the idle host to increase by 2 (4114); thus, an increase by two indicates that the port we are testing is open. What would happen if the port is closed? You guessed it right! In most cases the idle host will receive a RST packet, which it ignores, so the ID IP of the idle host continues to increase by 1 only. In addition, if the port is filtered, the target will not send any packets back to the idle host, hence the ID IP will again show a +1 increase.
The analysis shown in Graph.3, Graph.4 and Graph.5 will now be summarized and shown in action. After the idle host is found by the steps mentioned earlier, the ID IP of the idle host is noted and at the same time a spoofed packet is sent to the target; the following results are the outcome of two commands:
hping2 -S [Idle host IP]
hping2 -a [idle host IP] -S -p 23 [Target's IP] -c 1
Note: (192.168.1.10 is the idle host’s IP, 192.168.1.14 is the Target’s IP.)
By looking at the id field in the graph, it can be concluded that port 23 is open on the Target host: the id field (the ID IP of the idle host) increases by 1 from 29957 to 29961, then is incremented by two in the next packet (29963). Note that 29962 is missing because two RST packets were sent by the idle host, one to the Attacker and one to the Target.
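The two steps above (checking that a candidate zombie's ID IP advances by exactly 1 per packet, then reading the +1/+2 difference after the spoofed SYN) can be modelled without sending a single packet. The following Python is an added example, not part of the original tutorial or of hping2: the Zombie class is a constructed toy host with a single global IP ID counter, and its randomize option is an assumption modelling a hardened stack, like the newer Linux systems mentioned in the conclusion, whose unpredictable IP IDs leave the attacker with no usable side channel.

```python
import random

# Constructed model (added example, not hping2 output): a toy host whose
# IP ID counter behaves like the Windows 7 zombie in the text.
class Zombie:
    """Host with one global IP ID counter; randomize=True models a hardened stack."""

    def __init__(self, start=19694, randomize=False):
        self.ip_id = start
        self.randomize = randomize
        self._rng = random.Random(7)  # fixed seed so runs are repeatable

    def send(self):
        """Emit one datagram (e.g. the RST answering a probe) and return its IP ID."""
        if self.randomize:
            self.ip_id = self._rng.randrange(65536)  # assumed hardened behaviour
        else:
            self.ip_id = (self.ip_id + 1) % 65536    # classic global counter
        return self.ip_id

    def hear_from_target(self, port_open):
        """The target's reaction to the spoofed SYN: a SYN/ACK (open port) makes
        the zombie emit a RST and consume one IP ID; a RST or silence costs none."""
        if port_open:
            self.send()

def is_usable_zombie(ids):
    """Step one: every consecutive reply must advance the IP ID by exactly 1."""
    return len(ids) > 1 and all((b - a) % 65536 == 1 for a, b in zip(ids, ids[1:]))

def classify(before, after):
    """Step two: +1 means closed or filtered, +2 means open, anything else means
    the zombie was not idle during the probe and the result is unreliable."""
    delta = (after - before) % 65536
    return {1: "closed_or_filtered", 2: "open"}.get(delta, "zombie_not_idle")

def idle_scan_round(zombie, port_open):
    """One round: last RST before the spoofed SYN, the target's reaction, next RST."""
    before = zombie.send()
    zombie.hear_from_target(port_open)
    return classify(before, zombie.send())

if __name__ == "__main__":
    z = Zombie()
    print(is_usable_zombie([z.send() for _ in range(12)]))  # IDs 19695..19706: True
    print(idle_scan_round(z, True), idle_scan_round(z, False))  # open closed_or_filtered
    hardened = Zombie(randomize=True)
    print(is_usable_zombie([hardened.send() for _ in range(12)]))  # no side channel
```

Disabling the randomize flag reproduces the page's numbers exactly; enabling it shows why per-packet random IP IDs are the mitigation the page alludes to.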
In conclusion, this scan type can have a huge effect when it comes to stealth scanning. Additionally, stealth is not its only advantage: it can also be used to identify a host through a trusted host (for example, a printer trusted by a server or a workstation). However, this tactic is sometimes blocked by firewalls and by some newer Linux operating systems, yet evading those is still possible; the next tutorial will discuss how firewalls and trusted hosts come into play in idle scanning.