If an attacker’s computer sends an IPID of 24333 to a zombie (Idle Scanning) computer on a closed port, what will be the response?

A.
The zombie computer will respond with an IPID of 24334.

B.
The zombie computer will respond with an IPID of 24333.

C.
The zombie computer will not send a response.

D.
The zombie computer will respond with an IPID of 24335.




AnonymousToo

A.

Closed port increments by 1.

The Answer

The answer would be A if the question asked if the “victim” port was closed. The question states that the zombie port is closed, so you will not get a response (C).

It is a misleading question because you assume that the closed port is on the victim. After all, why would you do an idle scan knowing that the zombie you are using isn’t going to provide you the info you need… Trick.

I hate trick questions like this. You know the answer and the idea behind idle scanning, but they trick you with misleading illogic.

Buz

Yes, “The Answer”, I understand your point, but in any case the attacker does not send an IPID; it receives an IPID in return from the zombie!

The Answer

Exactly. This is a trick question. You knew the theory and what the correct answer should be if they weren’t playing games. But the way they decided to word the question was purposely intended to trip people up.

aa

An increase of one indicates that the zombie hasn’t sent out any packets, except for its reply to the attacker’s probe. This lack of sent packets means that the port is not open (the target must have sent the zombie either a RST packet, which was ignored, or nothing at all). An increase of two indicates that the zombie sent out a packet between the two probes. This extra packet usually means that the port is open (the target presumably sent the zombie a SYN/ACK packet in response to the forged SYN, which induced a RST packet from the zombie). Increases larger than two usually signify a bad zombie host. It might not have predictable IP ID numbers, or might be engaged in communication unrelated to the idle scan.
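
The IPID arithmetic described in the comment above, as an added example that is not part of the original page or of Nmap: a small Python model of a zombie with a single global, incrementing IPID counter and a target with open, closed and filtered ports. The `Zombie`, `Target` and `idle_scan` names, the starting IPID of 24333, and the `busy_packets` knob (packets the zombie sends on its own between the two probes) are assumptions made for the illustration. The model also covers the two side points raised in the thread: a plain SYN from the attacker to the zombie's own closed port gets a RST/ACK that consumes one IPID, and the 16-bit IPID field wraps, so the delta must be computed modulo 65536.

```python
"""Simplified model of idle (zombie) scanning: IPID deltas of 1, 2 and >2.

Added example; not code from the page or from Nmap.  Names and the
starting IPID value are assumptions, chosen to match the question above.
"""
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

IPID_MOD = 1 << 16  # the IP identification field is 16 bits wide, so it wraps


@dataclass
class Target:
    """The real target: open ports, firewalled ports; everything else is closed."""
    open_ports: Set[int] = field(default_factory=set)
    filtered_ports: Set[int] = field(default_factory=set)

    def receive_syn(self, port: int) -> Optional[str]:
        """Flags the target sends back for a SYN to `port` (None = dropped)."""
        if port in self.filtered_ports:
            return None  # firewall drops it silently, nothing reaches the zombie
        if port in self.open_ports:
            return "SA"  # SYN/ACK
        return "RA"      # closed port answers with RST/ACK


@dataclass
class Zombie:
    """An idle host whose IPID counter is global and increments by one per
    packet sent (the property that makes it usable as a zombie)."""
    ipid: int = 24333                     # assumed starting value
    open_ports: Set[int] = field(default_factory=lambda: {80})
    busy_packets: int = 0                 # unrelated traffic between probes

    def _send(self) -> int:
        """Every packet the zombie emits consumes one IPID value."""
        self.ipid = (self.ipid + 1) % IPID_MOD
        return self.ipid

    def receive(self, flags: str) -> Optional[int]:
        """Unsolicited SYN/ACK -> RST (IPID consumed); unsolicited RST -> ignored."""
        if flags == "SA":
            return self._send()
        return None

    def receive_syn(self, port: int) -> Tuple[str, int]:
        """A SYN aimed at the zombie itself: SYN/ACK if open, RST/ACK if closed.
        Either reply is a packet, so one IPID is consumed and returned."""
        flags = "SA" if port in self.open_ports else "RA"
        return flags, self._send()


def ipid_delta(before: int, after: int) -> int:
    """Difference of two observed IPIDs, tolerant of 16-bit wrap-around."""
    return (after - before) % IPID_MOD


def probe_zombie(zombie: Zombie) -> int:
    """Attacker sends SYN/ACK to the zombie and reads the IPID of the RST."""
    ipid = zombie.receive("SA")
    assert ipid is not None
    return ipid


def idle_scan(zombie: Zombie, target: Target, port: int) -> str:
    """Classify `port` on `target` by bouncing a spoofed SYN off the zombie."""
    before = probe_zombie(zombie)
    # Spoofed SYN with the zombie's address as source: the target's reply,
    # if any, goes to the zombie, not to the attacker.
    reply = target.receive_syn(port)
    if reply is not None:
        zombie.receive(reply)
    for _ in range(zombie.busy_packets):  # noise from a non-idle zombie
        zombie._send()
    after = probe_zombie(zombie)
    delta = ipid_delta(before, after)
    if delta == 1:
        return "closed|filtered"
    if delta == 2:
        return "open"
    return "unreliable zombie"


if __name__ == "__main__":
    target = Target(open_ports={22}, filtered_ports={443})
    for port in (22, 25, 443):
        print(port, idle_scan(Zombie(), target, port))
    print("zombie's own closed port:", Zombie().receive_syn(443))
```

Note that the attacker only ever learns the zombie's IPID from a reply it elicits; before the first probe there is nothing to compare against, and a zombie that filters the probed port sends nothing at all, which is the "no response" case discussed in this thread.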

francesco

The answer is A. If the port of the zombie is closed, the zombie will reply with a RST/ACK, therefore incrementing the sequence number by 1 and using it in the ack field.

tcpdump -i wlan0 host 192.168.1.1 and port 234 -s 0 -S

22:19:26.310654 IP 192.168.1.103.46238 > ..234: Flags [S], seq 879392997, win 1024, options [mss 1460], length 0
22:19:26.312349 IP ..234 > 192.168.1.103.46238: Flags [R.], seq 0, ack 879392998, win 0, length 0

The zombie in this case is 192.168.1.103 and I did a Syn Scan against it. So the sequence number of the zombie in this case is 0. I think the question was referring to the ack number of the zombie, not the sequence number.

Eddie Guerrero

Yes, trick question indeed, nice one! They’re talking the interaction between you and the zombie that has a closed port you tried to idle scan through, not the real intended target you would use the zombie on, through an open zombie port. IPID-wise, your interaction with the zombie would be the same as the zombie against a target with a closed port (no response ignoring unsolicited RST and the zombie’s IPID stays the same on itself- but to you incremented only 1 since you went through zombie to get to the blocked target). So here, you were not even successful in GOING THROUGH the zombie, there is no increment in IPID and you got no response! So “C” has to be correct.

wat

If an attacker’s computer sends an IPID of 24333 to a zombie (Idle Scanning) computer on a closed port, then the zombie should send a RST packet back to the attacker.

However, the IPID of RST packet can’t be predicted since we haven’t observed it earlier.

Option C would be correct if zombie was filtering its ports.

Ze

The answer is that there will be no response.

Some facts to take into consideration:

1- there is no spoofed IP address
2- the client IP address port is closed

So it will be either no response or a +1 increment, and since we are talking about a closed port, we are not expecting any response from the client.