Detecting and enhancing Zombie scan
Introduction
This is a short post about how to detect a zombie scan, aka idle scan. You can download the PCAP of the example explained HERE; it is recommended to follow along and enjoy it, don't be lazy ;)
Check it for a few moments and see what you can deduce.
Notes of what is happening
1- a6 claiming 103
2- 71 claiming 102
3- b4 claiming 101
4- 103 SYN ACK
   Scan 101?
5- 101 spoofed by 103?
6- Another SYN ACK
   Scan?
Theories
Firewall bypassing attempt: 103 claimed to be 102 because there is an ACL that denies 103 but allows 102?
Zombie Scan
- Zombie => 101
- Target => 102
- Attacker => 103
To bring out the important indicator in Wireshark, add ip.id as a custom column.
Step 1
To enumerate open ports with the zombie scan technique, the attacker needs network interaction with a machine that has very little network traffic with other equipment, so that the ID field in its IP header is predictable enough.
Each time a host sends a RST to another host, the sender increments its own IP ID field.
The attacker spams the zombie host with several SYN ACK packets and checks that it behaves predictably; in this case the ID is incremented from 120 to 130.
More importantly, the attacker records the last ID value.
Step 2
The attacker spoofs the zombie host's address and sends a SYN packet to the target, aimed at the port he wants to enumerate (80 in this case).
The target then responds back to the zombie:
- If the port is open, the answer is a SYN ACK. The zombie is not expecting this communication, so it sends a RST back to the target and increments its IP ID field by one (130+1).
- If the port is closed, the answer is a RST, and the zombie's IP ID field stays the same (130). Recall: the host that sends the RST gets its ID field incremented; receiving one changes nothing.
The attacker cannot capture the response from the target to the zombie, so he cannot yet deduce whether the port is open.
Step 3
Finally, the attacker interrogates the zombie by sending another SYN ACK; the zombie responds with a RST and increments its IP ID field by 1 again.
- If the zombie's IP ID field is (130+1+1), the attacker deduces that port 80 on the target is open to the zombie (no ACL restriction).
- If the zombie's IP ID field is (130+1), the attacker deduces that port 80 on the target is closed to the zombie.
In our case the ID is 131, so the port was closed.
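The three steps above leave a recognizable footprint on the wire: a burst of SYN ACKs that no SYN asked for, each answered by a RST whose ip.id climbs by one, a SYN carrying the zombie's IP address but leaving a different NIC, and then one more probe whose RST reveals the gap. The following Python is an added example, not part of the original post or its PCAP. It builds a constructed packet list modelled on the scenario (the three 192.168.100.x addresses come from the post; MAC addresses, ports and IP ID values are made up) and runs the same ip.id reasoning an analyst does with the Wireshark column, flagging the prober/zombie pair, the spoofed SYN, and what the attacker would have inferred about the target port.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Pkt:
    src: str     # source IP
    dst: str     # destination IP
    sport: int
    dport: int
    flags: str   # TCP flags: "S", "SA", "R" or "RA"
    ipid: int    # IP header identification field (the ip.id column)
    smac: str    # source MAC as seen on the wire


# Addresses from the post; MACs, ports and IP IDs below are constructed for the example.
ATTACKER, ZOMBIE, TARGET = "192.168.100.103", "192.168.100.101", "192.168.100.102"
MAC_ATT, MAC_ZOM, MAC_TGT = "00:11:22:33:44:a6", "00:11:22:33:44:b4", "00:11:22:33:44:71"


def build_sample() -> List[Pkt]:
    pkts: List[Pkt] = []
    # Step 1: six unsolicited SYN ACKs from the attacker; the zombie's RSTs carry IP IDs 125..130
    for i in range(6):
        pkts.append(Pkt(ATTACKER, ZOMBIE, 40000 + i, 80, "SA", 5000 + i, MAC_ATT))
        pkts.append(Pkt(ZOMBIE, ATTACKER, 80, 40000 + i, "R", 125 + i, MAC_ZOM))
    # Step 2: SYN to target:80 carrying the zombie's IP but leaving the attacker's NIC
    pkts.append(Pkt(ZOMBIE, TARGET, 40100, 80, "S", 9999, MAC_ATT))
    # Port closed: the target answers RST; the zombie silently drops it (no IP ID increment)
    pkts.append(Pkt(TARGET, ZOMBIE, 80, 40100, "RA", 700, MAC_TGT))
    # Step 3: the attacker probes again; the zombie's RST now carries 131 (only +1 since 130)
    pkts.append(Pkt(ATTACKER, ZOMBIE, 40006, 80, "SA", 5006, MAC_ATT))
    pkts.append(Pkt(ZOMBIE, ATTACKER, 80, 40006, "R", 131, MAC_ZOM))
    return pkts


def unsolicited_synack_rsts(pkts: List[Pkt]) -> Dict[Tuple[str, str], List[Tuple[int, int]]]:
    """For every SYN ACK that no SYN asked for and that drew a RST, record
    (index of the RST packet, RST's ip.id) under the (prober, replier) pair."""
    syns, pending = set(), set()
    out: Dict[Tuple[str, str], List[Tuple[int, int]]] = defaultdict(list)
    for idx, p in enumerate(pkts):
        four = (p.src, p.dst, p.sport, p.dport)
        reverse = (p.dst, p.src, p.dport, p.sport)
        if p.flags == "S":
            syns.add(four)
        elif p.flags == "SA" and reverse not in syns:      # nobody sent a SYN for this
            pending.add(four)
        elif p.flags in ("R", "RA") and reverse in pending:
            pending.discard(reverse)
            out[(p.dst, p.src)].append((idx, p.ipid))
    return dict(out)


def spoofed_packets(pkts: List[Pkt]) -> List[int]:
    """Indexes of packets whose source IP is normally seen behind a different MAC."""
    macs: Dict[str, Counter] = defaultdict(Counter)
    for p in pkts:
        macs[p.src][p.smac] += 1
    usual = {ip: c.most_common(1)[0][0] for ip, c in macs.items()}
    return [i for i, p in enumerate(pkts) if p.smac != usual[p.src]]


def detect_idle_scan(pkts: List[Pkt], min_probes: int = 3) -> List[dict]:
    """Flag (prober, zombie) pairs with a run of unsolicited SYN ACK -> RST exchanges
    whose ip.id values climb sequentially, then replay the attacker's gap reasoning."""
    findings = []
    for (prober, zombie), rsts in unsolicited_synack_rsts(pkts).items():
        ids = [ipid for _, ipid in rsts]
        sequential = all(0 < b - a <= 2 for a, b in zip(ids, ids[1:]))
        if len(ids) < min_probes or not sequential:
            continue
        finding = {"prober": prober, "zombie": zombie, "ipids": ids, "leaks": []}
        # Steps 2/3: a SYN claiming the zombie's IP between two probes; a gap of 2 means
        # the zombie sent an extra RST, i.e. the target port answered SYN ACK (open)
        for i in spoofed_packets(pkts):
            s = pkts[i]
            if s.flags != "S" or s.src != zombie:
                continue
            before = [ipid for idx, ipid in rsts if idx < i]
            after = [ipid for idx, ipid in rsts if idx > i]
            if before and after:
                gap = after[0] - before[-1]
                verdict = {1: "closed", 2: "open"}.get(gap, "noisy")
                finding["leaks"].append({"target": s.dst, "port": s.dport,
                                         "gap": gap, "inferred": verdict})
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in detect_idle_scan(build_sample()):
        print(f)
```

On a real capture the Pkt records would be filled from a packet library such as scapy (an assumption, not something the post uses); the logic needs only the five-tuple, the TCP flags, ip.id and the source MAC, and it keys on behaviour rather than on any particular port, so the probe ports do not matter to it.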
Enhancement attempt
The attacker's choice of zombie is usually an old machine, maybe a printer during lunch time, or any unpatched host, since the latest OSes make the IP ID unpredictable. The attacker probably ran the following nmap command:
nmap -Pn -p 80 -sI 192.168.100.101 192.168.100.102
If we continue with our printer scenario, we may be able to increase the stealthiness of the scan by asking nmap to use a manually selected random high destination port (63021) and 9100 as the source port when talking to the zombie, to throw off analysts into thinking "it's just a printer trying to communicate with another printer".
nmap -Pn -p 80 -g 9099 -sI 192.168.100.101:63021 192.168.100.102
ManPage TLDR: scan 102 on port 80, using a zombie you communicate with like this: 9099 -> 63021
This technique is an amazing way to enumerate network trust between old running machines and a target; the ACLs applied to them are often long forgotten and may allow more than needed.
This is the result of a good teacher who taught us a lot, and this exercise was one of his.