Chapter 3

This tells us that we've successfully imported the output of our nmap scans into Metasploit, as evidenced by the IP addresses populated when we run the db_hosts command.

Advanced Nmap Scanning: TCP Idle Scan

A more advanced nmap scan method, TCP idle scan, allows us to scan a target stealthily by spoofing the IP address of another host on the network. For this type of scan to work, we first need to locate an idle host on the network that uses incremental IP IDs (which are used to track packet order). When we discover an idle system that uses incremental IP IDs, the IP IDs become predictable, and we can then predict the next ID. However, when spoofing the address of an idle host while scanning a target's responses from open ports, we can see a break in the predictability of the IP ID sequence, which indicates that we have discovered an open port. (To learn more about this module and IP ID sequences, visit http://www.metasploit.com/modules/auxiliary/scanner/ip/ipidseq/.)
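The classification the paragraph describes (is a host's IP ID counter predictable or not?) can be reproduced offline from a handful of IP ID values captured from one host's replies. The following is an added example, not code from the book or from Metasploit's ipidseq module; the category names follow the ones nmap and ipidseq print, while the numeric thresholds are an assumption chosen for illustration. From a defender's side the useful output is usable_as_idle_scan_zombie: any host on your network for which it returns True is leaking its traffic volume through a global IP ID counter, and the fix is a stack that randomizes IP IDs (or sets them to zero).

```python
"""Classify an IP ID sequence the way an idle-scan zombie check does.

Added example; not the book's or Metasploit's code. Input is a list of
16-bit IP ID values taken from successive replies sent by ONE host (for
instance, read out of a packet capture of your own servers). Category
names follow nmap/ipidseq; the thresholds are an assumption for illustration.
"""
from typing import List


def _byteswap16(v: int) -> int:
    """Swap the two bytes of a 16-bit value (some stacks emit IP IDs little-endian)."""
    return ((v & 0xFF) << 8) | ((v >> 8) & 0xFF)


def _deltas(ids: List[int]) -> List[int]:
    """Differences between consecutive IDs, modulo 2**16 so wraparound still reads as +1."""
    return [(b - a) & 0xFFFF for a, b in zip(ids, ids[1:])]


def classify_ipid_sequence(ids: List[int]) -> str:
    """Return a category string for the observed IP ID sequence."""
    if len(ids) < 3:
        raise ValueError("need at least three IP ID samples")
    if any(not 0 <= v <= 0xFFFF for v in ids):
        raise ValueError("IP IDs are 16-bit values")
    if all(v == 0 for v in ids):
        return "All zeros"
    if len(set(ids)) == 1:
        return "Constant"
    d = _deltas(ids)
    # Small positive steps: the host hands out IDs from one global counter,
    # so every packet it sends (to anyone) is visible as a +1 to an observer.
    if all(1 <= x <= 5 for x in d):
        return "Incremental"
    # Same thing, but the counter is written in the wrong byte order.
    if all(1 <= x <= 5 for x in _deltas([_byteswap16(v) for v in ids])):
        return "Broken little-endian incremental"
    # Monotonic but with large, irregular steps (threshold is an assumption).
    if all(1 <= x < 1000 for x in d):
        return "Random positive increments"
    return "Randomized"


def usable_as_idle_scan_zombie(ids: List[int]) -> bool:
    """True when the host's IP IDs are predictable enough for a third party to
    read off its traffic volume, i.e. when it would serve as an idle-scan zombie.
    A defender wants this to be False for every host on the network."""
    return classify_ipid_sequence(ids) in (
        "Incremental",
        "Broken little-endian incremental",
    )


if __name__ == "__main__":
    # Constructed samples: a quiet legacy host with a global counter,
    # and a modern stack that randomizes its IP IDs.
    samples = {
        "legacy host": [4120, 4121, 4122, 4123, 4124],
        "hardened host": [52041, 7, 61233, 1899, 30405],
    }
    for label, ids in samples.items():
        print(f"{label:14s} {classify_ipid_sequence(ids):34s} "
              f"zombie={usable_as_idle_scan_zombie(ids)}")
```

Run it against IP IDs pulled from a capture of each host you own; the ipidseq module reports the same kind of verdict over the network, but the offline check lets you audit a fleet without sending any probes.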

Use the Framework's scanner/ip/ipidseq module to scan for a host that fits the TCP idle scan requirements, as shown next:

msf > use auxiliary/scanner/ip/ipidseq
msf auxiliary(ipidseq) > show options

Module options:

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   GWHOST                      no        The gateway IP address
   INTERFACE                   no        The name of the interface
   LHOST                       no        The local IP address
   RHOSTS                      yes       The target address range or CIDR identifier
   RPORT      80               yes       The target port
   SNAPLEN    65535            yes       The number of bytes to capture
   THREADS    1                yes       The number of concurrent threads
   TIMEOUT    500              yes       The reply read timeout in milliseconds

This listing displays the required options for the ipidseq scan. One notable one, RHOSTS, can take IP ranges (such as 192.168.1.20-192.168.1.30); Classless Inter-Domain Routing (CIDR) ranges (such as 192.168.1.0/24); multiple ranges separated by commas (such as 192.168.1.0/24, 192.168.3.0/24); and a text file with one host per line (such as file:/tmp/hostlist.txt). All these options give us quite a bit of flexibility in specifying our targets.
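To make the RHOSTS forms concrete, here is an added example (not the book's or Metasploit's own code; Metasploit does this with its Rex::Socket::RangeWalker class) that expands a specification written in those forms into the list of addresses it covers. It handles the four forms the text lists, plus a single address. Assumptions: a CIDR block expands to every address in it, network and broadcast included; blank lines and lines beginning with '#' in a host file are skipped; read_file is a hypothetical hook so a host list can be supplied without touching disk.

```python
"""Expand a Metasploit-style RHOSTS specification into a list of addresses.

Added example, not the book's or Metasploit's code. Assumptions: a CIDR
block expands to all of its addresses (network and broadcast included),
and '#' lines and blank lines in a host file are ignored.
"""
import ipaddress
from typing import Callable, List, Set


def _read_path(path: str) -> str:
    """Default reader for file:/path entries."""
    with open(path, "r", encoding="utf-8") as fh:
        return fh.read()


def _expand_token(token: str, read_file: Callable[[str], str]) -> List[str]:
    """Expand one comma-separated element of the specification."""
    token = token.strip().replace("\u2013", "-")  # tolerate an en dash from typeset text
    if not token:
        return []
    if token.startswith("file:"):
        out: List[str] = []
        for line in read_file(token[len("file:"):]).splitlines():
            line = line.strip()
            if line and not line.startswith("#"):
                out.extend(_expand_token(line, read_file))  # each line is itself a spec
        return out
    if "/" in token:
        # strict=False accepts 192.168.1.5/24 as well as 192.168.1.0/24
        return [str(a) for a in ipaddress.ip_network(token, strict=False)]
    if "-" in token:
        lo_s, hi_s = (p.strip() for p in token.split("-", 1))
        lo, hi = ipaddress.ip_address(lo_s), ipaddress.ip_address(hi_s)
        if hi.version != lo.version or hi < lo:
            raise ValueError(f"bad range: {token}")
        return [str(ipaddress.ip_address(i)) for i in range(int(lo), int(hi) + 1)]
    return [str(ipaddress.ip_address(token))]  # single host; raises on garbage


def expand_rhosts(spec: str, read_file: Callable[[str], str] = _read_path) -> List[str]:
    """Return the unique addresses named by `spec`, in first-seen order."""
    seen: Set[str] = set()
    result: List[str] = []
    for token in spec.split(","):
        for addr in _expand_token(token, read_file):
            if addr not in seen:  # overlapping ranges must not double-scan a host
                seen.add(addr)
                result.append(addr)
    return result


if __name__ == "__main__":
    # Constructed host list, supplied through the hook instead of a real file.
    hostlist = "10.0.0.1\n# lab box\n10.0.0.2\n192.168.3.0/30\n"
    spec = "192.168.1.20-192.168.1.22, 192.168.1.0/30, file:/tmp/hostlist.txt"
    for addr in expand_rhosts(spec, read_file=lambda _path: hostlist):
        print(addr)
```

The de-duplication step matters in practice: a spec such as 192.168.1.0/24 combined with a range inside that block would otherwise scan the overlapping hosts twice, which doubles both the traffic and the noise in the target's logs.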

The THREADS value sets the number of concurrent threads to use while scanning. By default, all scanner modules have their THREADS value initially set to 1. We can raise this value to speed up our scans or lower it to reduce network traffic. In general, you should not set the THREADS value greater than 16 when running Metasploit on Windows, and not greater than 128 on UNIX-like operating systems.