
Intelligence Gathering

23

Now let’s set our values and run the module. We’ll set the value for RHOSTS to 192.168.1.0/24, set THREADS to 50, and then run the scan.

msf auxiliary(ipidseq) > set RHOSTS 192.168.1.0/24
RHOSTS => 192.168.1.0/24
msf auxiliary(ipidseq) > set THREADS 50
THREADS => 50
msf auxiliary(ipidseq) > run

[*] 192.168.1.1's IPID sequence class: All zeros
[*] 192.168.1.10's IPID sequence class: Incremental!
[*] Scanned 030 of 256 hosts (011% complete)
[*] 192.168.1.116's IPID sequence class: All zeros
[*] 192.168.1.109's IPID sequence class: Incremental!
[*] Scanned 128 of 256 hosts (050% complete)
[*] 192.168.1.154's IPID sequence class: Incremental!
[*] 192.168.1.155's IPID sequence class: Incremental!
[*] Scanned 155 of 256 hosts (060% complete)
[*] 192.168.1.180's IPID sequence class: All zeros
[*] 192.168.1.181's IPID sequence class: Incremental!
[*] 192.168.1.185's IPID sequence class: All zeros
[*] 192.168.1.184's IPID sequence class: Randomized
[*] Scanned 232 of 256 hosts (090% complete)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(ipidseq) >

Judging by the results of our scan, we see a number of potential idle hosts that we can use to perform idle scanning. We’ll try scanning a host using the system at 192.168.1.109 shown in the output above, using the -sI command line flag to specify the idle host:

msf auxiliary(ipidseq) > nmap -PN -sI 192.168.1.109 192.168.1.155
[*] exec: nmap -PN -sI 192.168.1.109 192.168.1.155

Idle scan using zombie 192.168.1.109 (192.168.1.109:80); Class: Incremental
Interesting ports on 192.168.1.155:
Not shown: 996 closed|filtered ports
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:0C:29:E4:59:7C (VMware)
Nmap done: 1 IP address (1 host up) scanned in 7.12 seconds
msf auxiliary(ipidseq) >

By using the idle host, we were able to discover a number of open ports on our target system without sending a single packet to the system.
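The following is an added example, not code from the book or from Metasploit: a small Python helper that parses ipidseq output in the format shown above and lists the hosts whose IP ID sequence is predictable, which is what a defender running the module against their own range would want to inventory and remediate. The classify_ipid function is a simplified version of the incremental/randomized heuristic, an assumption of this example rather than the module’s actual logic, and the sample output is constructed from the addresses on this page.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the same format as the module output above.
SAMPLE_OUTPUT = """\
[*] 192.168.1.1's IPID sequence class: All zeros
[*] 192.168.1.10's IPID sequence class: Incremental!
[*] Scanned 030 of 256 hosts (011% complete)
[*] 192.168.1.109's IPID sequence class: Incremental!
[*] 192.168.1.155's IPID sequence class: Incremental!
[*] 192.168.1.184's IPID sequence class: Randomized
[*] Auxiliary module execution completed
"""

# One result line: "[*] <ipv4>'s IPID sequence class: <class>" with an optional trailing "!"
LINE_RE = re.compile(r"^\[\*\] (\d{1,3}(?:\.\d{1,3}){3})'s IPID sequence class: (.+?)!?$")


def parse_ipidseq(text):
    """Map each IPID class reported by the module to the hosts in that class."""
    by_class = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # progress and status lines do not match and are skipped
            by_class[m.group(2)].append(m.group(1))
    return dict(by_class)


def predictable_hosts(text):
    """Hosts with an incremental IPID sequence, sorted numerically by address.
    These are the ones an attacker could use as idle-scan zombies, so they are
    the ones to fix (e.g. by updating or changing the IP ID generation policy)."""
    hosts = parse_ipidseq(text).get("Incremental", [])
    return sorted(hosts, key=ipaddress.ip_address)


def classify_ipid(ids, max_step=1000):
    """Simplified classifier (an assumption of this example) for a sequence of
    16-bit IP ID values observed from one host, using the page's class names."""
    if len(ids) < 2:
        raise ValueError("need at least two IP ID samples")
    if all(i == 0 for i in ids):
        return "All zeros"
    diffs = [(b - a) % 65536 for a, b in zip(ids, ids[1:])]  # handle wrap-around
    if all(d == 0 for d in diffs):
        return "Constant"
    if all(0 < d <= max_step for d in diffs):
        return "Incremental"
    return "Randomized"
```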