Zombie scanning with Scapy

Every IP packet carries a 16-bit identification field (the IPID) in its header. Depending on the operating system, this value might be generated randomly, might always be zeroed out, or might increment by one with each IP packet the host sends. If a host with incremental IPID sequencing is discovered and that host is not exchanging traffic with other networked systems (that is, it is idle), it can be used as a proxy to identify open ports on other systems, because every packet it sends in reaction to our probes advances the counter in a predictable way. We can identify the IPID sequencing pattern of a remote system by sending it a series of IP packets and examining the ID field of the responses:

If we send two IP packets to an idle Windows system, we can examine the integer value of the ID attribute under the IP layer of the response.

Note that the reply to the first request had the ID 61, and the reply to the second request had the ID 62.

This host does indeed have incremental IPID sequencing and, assuming it remains idle, can be used as an effective zombie for zombie scanning:

  1. To perform a zombie scan, an initial SYN+ACK packet is sent to the zombie system. The zombie treats it as unsolicited and answers with an RST, and the IPID of that RST records the current value of the zombie's counter.
  2. Then, a SYN packet is sent to the scan target with a spoofed source IP address of the zombie system (this only works if the network path permits the spoofed source, that is, there is no egress filtering between the scanner and the target). If the port is open, the scan target sends a SYN+ACK response back to the zombie. Since the zombie never sent the initial SYN, it interprets the SYN+ACK as unsolicited and sends an RST back to the target, thereby incrementing its IPID by one.
  3. Finally, another SYN+ACK packet is sent to the zombie, which returns an RST and increments the IPID one more time. An IPID that has incremented by two from the initial response indicates that all of these events have transpired and that the destination port on the scanned system is open.
  4. Alternatively, if the port on the scan target is closed, a different series of events transpires, and the IPID of the final RST response increments by only one. If the destination port on the scan target is closed, the target sends an RST packet to the zombie system in response to the spoofed SYN.
  5. Since an RST packet solicits no response, the IPID value of the zombie system is not incremented. As a result, the final RST packet returned to the scanning system in response to the SYN+ACK probe has an IPID that has incremented by only one. A filtered port, where the spoofed SYN is silently dropped, produces exactly the same result, so an increment of one means closed or filtered rather than closed. Likewise, any unrelated packet the zombie sends during the exchange also consumes an IPID, which is why the zombie must be idle: a single stray packet makes a closed port look open, and more than one makes the result meaningless.
  6. To streamline this process, the following Python script both identifies a usable zombie system and performs the zombie scan against the scan target (Scapy needs raw socket access, so run it as root):
#!/usr/bin/env python3

import logging
logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
from scapy.all import IP, TCP, sr1, send


def probe_ipid(zombie):
    # An unsolicited SYN/ACK makes the zombie answer with an RST; the
    # IP ID of that RST is the current value of its counter. Returns
    # None if the zombie does not answer within the timeout.
    reply = sr1(IP(dst=zombie)/TCP(flags="SA"), timeout=2, verbose=0)
    if reply is None:
        return None
    return reply[IP].id


def ipid(zombie):
    # Three probes in a row: an idle host with incremental IP IDs must
    # answer the third probe with an ID exactly two higher than the first.
    reply1 = probe_ipid(zombie)
    send(IP(dst=zombie)/TCP(flags="SA"), verbose=0)
    reply2 = probe_ipid(zombie)
    if reply1 is None or reply2 is None:
        print("No RST received from " + zombie + ". NOT A GOOD ZOMBIE")
        return
    if reply2 == (reply1 + 2) & 0xFFFF:     # 16-bit field, so mask the wrap
        print("IPID sequence is incremental and target appears "
              "to be idle. ZOMBIE LOCATED")
        response = input("Do you want to use this zombie to "
                         "perform a scan? (Y or N): ")
        if response.strip().upper() == "Y":
            target = input("Enter the IP address of the target system: ")
            zombiescan(target, zombie)
    else:
        print("Either the IPID sequence is not incremental or "
              "the target is not idle. NOT A GOOD ZOMBIE")


def zombiescan(target, zombie):
    print("\nScanning target " + target + " with zombie " + zombie)
    print("\n---------Open Ports on Target--------\n")
    for port in range(1, 101):
        start_val = probe_ipid(zombie)
        # Spoofed SYN: the target's reply goes to the zombie, not to us.
        send(IP(src=zombie, dst=target)/TCP(flags="S", dport=port), verbose=0)
        end_val = probe_ipid(zombie)
        if start_val is None or end_val is None:
            continue    # zombie did not answer a probe; skip this port
        # +2: target sent SYN/ACK to the zombie, which answered with an RST.
        # +1: target sent an RST (or nothing), which the zombie ignored.
        if end_val == (start_val + 2) & 0xFFFF:
            print(port)


print("-----------Zombie Scan Suite------------\n")
print("1 - Identify Zombie Host\n")
print("2 - Perform Zombie Scan\n")
ans = input("Select an Option (1 or 2): ")
if ans == "1":
    zombie = input("Enter IP address to test IPID sequence: ")
    ipid(zombie)
elif ans == "2":
    zombie = input("Enter IP address for zombie system: ")
    target = input("Enter IP address for scan target: ")
    zombiescan(target, zombie)
  1. Upon executing this script, the user is prompted with two options. By selecting option 1, we can probe a host's IPID sequence to determine whether it is a usable zombie. If the host is idle and has incremental IPID sequencing, it is flagged as a zombie and the user is asked whether to use it to perform a scan.
  2. If the scan is performed, the previously discussed process is executed for each of the first 100 TCP ports, and every port whose probe pair differs by exactly two is printed as open.
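The exchange in steps 1 to 5 and the idle-host check behind option 1, modelled offline in plain Python. This is an added example, not code from the original recipe: it replaces the live Scapy traffic with a simulated zombie stack and scan target, so it runs without root, Scapy or a network, and it adds the case the prose only mentions, a zombie that is not idle. The class names, initial IPID, port numbers and the "busy" threshold are assumptions made for this illustration.

```python
"""Offline model of the zombie (idle) scan decision logic.

Added example, not code from the original recipe. Instead of sending
Scapy packets it simulates the two stacks the script above talks to:
a zombie whose IP ID counter increments by one for every packet it
emits, and a scan target with open, closed and filtered ports. Host
state and port numbers are made up for illustration.
"""

from dataclasses import dataclass, field


@dataclass
class Zombie:
    """Host with incremental IPID sequencing. ipid is the ID the next
    packet it emits will carry; every emitted packet consumes one ID."""

    ipid: int = 61

    def _emit(self) -> int:
        current = self.ipid
        self.ipid = (self.ipid + 1) & 0xFFFF  # 16-bit field wraps around
        return current

    def receive(self, flags):
        """Return the IPID of the zombie's reply, or None if it stays silent."""
        if flags == "SA":      # unsolicited SYN/ACK is answered with an RST
            return self._emit()
        return None            # an RST (or nothing) solicits no reply

    def unrelated_traffic(self, packets: int) -> None:
        """The zombie talking to some other host, i.e. not idle."""
        for _ in range(packets):
            self._emit()


@dataclass
class Target:
    open_ports: set = field(default_factory=set)
    filtered_ports: set = field(default_factory=set)

    def receive_syn(self, dport: int):
        """Flags the target sends back to the (spoofed) source of a SYN."""
        if dport in self.filtered_ports:
            return None        # dropped by a firewall: no reply at all
        return "SA" if dport in self.open_ports else "R"


def verdict(delta: int) -> str:
    """Map the IPID difference between the two probes to a scan result."""
    if delta == 2:
        return "open"                 # target SYN/ACK -> zombie RST -> one extra ID
    if delta == 1:
        return "closed|filtered"      # target RST or silence: nothing extra
    return "unreliable"               # zombie emitted other packets meanwhile


def zombie_scan_port(zombie, target, port, background_packets=0):
    """Steps 1-3 of the recipe for one port.

    background_packets models unrelated traffic the zombie sends while the
    spoofed SYN is in flight; 0 is the idle zombie the technique assumes.
    """
    start = zombie.receive("SA")                    # 1. probe: RST carries IPID
    reply = target.receive_syn(port)                # 2. spoofed SYN, src=zombie
    zombie.unrelated_traffic(background_packets)
    if reply is not None:
        zombie.receive(reply)                       #    zombie reacts to SYN/ACK only
    end = zombie.receive("SA")                      # 3. probe again
    return verdict((end - start) & 0xFFFF)


def classify_ipid_sequence(ids):
    """Triage for the 'Identify Zombie Host' option from observed RST IPIDs.
    The 'busy' threshold is a heuristic chosen for this example."""
    if all(i == 0 for i in ids):
        return "zero"                 # stack zeroes the field: unusable
    deltas = [(b - a) & 0xFFFF for a, b in zip(ids, ids[1:])]
    if all(d == 1 for d in deltas):
        return "incremental"          # idle and incremental: ZOMBIE LOCATED
    if all(0 < d <= 16 for d in deltas):
        return "busy"                 # incrementing, but other traffic interleaves
    return "random"


def demo():
    """Run the open/closed/filtered cases plus a non-idle zombie."""
    target = Target(open_ports={80}, filtered_ports={22})
    idle = Zombie(ipid=61)
    results = {
        "open 80": zombie_scan_port(idle, target, 80),
        "closed 23": zombie_scan_port(idle, target, 23),
        "filtered 22": zombie_scan_port(idle, target, 22),
        # one stray packet from the zombie turns a closed port into a false "open"
        "closed 23, busy zombie": zombie_scan_port(idle, target, 23, background_packets=1),
        "open 80, busy zombie": zombie_scan_port(idle, target, 80, background_packets=3),
        "probe [61,62,63]": classify_ipid_sequence([61, 62, 63]),
    }
    return results


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The interesting rows are the two "busy zombie" cases: with a single unrelated packet the closed port 23 is reported open, and with three the delta is neither one nor two and the verdict is unreliable. That is the failure mode the recipe's +2 check cannot distinguish from a genuine open port, which is why option 1 insists on an idle host before option 2 is offered.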