Zombie scanning with Nmap

These steps will help you perform a zombie scan with Nmap:

  1. Zombie scans can also be performed with an option in Nmap. However, before using the Nmap zombie scan, we can quickly find viable zombie candidates by sweeping an entire address range and assessing the IPID sequencing patterns with Metasploit.
  2. To do this, we need to open Metasploit with the msfconsole command and then select the IPID sequencing auxiliary module for use, as follows:
  3. This auxiliary module can be used to scan a sequential series of host addresses or a network range defined in CIDR notation. To increase the speed of the scan, set the THREADS variable to the desired number of concurrent tasks, as follows:
  4. Once the required variables have been populated with the desired values, we can verify the scan configuration again using the show options command. The IPID sequence scan can then be executed using the run command:
  5. As the IPID sequence scanning module sweeps through the provided network range, it identifies the IPID sequencing pattern of each discovered host and indicates whether the IDs are zeros, randomized, or incremental.
  6. An ideal candidate for zombie scanning is a host that both uses incremental IPID sequencing and is not interacting heavily with other systems on the network. Once an incremental idle host has been identified, we can perform the zombie scan in Nmap using the -sI option and passing it the IP address of the zombie host to be used for scanning:
  7. In the example provided, a zombie scan was performed on the first 100 TCP ports of the scan target, 172.16.69.128. The idle host at 172.16.69.128 was used as the zombie, and the -Pn option was used to prevent Nmap from attempting to ping the scan target.
  8. In this demonstration, we identified and enumerated all of the listed open ports without ever interacting directly with the scanned target. Instead, source-spoofed packets were sent to the scan target, and the only direct interaction was between the scanning system and the zombie host.
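The three IPID patterns the sequence sweep reports (zeros, incremental, randomized) are what decide whether a host is exposed to being used as a zombie. The following added example, which is not code from the book or from Metasploit, classifies IPID values observed from a host in the same way, so an administrator can audit their own systems for a predictable counter (the fix being to enable randomized IPIDs on them). The step threshold, the exactly-by-one "idle" heuristic and the sample IPIDs are constructed assumptions.

```python
"""Classify observed IP ID sequences: zeros, incremental or randomized."""
from typing import Iterable, List

IPID_MODULUS = 1 << 16  # IPID is a 16-bit field, so the counter wraps at 65536

# Assumption (constructed, not from the book): a host whose IPID grows by a
# small step between consecutive replies is treated as "incremental".
INCREMENTAL_MAX_STEP = 10


def ipid_deltas(ipids: Iterable[int]) -> List[int]:
    """Forward differences between consecutive IPIDs modulo 2^16, so a
    counter wrapping from 65535 to 0 is still seen as a step of +1."""
    ids = list(ipids)
    return [(b - a) % IPID_MODULUS for a, b in zip(ids, ids[1:])]


def classify_ipid_sequence(ipids: Iterable[int]) -> str:
    """Return 'zeros', 'incremental', 'randomized', or 'unknown' (< 3 samples)."""
    ids = list(ipids)
    if len(ids) < 3:
        return "unknown"
    if all(i == 0 for i in ids):
        return "zeros"
    if all(1 <= d <= INCREMENTAL_MAX_STEP for d in ipid_deltas(ids)):
        return "incremental"
    return "randomized"


def is_zombie_candidate(ipids: Iterable[int]) -> bool:
    """Assumed heuristic: incremental AND every step is exactly 1, meaning the
    host sent no other packets between probes, i.e. it is idle."""
    ids = list(ipids)
    return (classify_ipid_sequence(ids) == "incremental"
            and all(d == 1 for d in ipid_deltas(ids)))


# Constructed sample IPIDs from replies of four hosts (not real data).
SAMPLES = {
    "10.0.0.5": [0, 0, 0, 0, 0],                  # zeros
    "10.0.0.7": [65533, 65534, 65535, 0, 1, 2],   # incremental, wraps, idle
    "10.0.0.9": [4120, 31007, 8, 52311, 19876],   # randomized
    "10.0.0.11": [100, 103, 109, 110, 118],       # incremental but busy
}

if __name__ == "__main__":
    for host, ids in SAMPLES.items():
        flag = "  <- usable as zombie" if is_zombie_candidate(ids) else ""
        print(f"{host:<10} {classify_ipid_sequence(ids)}{flag}")
```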