DEV Community

Ali

How To Find Zombie Hosts With Nmap?

For educational purposes only

If you are familiar with Nmap, you probably already know that network scans are easily detected by firewalls and IDS (Intrusion Detection Systems), which can blow your cover and get your IP or proxy blacklisted.

There are multiple ways to avoid that. Here we’ll explore a method called idle scan, also known as a ‘zombie scan’: an advanced port scanning method that avoids detection by placing a ‘zombie’ between you and the machine you’re scanning.

This is a blind scanning method used to scan for open ports on the target machine without ever sending the target a single packet from the attacker's real IP address.

The scanning works in five stages.

How does it work?

  1. The attacker sends an unrequested SYN/ACK to the zombie machine. The zombie didn't expect it, so it responds by sending a RST to the attacker, and by doing so reveals its IP ID.

  2. The attacker sends a forged SYN to the target, making it look like it comes from the zombie.

  3. The target then sends an unrequested SYN/ACK to the zombie.

  4. The zombie then responds with a RST, which increments its IP ID and indicates that the port is open. If the port is closed, the target instead sends a RST to the zombie and the IP ID will not be incremented.

  5. The attacker repeats step 1 and checks whether the IP ID has been incremented. If so, the scanned port is open; if not, the port is closed.
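
Seen from the zombie's side, steps 1, 3 and 5 all arrive as SYN/ACKs that answer no SYN the host ever sent, which is something a defender can look for. The following Python sketch is an added example, not code from the original post; the log format, the addresses (documentation ranges) and the function names are assumptions made up for the illustration.

```python
from collections import defaultdict

HOST = "192.0.2.10"  # assumption: the monitored host (documentation address)

# Constructed capture, one packet per line: "time src:sport > dst:dport flags".
# 203.0.113.7 plays the prober (steps 1 and 5), 198.51.100.9 the scanned target (step 3).
SAMPLE = """\
0.00 192.0.2.10:40001 > 198.51.100.5:443 S
0.01 198.51.100.5:443 > 192.0.2.10:40001 SA
1.00 203.0.113.7:51000 > 192.0.2.10:80 SA
1.01 192.0.2.10:80 > 203.0.113.7:51000 R
1.10 198.51.100.9:22 > 192.0.2.10:80 SA
1.11 192.0.2.10:80 > 198.51.100.9:22 R
1.20 203.0.113.7:51001 > 192.0.2.10:80 SA
1.21 192.0.2.10:80 > 203.0.113.7:51001 R
1.30 198.51.100.9:80 > 192.0.2.10:80 SA
1.31 192.0.2.10:80 > 198.51.100.9:80 R
1.40 203.0.113.7:51002 > 192.0.2.10:80 SA
1.41 192.0.2.10:80 > 203.0.113.7:51002 R
"""

def parse(line):
    _, src, _, dst, flags = line.split()
    (sip, sport), (dip, dport) = src.rsplit(":", 1), dst.rsplit(":", 1)
    return sip, int(sport), dip, int(dport), flags

def unsolicited_synacks(capture, host=HOST, threshold=2):
    """Return {peer: sorted peer ports} for peers that sent `host` at least
    `threshold` SYN/ACKs that answer no SYN `host` sent earlier in the capture."""
    sent_syn = set()            # (local port, peer ip, peer port) of host's own SYNs
    ports = defaultdict(set)    # peer ip -> source ports of unsolicited SYN/ACKs
    hits = defaultdict(int)     # peer ip -> number of unsolicited SYN/ACKs
    for line in capture.strip().splitlines():
        sip, sport, dip, dport, flags = parse(line)
        if sip == host and flags == "S":
            sent_syn.add((sport, dip, dport))
        elif dip == host and flags == "SA" and (dport, sip, sport) not in sent_syn:
            ports[sip].add(sport)
            hits[sip] += 1
    return {peer: sorted(p) for peer, p in ports.items() if hits[peer] >= threshold}

if __name__ == "__main__":
    for peer, peer_ports in unsolicited_synacks(SAMPLE).items():
        print(f"{peer}: unsolicited SYN/ACKs from source ports {peer_ports}")
```

Backscatter from spoofed SYN floods produces the same pattern, so a hit is a lead to investigate rather than proof of an idle scan.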

How do you find a zombie?

Nmap NSE (Nmap Scripting Engine) comes with a handy script called ipidseq, which we can use to scan for random zombies on the internet. Using the following command, Nmap will scan port 80 of 100 random hosts across the internet.

nmap -p 80 --script ipidseq -iR 100

The hardest part of a zombie scan is finding a suitable machine to act as the zombie, as you can sometimes end up with false positives. The candidate host shouldn’t be getting too much traffic, because then its IP ID won’t be accurate and predictable. Printers, Windows and old Linux servers work fine.

How to launch an idle scan with Nmap?

Here is a bare-bones zombie scan using Nmap:

nmap -sI <zombie host> -p <ports to scan> <target>

Conclusion

We’ve covered the infamous idle scan, incredibly useful for host discovery. It is one of the best ways to scan hosts without getting detected. But keep in mind that some modern IDSs can detect when an idle scan is happening on their network.

Be careful guys!

This is for educational purposes only. Scanning a network without explicit permission can land you in jail. I am not responsible for any damages incurred!
