1 00:00:00,300 --> 00:00:08,100 Idle scan is an advanced scan method that allows for a truly blind TCP port scan of the target. A truly
2 00:00:08,100 --> 00:00:14,010 blind TCP port scan means no packets are sent to the target from your real IP address.
3 00:00:14,330 --> 00:00:22,770 Instead, a unique side channel attack exploits predictable IP fragmentation ID sequence generation
4 00:00:23,040 --> 00:00:27,270 on the zombie host to gather information about the open ports on the target.
5 00:00:28,390 --> 00:00:33,550 IDS systems will display the scan as coming from the zombie machine you specify.
6 00:00:35,310 --> 00:00:40,380 The idle scan is based on the following three facts, as you already know.
7 00:00:41,530 --> 00:00:46,180 One way to determine whether a TCP port is open is to send a SYN packet to the port.
8 00:00:46,990 --> 00:00:49,630 The target machine will respond with a SYN/ACK packet
9 00:00:49,960 --> 00:00:53,080 if the port is open, and RST if the port is closed.
10 00:00:53,920 --> 00:00:58,630 A machine that receives an unexpected SYN/ACK packet will respond with a RST.
11 00:00:59,050 --> 00:01:01,690 An unexpected RST will be ignored.
12 00:01:02,870 --> 00:01:10,760 Every IP packet on the internet has a fragment identification number, IP ID. Since many operating systems
13 00:01:10,760 --> 00:01:14,000 simply increment this number for each packet they send,
14 00:01:14,390 --> 00:01:20,570 probing for the IP ID can tell an attacker how many packets have been sent since the last probe.
15 00:01:22,370 --> 00:01:26,060 So first, let's see what happens in an idle scan if the target port is open.
16 00:01:27,420 --> 00:01:31,680 The first step is to probe the IP ID of the zombie system.
17 00:01:32,950 --> 00:01:35,080 The attacker sends a SYN/ACK to the zombie.
18 00:01:36,380 --> 00:01:40,760 Since the zombie does not expect the packet, it sends back a RST with an IP ID.
19 00:01:41,900 --> 00:01:46,220 The second step is to forge a SYN packet from the zombie to the target system.
20 00:01:47,310 --> 00:01:52,170 The target sends a SYN/ACK in response to the SYN that appears to come from the zombie.
21 00:01:53,160 --> 00:01:59,190 Since the zombie does not expect the packet, it sends back a RST, and so it increments its IP ID in
22 00:01:59,190 --> 00:01:59,850 the process.
23 00:02:00,750 --> 00:02:04,350 The third step is to probe the zombie's IP ID again.
24 00:02:05,010 --> 00:02:07,440 The attacker sends a SYN/ACK to the zombie again.
25 00:02:08,040 --> 00:02:14,160 The RST packet of the zombie has an IP ID which is increased by two since the first step, so the
26 00:02:14,160 --> 00:02:14,910 port is open.
27 00:02:15,360 --> 00:02:19,080 Now let's see what happens in an idle scan if the target port is closed.
28 00:02:20,310 --> 00:02:23,370 The first step is to probe the IP ID of the zombie system.
29 00:02:24,090 --> 00:02:30,120 The attacker sends a SYN/ACK to the zombie. Since the zombie does not expect the packet, it sends back
30 00:02:30,120 --> 00:02:31,800 a RST with an IP ID.
31 00:02:32,910 --> 00:02:37,020 The second step is to forge a SYN packet from the zombie to the target system.
32 00:02:37,500 --> 00:02:43,140 The target sends a RST, because the port is closed, in response to the SYN that appears to come from
33 00:02:43,140 --> 00:02:43,680 the zombie.
34 00:02:44,340 --> 00:02:49,200 The zombie ignores the unexpected RST, so its IP ID does not change.
35 00:02:49,890 --> 00:02:53,340 The third step is to probe the zombie's IP ID again.
36 00:02:54,180 --> 00:02:56,970 The attacker sends a SYN/ACK to the zombie again.
37 00:02:57,630 --> 00:03:03,570 The RST packet of the zombie has an IP ID which is increased by only one since the first step.
38 00:03:03,780 --> 00:03:06,420 So the port is not open.
39 00:03:06,900 --> 00:03:07,410 You follow?
40 00:03:08,160 --> 00:03:09,810 So then here's the last one.
41 00:03:10,650 --> 00:03:13,830 Let's see what happens in an idle scan if the target port is filtered.
42 00:03:14,280 --> 00:03:17,610 The first step is to probe the IP ID of the zombie system.
43 00:03:18,440 --> 00:03:24,350 The attacker sends a SYN/ACK to the zombie. Since the zombie does not expect the packet, it sends back a
44 00:03:24,350 --> 00:03:25,670 RST with an IP ID.
45 00:03:26,510 --> 00:03:31,490 The second step is to forge a SYN packet from the zombie to the target system.
46 00:03:32,270 --> 00:03:37,340 The target, filtering its port, ignores the SYN that appears to come from the zombie.
47 00:03:37,820 --> 00:03:42,230 The zombie is unaware that anything happened, so its IP ID remains the same.
48 00:03:43,420 --> 00:03:49,420 The third step is to probe the zombie's IP ID again; the attacker sends a SYN/ACK to the zombie again.
49 00:03:50,720 --> 00:03:57,110 The RST packet of the zombie has an IP ID which is increased by only one since the first step, so
50 00:03:57,440 --> 00:03:58,640 the port is not open.
51 00:03:58,760 --> 00:04:04,610 So from the attacker's point of view, the filtered port is indistinguishable from a closed port.
52 00:04:05,020 --> 00:04:09,680 You see why: in both cases, the IP ID is increased by only one.
53 00:04:10,520 --> 00:04:11,960 So let's have an idle scan.
54 00:04:13,690 --> 00:04:18,790 To be able to perform an idle scan, we first need to have a zombie computer on the network which
55 00:04:18,790 --> 00:04:21,340 has incremental IP ID sequencing.
56 00:04:22,030 --> 00:04:26,650 Hopefully, we have an Nmap script to help us find a computer appropriate to become a zombie.
57 00:04:27,340 --> 00:04:32,100 I know the name of the script starts with ipid, and I put a star.
58 00:04:32,110 --> 00:04:36,340 Now here's the script: ipidseq.
59 00:04:37,500 --> 00:04:42,240 To use this script, type nmap --script ipidseq.
60 00:04:43,430 --> 00:04:49,700 And now our IP block, 172.16.99.0/24.
61 00:04:51,060 --> 00:04:53,940 To keep it simple, let's scan just the top two ports.
62 00:04:57,690 --> 00:04:59,880 And here are the results, so let's analyze them.
63 00:05:03,670 --> 00:05:10,870 99.1 is my host system, it's a Mac, and as you see, the IP ID is randomized. 99.2
64 00:05:10,870 --> 00:05:13,570 is the gateway of my virtual LAN.
65 00:05:13,570 --> 00:05:16,420 And yes, it has incremental ID sequencing.
66 00:05:17,230 --> 00:05:19,030 It can be used as a zombie system.
67 00:05:19,120 --> 00:05:19,630 Good.
68 00:05:21,430 --> 00:05:24,310 99.213 is a Linux system.
69 00:05:24,820 --> 00:05:31,870 Its IP ID sequence is all zeros. 99.206 is our target, Metasploitable.
70 00:05:33,570 --> 00:05:36,990 99.222 is our Kali machine.
71 00:05:37,470 --> 00:05:44,040 Its IP ID sequence is incremental, so it's actually another zombie candidate, but it's already the
72 00:05:44,040 --> 00:05:47,220 attacker itself, so that it makes sense to use it as a zombie.
73 00:05:47,590 --> 00:05:49,820 But I understand you.
74 00:05:49,830 --> 00:05:51,030 Yes, it might be fun.
75 00:05:52,310 --> 00:05:57,040 All right, now we're going to use 99.2 as a zombie.
76 00:05:59,670 --> 00:06:07,170 So here's the Nmap idle scan query: -s, uppercase I, does idle scan; now put the IP address of the zombie.
77 00:06:08,050 --> 00:06:12,490 I want to use my host machine first, which has a randomized IP ID sequence.
78 00:06:13,740 --> 00:06:21,260 Not necessarily, but I think it's a good habit: -Pn, and the target system's IP.
79 00:06:23,840 --> 00:06:30,230 So as you see, Nmap says the zombie's IP ID sequence class is randomized, so we should find another
80 00:06:30,230 --> 00:06:30,650 system.
81 00:06:31,970 --> 00:06:37,220 So what do you think about using a zombie system with an all-zeros IP ID sequence class?
82 00:06:37,370 --> 00:06:37,580 Hmm.
83 00:06:38,300 --> 00:06:40,880 As you see, again, it's just not suitable to be a zombie.
84 00:06:42,060 --> 00:06:47,610 Now, is it time to use this system, which has an incremental IP ID sequence class?
85 00:06:48,060 --> 00:06:52,230 So again, to keep it quick and simple, I'll just scan the top three ports.
86 00:06:54,320 --> 00:06:58,550 And yes, the scan is completed successfully. To compare the results,
87 00:06:58,820 --> 00:07:06,440 I'd like to have a SYN scan in another terminal screen with the same conditions. Ports 23 and 80 are
88 00:07:06,470 --> 00:07:07,670 open in both scans.
89 00:07:09,410 --> 00:07:15,560 According to the SYN scan, port 443 is closed. Now, we know that the idle scan cannot distinguish the
90 00:07:15,560 --> 00:07:17,540 closed port from the filtered port.
91 00:07:17,810 --> 00:07:25,160 It flagged port 443 as closed or filtered, so let's run the last query with the --reason
92 00:07:25,430 --> 00:07:26,150 option again.
93 00:07:30,820 --> 00:07:37,900 As you see, ports 23 and 80 are flagged as open because the IP ID has changed each time.
94 00:07:38,870 --> 00:07:43,520 Since the IP ID has not changed for port 443, it's flagged as closed or filtered.