1
00:00:00,300 --> 00:00:08,100
‫Idle scan is an advanced scan method that allows for a truly blind TCP port scan of the target truly

2
00:00:08,100 --> 00:00:14,010
‫blind TCP port scan means no packets are sent to the target from your real IP address.

3
00:00:14,330 --> 00:00:22,770
‫Instead, a unique side channel attack exploits predictable IP fragmentation ID sequence generation

4
00:00:23,040 --> 00:00:27,270
‫on the zombie host to gather information about the open ports on the target.

5
00:00:28,390 --> 00:00:33,550
‫Idea systems will display the scan as coming from the zombie machine, you specify.

6
00:00:35,310 --> 00:00:40,380
‫The idle scan is based on the following three facts, as you already know.

7
00:00:41,530 --> 00:00:46,180
‫One way to determine whether TCP Port is open is to send a signed packet to the port.

8
00:00:46,990 --> 00:00:49,630
‫The target machine will respond with a snack packet.

9
00:00:49,960 --> 00:00:53,080
‫If the port is open and rest, if the port is closed.

10
00:00:53,920 --> 00:00:58,630
‫A machine that receives an unexpected sinek packet will respond with a receipt.

11
00:00:59,050 --> 00:01:01,690
‫An unexpected receipt will be ignored.

12
00:01:02,870 --> 00:01:10,760
‫Every IP packet on the internet has a fragment identification number, IP ID since many operating systems

13
00:01:10,760 --> 00:01:14,000
‫simply increment this number for each packet they send.

14
00:01:14,390 --> 00:01:20,570
‫Probing for the iPad can tell an attacker how many packets have been sent since the last probe.

15
00:01:22,370 --> 00:01:26,060
‫So first, let's see what happens in an idle scan at the target board is open.

16
00:01:27,420 --> 00:01:31,680
‫The first step is to probe the IPID of the zombie system.

17
00:01:32,950 --> 00:01:35,080
‫The attacker sends a cynic to the zombie.

18
00:01:36,380 --> 00:01:40,760
‫Since his army does not expect the packet, it sends back a receipt with an iPad.

19
00:01:41,900 --> 00:01:46,220
‫The second step is to forge a send packet from the zombie to the target system.

20
00:01:47,310 --> 00:01:52,170
‫The target sends a sinek in response to the sin that appears to come from the zombie.

21
00:01:53,160 --> 00:01:59,190
‫Since his army does not expect the packet, it sends back a receipt and so it increments its Ipid in

22
00:01:59,190 --> 00:01:59,850
‫the process.

23
00:02:00,750 --> 00:02:04,350
‫Third step is to probe the zombie's iPad again.

24
00:02:05,010 --> 00:02:07,440
‫The attacker sends a sinek the zombie again.

25
00:02:08,040 --> 00:02:14,160
‫The rest packet of the zombie has an iPad, which is increased by two since the first step, so the

26
00:02:14,160 --> 00:02:14,910
‫port is open.

27
00:02:15,360 --> 00:02:19,080
‫Now let's see what happens in an idle scan of the target board is closed.

28
00:02:20,310 --> 00:02:23,370
‫The first step is to probe the IPD of the zombie system.

29
00:02:24,090 --> 00:02:30,120
‫The attacker sends a sinek to the zombie since the zombie does not expect the packet, it sends back

30
00:02:30,120 --> 00:02:31,800
‫a receipt with an iPad.

31
00:02:32,910 --> 00:02:37,020
‫The second step is to forge a sin packet from the zombie to the target system.

32
00:02:37,500 --> 00:02:43,140
‫The target sends a receipt because the port is closed in response to the sin that appears to come from

33
00:02:43,140 --> 00:02:43,680
‫the zombie.

34
00:02:44,340 --> 00:02:49,200
‫The zombie ignores the unexpected risk, so it's IPID does not change.

35
00:02:49,890 --> 00:02:53,340
‫Third step is to probe the zombies IPID again.

36
00:02:54,180 --> 00:02:56,970
‫The attacker sends a sinek to the zombie again.

37
00:02:57,630 --> 00:03:03,570
‫The risk packet of the zombie has an IPID, which is increased by only one since the first step.

38
00:03:03,780 --> 00:03:06,420
‫So the board is not open.

39
00:03:06,900 --> 00:03:07,410
‫You follow.

40
00:03:08,160 --> 00:03:09,810
‫So then here's the last one.

41
00:03:10,650 --> 00:03:13,830
‫Let's see what happens in an idle scan if the target board is filtered.

42
00:03:14,280 --> 00:03:17,610
‫The first step is to probe the IPID of the zombie system.

43
00:03:18,440 --> 00:03:24,350
‫The attacker sends a sinek to the zombie since a zombie does not expect the packet, it sends back a

44
00:03:24,350 --> 00:03:25,670
‫wrist with an iPad.

45
00:03:26,510 --> 00:03:31,490
‫The second step is to forge a signed packet from the zombie to the target system.

46
00:03:32,270 --> 00:03:37,340
‫The target filtering its port ignores the sin that appears to come from the zombie.

47
00:03:37,820 --> 00:03:42,230
‫The zombie is unaware that anything happened, so its iPad remains the same.

48
00:03:43,420 --> 00:03:49,420
‫Third step is to probe the zombies rapid again, the attacker sends a sinek to the zombie again.

49
00:03:50,720 --> 00:03:57,110
‫The risk packet of the zombie as an iPad, which is increased by only one since the first step, so

50
00:03:57,440 --> 00:03:58,640
‫the port is not open.

51
00:03:58,760 --> 00:04:04,610
‫So from the attacker's point of view, the filtered port is indistinguishable from a closed port.

52
00:04:05,020 --> 00:04:09,680
‫You see why, in both cases, the iPad is increased by only one.

53
00:04:10,520 --> 00:04:11,960
‫So let's have an idle scan.

54
00:04:13,690 --> 00:04:18,790
‫To be able to perform an idol scan, we first need to have a zombie computer on the network, which

55
00:04:18,790 --> 00:04:21,340
‫has incremental Ipid's sequencing.

56
00:04:22,030 --> 00:04:26,650
‫Hopefully, we have an end map script to help us find a computer appropriate to become a zombie.

57
00:04:27,340 --> 00:04:32,100
‫I know the name of the script starts with IPD and put a star.

58
00:04:32,110 --> 00:04:36,340
‫Now here's the script Ipid's Que and AC.

59
00:04:37,500 --> 00:04:42,240
‫To use this grip, tape and map script, iPads, CQ.

60
00:04:43,430 --> 00:04:49,700
‫And now our IP block one seven two eight one six nine nine zero 24.

61
00:04:51,060 --> 00:04:53,940
‫They keep it simple, let's scan just the top two port.

62
00:04:57,690 --> 00:04:59,880
‫And here are the results, so let's analyze them.

63
00:05:03,670 --> 00:05:10,870
‫Ninety nine point one is my whole system, it's a Mac, and as you see, iPad is randomized, nineteen

64
00:05:10,870 --> 00:05:13,570
‫point two is the gateway of my virtual LAN.

65
00:05:13,570 --> 00:05:16,420
‫And yes, it has incremental ID sequencing.

66
00:05:17,230 --> 00:05:19,030
‫It can be used as a zombie system.

67
00:05:19,120 --> 00:05:19,630
‫Good I.

68
00:05:21,430 --> 00:05:24,310
‫Nine nine, two one three nine is a Linux system.

69
00:05:24,820 --> 00:05:31,870
‫It's Ipid sequence is all in zero nine nine two zero six is our target Metasploit of all.

70
00:05:33,570 --> 00:05:36,990
‫Nine, nine, two, two two is our colleague machine.

71
00:05:37,470 --> 00:05:44,040
‫It's Ipid's sequence is incremental, so it's actually another zombie candidate, but it's already the

72
00:05:44,040 --> 00:05:47,220
‫attack itself so that it makes sense to use it as a zombie.

73
00:05:47,590 --> 00:05:49,820
‫But I understand you.

74
00:05:49,830 --> 00:05:51,030
‫Yes, it might be fun.

75
00:05:52,310 --> 00:05:57,040
‫All right, now, we're going to use nine, nine two as a zombie.

76
00:05:59,670 --> 00:06:07,170
‫So here's the end map idol scan query as upper case I do Idol Scan now put the IP address of the zombie.

77
00:06:08,050 --> 00:06:12,490
‫I want to use my host machine first, which has a randomized Ipid's sequence.

78
00:06:13,740 --> 00:06:21,260
‫Not necessarily, but I think it's a good habit, P, N and N Target Systems IP.

79
00:06:23,840 --> 00:06:30,230
‫So as you see and Map says, the Zombies Ipid's sequence class is randomized, so we should find another

80
00:06:30,230 --> 00:06:30,650
‫system.

81
00:06:31,970 --> 00:06:37,220
‫So what do you think about using a zombie system with an all zeros Ipid's sequence class?

82
00:06:37,370 --> 00:06:37,580
‫Hmm.

83
00:06:38,300 --> 00:06:40,880
‫As you see, again, it's just not suitable to be a zombie.

84
00:06:42,060 --> 00:06:47,610
‫Now, is it time to use this system, which has an incremental Ipid's sequence class?

85
00:06:48,060 --> 00:06:52,230
‫So again, to keep it quick and simple, I'll just scan the top three put.

86
00:06:54,320 --> 00:06:58,550
‫And yes, scan is completed successfully to compare the results.

87
00:06:58,820 --> 00:07:06,440
‫I'd like to have a sign scan in another terminal screen with the same conditions for its 23 and 80 are

88
00:07:06,470 --> 00:07:07,670
‫open in both scans.

89
00:07:09,410 --> 00:07:15,560
‫According to Since Scan, Port 443 is closed now, we know that the idle scan cannot distinguish the

90
00:07:15,560 --> 00:07:17,540
‫closed board from the filtered port.

91
00:07:17,810 --> 00:07:25,160
‫It flagged Port 443 as closed or filtered, so let's run the last query with reason.

92
00:07:25,430 --> 00:07:26,150
‫Option again.

93
00:07:30,820 --> 00:07:37,900
‫As you see, ports 23 and 80 are flagged as open because IPID has changed each time.

94
00:07:38,870 --> 00:07:43,520
‫Since the iPad has not changed, report four, four three, its flag disclosed or filtered.