Scanning Networks — The idle scan

Idle scan is a stealthy TCP network scanning technique. In an idle scan, the scanner uses a third host, the idle host, to scan the target host. An idle host is a host that is connected to the network but has little or no network activity of its own.

  1. The scanner host first sends a TCP SYN-ACK to the idle host, and the idle host responds with an RST. The objective of this step is to learn the current IP ID value of the idle host. In many OS TCP/IP stack implementations this value increments by one for each packet the host sends.
  2. Second, the scanner host sends a TCP SYN to the target host but spoofs the source IP address to that of the idle host, so that the target host sees the packet as if it had originated from the idle host.
  3. Assuming the target host is running the service on that port and accepts incoming connections, it answers with a SYN-ACK, per the TCP handshake, addressed to the idle host. The idle host, which never sent a SYN, responds with an RST, incrementing its IP ID by one.
  4. The scanner host sends another SYN-ACK to the idle host and records the IP ID field of the RST it gets back.

Now compare the IP ID values obtained in steps 1 and 4, assuming no other TCP activity took place on the idle host in between. If the value has increased by two, the scanner can conclude that the spoofed SYN from step 2 reached an open port: the target replied to the idle host, and the idle host sent one extra RST. If the port was closed, the target would have sent an RST instead, and the idle host does not respond to an RST, per the TCP protocol; in that case the IP ID would have increased by only one.
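The four steps and the IP ID arithmetic above, as an added Python model that is not part of the original post and sends no packets: three simulated hosts with incremental IP IDs, the scanner's open/closed verdict, and the check a defender would run on the idle host's own capture, where the unsolicited SYN-ACKs stand out while the target's capture looks like an ordinary connection attempt. The addresses, the starting IP ID and the open-port set are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Packet:
    src: str; dst: str; dport: int; flags: str
    ipid: int = 0                                   # IP ID stamped by whoever really sent the packet

@dataclass
class Host:
    ip: str; ipid: int                              # ipid: last IP ID used; incremental class, +1 per packet sent
    open_ports: set = field(default_factory=set)
    capture: list = field(default_factory=list)     # what a sniffer on this host would see

def receive(host, pkt):
    """Minimal TCP stack: SYN -> SYN-ACK (open) or RST (closed); unsolicited SYN-ACK -> RST; RST -> silence."""
    host.capture.append(pkt)
    if pkt.flags == "SYN":
        flags = "SYN-ACK" if pkt.dport in host.open_ports else "RST"
    elif pkt.flags == "SYN-ACK":
        flags = "RST"
    else:
        return None
    host.ipid += 1
    reply = Packet(host.ip, pkt.src, pkt.dport, flags, host.ipid)
    host.capture.append(reply)
    return reply

def send(hosts, pkt):
    """Deliver pkt to the host owning pkt.dst, let replies chain between simulated hosts, return the first reply."""
    reply = nxt = receive(hosts[pkt.dst], pkt)
    while nxt is not None and nxt.dst in hosts:
        nxt = receive(hosts[nxt.dst], nxt)
    return reply

def idle_scan(hosts, scanner_ip, idle_ip, target_ip, port):
    """Steps 1-4 from the post; returns (verdict, IP ID seen in step 1, IP ID seen in step 4)."""
    before = send(hosts, Packet(scanner_ip, idle_ip, port, "SYN-ACK")).ipid   # step 1: baseline RST
    send(hosts, Packet(idle_ip, target_ip, port, "SYN"))                       # step 2: SYN with spoofed source
    after = send(hosts, Packet(scanner_ip, idle_ip, port, "SYN-ACK")).ipid    # step 4: second RST
    verdict = {2: "open", 1: "closed|filtered"}.get(after - before, "inconclusive")
    return verdict, before, after

def unsolicited_synacks(host):
    """Defender's check on a host's own capture: SYN-ACKs for connections this host never opened."""
    sent_syn = {(p.dst, p.dport) for p in host.capture if p.flags == "SYN" and p.src == host.ip}
    return [f"{host.ip} got unsolicited SYN-ACK from {p.src}:{p.dport}" for p in host.capture
            if p.flags == "SYN-ACK" and p.dst == host.ip and (p.src, p.dport) not in sent_syn]

def make_lab():  # constructed lab (made-up addresses): idle host at IP ID 2415, target with only port 80 open
    return {"192.0.2.20": Host("192.0.2.20", 2415), "192.0.2.30": Host("192.0.2.30", 100, {80})}
```

Scanning port 80 against this lab yields the IP IDs 2416 and 2418, the same pair the screenshots below show; a second scan of a closed port moves the IP ID by only one.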

Now, to try out the idle scan in practice, I made the following set-up.

I have a network of guest OSs composed of Kali Linux as the scanner's host, Windows Server as the idle host, and Metasploitable as the target host.

Kali ships with nmap, which supports idle scan out of the box, and Metasploitable ships with many TCP services started at OS boot, which makes it a great practice ground. Most importantly, I selected Windows for the idle host, since the IP ID generation class is incremental on Windows hosts.

nmap -sI -p 80

Here the idle host IP is, and I am trying to see whether port 80 is up on the target host, which is

The following two screenshots are from a packet trace taken on the scanner's host while the test was in progress.

Highlighted is the RST that the scanner's host got from the idle host.

Before the spoofed SYN packet is sent, the idle host has an IP ID of 2416.

In the final SYN-ACK probe the idle host responded with an RST carrying an IP ID of 2418, from which we conclude that port 80 is up and running on the target host.

Idle scan is slow and has prerequisites, such as the need for an idle host. But it is a stealthy form of scan, in which the target system has no indication of where the scan packets actually originated. This makes it a good way of evading firewalls, IDS and IPS.