Spoofing the origin IP of a scan
Idle scanning is a very old technique where Nmap takes advantage of an idle host with a predictable IP ID sequence number to spoof the origin IP of a port scan.
This recipe illustrates how to find zombie hosts and use them to spoof your IP address when scanning a remote host with Nmap.
Getting ready
To launch an idle scan, we need a zombie host. A zombie host is a machine with a predictable IP ID sequence number that will be used as the spoofed IP address. A good candidate must not be communicating with other hosts in order to maintain the correct IP ID sequence number and avoid false positives.
To find hosts with an incremental IP ID sequence, you could use the ipidseq
script as follows:
#nmap -p80 --script ipidseq <your ip>/24 #nmap -p80 --script ipidseq -iR 1000
Possible candidates will return Incremental
in the script's output section:
Host is up (0.28s latency). PORT STATE SERVICE 80/tcp open    ...