312-49 Question #286: Real Exam Question with Answer & Explanation
The correct answer is C: 31401.
Question
If an attacker's computer sends an IPID of 31400 to a zombie computer on an open port in IDLE scanning, what will be the response?
Options
- A. 31402
- B. The zombie will not send a response
- C. 31401
- D. 31399
Explanation
In IDLE (zombie) scanning, the attacker exploits the predictable IP Identification (IPID) field of a passive 'zombie' host. When the zombie receives a packet and responds, it increments its IPID counter by 1 for each outgoing packet. If the last observed IPID was 31400, the zombie's next outgoing packet will carry IPID 31401. This incremental behavior is the core mechanism IDLE scanning exploits: if the target port is open, the target sends a SYN/ACK to the zombie (because the attacker spoofed the zombie's IP), causing the zombie to respond with a RST, incrementing its IPID by 1. The attacker then probes the zombie again and sees the increment, revealing the port state. A single-step increment of +1 is the expected response for one interaction on an open port.