312-50V10 · Question #856
What firewall evasion scanning technique make use of a zombie system that has low network activity as well as its fragment identification numbers?
The correct answer is D. Idle scanning. Idle scanning uses a zombie host's predictable IP fragment identification (IP ID) sequence numbers to stealthily probe a target without revealing the attacker's real IP address.
Question
What firewall evasion scanning technique make use of a zombie system that has low network activity as well as its fragment identification numbers?
Options
- ADecoy scanning
- BPacket fragmentation scanning
- CSpoof source address scanning
- DIdle scanning
How the community answered
(25 responses)- B4% (1)
- C4% (1)
- D92% (23)
Why each option
Idle scanning uses a zombie host's predictable IP fragment identification (IP ID) sequence numbers to stealthily probe a target without revealing the attacker's real IP address.
Decoy scanning obscures the real scanner by mixing spoofed source IPs into the scan traffic, but it does not use a zombie host or rely on monitoring fragment identification numbers to infer port state.
Packet fragmentation scanning splits TCP/IP headers across multiple small packets to bypass stateless firewall inspection, and has no dependency on a zombie system or IP ID analysis.
Spoof source address scanning simply forges the source IP on outgoing packets but does not involve selecting a zombie with low activity or measuring its IP ID increments to determine target port status.
Idle scanning exploits a zombie system that has very low network activity so its IP ID numbers increment predictably and in isolation. The attacker probes the zombie's IP ID before and after sending a spoofed SYN packet to the target on the victim's behalf - if the zombie's IP ID increments by 2, the target port is open; by 1, it is closed - all without the attacker's IP address appearing in any target logs.
Concept tested: Nmap idle scan using zombie IP ID numbers
Source: https://nmap.org/book/idlescan.html
Topics
Community Discussion
No community discussion yet for this question.