nerdexam
EC-Council

312-50V10 · Question #856

What firewall evasion scanning technique make use of a zombie system that has low network activity as well as its fragment identification numbers?

The correct answer is D. Idle scanning. Idle scanning uses a zombie host's predictable IP fragment identification (IP ID) sequence numbers to stealthily probe a target without revealing the attacker's real IP address.

Evading IDS, Firewalls, and Honeypots

Question

What firewall evasion scanning technique make use of a zombie system that has low network activity as well as its fragment identification numbers?

Options

  • ADecoy scanning
  • BPacket fragmentation scanning
  • CSpoof source address scanning
  • DIdle scanning

How the community answered

(25 responses)
  • B
    4% (1)
  • C
    4% (1)
  • D
    92% (23)

Why each option

Idle scanning uses a zombie host's predictable IP fragment identification (IP ID) sequence numbers to stealthily probe a target without revealing the attacker's real IP address.

ADecoy scanning

Decoy scanning obscures the real scanner by mixing spoofed source IPs into the scan traffic, but it does not use a zombie host or rely on monitoring fragment identification numbers to infer port state.

BPacket fragmentation scanning

Packet fragmentation scanning splits TCP/IP headers across multiple small packets to bypass stateless firewall inspection, and has no dependency on a zombie system or IP ID analysis.

CSpoof source address scanning

Spoof source address scanning simply forges the source IP on outgoing packets but does not involve selecting a zombie with low activity or measuring its IP ID increments to determine target port status.

DIdle scanningCorrect

Idle scanning exploits a zombie system that has very low network activity so its IP ID numbers increment predictably and in isolation. The attacker probes the zombie's IP ID before and after sending a spoofed SYN packet to the target on the victim's behalf - if the zombie's IP ID increments by 2, the target port is open; by 1, it is closed - all without the attacker's IP address appearing in any target logs.

Concept tested: Nmap idle scan using zombie IP ID numbers

Source: https://nmap.org/book/idlescan.html

Topics

#idle scanning#zombie system#firewall evasion#IP ID sequence

Community Discussion

No community discussion yet for this question.

Full 312-50V10 Practice