Nmap – Locating Idle Scan Zombies and FTP Bounce Servers

So, having read my previous posts on Idle Scanning and FTP Bounce, you may be interested in finding usable boxes.

Now, as I suggested, you could scan for printers or other embedded devices; they make AMAZING idle scan hosts. However, there is an nmap script which is excellent for checking whether a host is usable, by looking at how its IP ID sequence behaves.

Meet ipidseq.nse

ipidseq.nse is basically a test script that tells you whether a host is usable for idle scans: it sends the host a handful of probes and classifies the IP ID values that come back (what you want is a host that just adds one per packet sent). So, assuming you want a fair few zombies, let's scan 1000 hosts in the hope of finding a few good ones!

root@bha:~# nmap -iR 1000 --script ipidseq -T5 -v -oA zombies

The above scan will scan 1000 random IP addresses (that is what -iR does) using the ipidseq script, testing whether they are usable as zombies. I am using -T5 here as scanning ranges slowly is BORING :P

The -oA zombies option creates three output files: zombies.xml (XML format of the scan), zombies.nmap (normal output), and a third "grepable" version, zombies.gnmap. You can then extract the usable hosts from the normal output using grep or similar: the ones to keep are those whose ipidseq result reads "Incremental!" (or "Broken little-endian incremental!", which nmap can also drive); hosts reported as "Randomized", "Random positive increments", "All zeros" or "Constant" are no use as zombies. Or just scroll through, copy, paste, like myself…

“So we found us some Zombies. What about those Bouncy FTP servers then?”

Well, nmap again has the solution to this problem. The ftp-bounce.nse script. We will use it in a very similar manner to the ipidseq script…

root@bha:~# nmap -iR 1000 --script ftp-bounce -T5 -v -oA bouncyFTP

This does the same as above, except that it outputs a list of FTP servers we can "bounce" through (the script asks the server, via PORT, to open a data connection to a third-party address and reports whether it agrees). Useful, no?

BONUS ROUND! Finding Anonymous FTP Servers for stashin’ yo’ warez!

So. Say you want to store/share a bunch of files and need some storage, or just like rummaging through open FTP servers (likely in search of other people's warez and such… Never know, might find someone's super secret 0day stash!).

How do we go about doing such a thing? Well, guess what? nmap, yet again, solves this problem with the ftp-anon script.

Now, as above, you simply use it like so…

root@bha:~# nmap --script ftp-anon -T5 -iR 1000 -v -oA ftpAnon

Remember: with all of these you can scan actual *ranges* (or a file of targets with -iL) instead of my "scan 1000 random hosts" idea, and this is VERY useful for auditing internal networks, or some specific target networks… I know some web hosting firms may be VERY interested in scanning their own ranges for anonymous FTP setups to detect piracy and such!
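Since both the zombie hunt and the FTP scans above end with "grep the .nmap file", here is an added example of doing that properly. This is my code, not the post's and not part of nmap: a small parser for the normal-output (.nmap) file that -oA writes, which pulls out each host's script results so you can filter on them. The SAMPLE text is constructed to imitate ipidseq and ftp-anon output; the hosts in it are made up, and the exact "Anonymous FTP login allowed" wording is an assumption, while the ipidseq class names are the ones the script reports.

```python
"""Pull usable zombies (and anonymous FTP servers) out of nmap's normal (.nmap) output.

Added example, not from the original post and not nmap code. The SAMPLE below is
constructed; point the script at your own zombies.nmap / ftpAnon.nmap instead.
"""
import re
import sys

# "Nmap scan report for 192.0.2.10" or "Nmap scan report for printer.example (192.0.2.23)"
HOST_RE = re.compile(r"^Nmap scan report for (?P<name>\S+)(?: \((?P<ip>[^)]+)\))?$")
# Script result lines look like "|_ipidseq: Incremental!" or "| ftp-anon: ...";
# indented continuation lines ("|_drwxr-xr-x ...") deliberately do not match.
SCRIPT_RE = re.compile(r"^\|[_ ](?P<script>[\w-]+): (?P<result>.*)$")

# ipidseq classes that nmap's idle scan can actually drive; everything else is useless
USABLE_IPID_CLASSES = ("Incremental!", "Broken little-endian incremental!")


def parse_nmap_output(text):
    """Return one {"ip", "name", "scripts": {script: result}} dict per host in the file."""
    hosts = []
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            ip = m.group("ip") or m.group("name")
            hosts.append({"ip": ip, "name": m.group("name"), "scripts": {}})
            continue
        m = SCRIPT_RE.match(line)
        if m and hosts:
            hosts[-1]["scripts"][m.group("script")] = m.group("result")
    return hosts


def hosts_where(text, script, predicate):
    """IPs of hosts whose result line for `script` satisfies `predicate`."""
    return [h["ip"] for h in parse_nmap_output(text)
            if script in h["scripts"] and predicate(h["scripts"][script])]


def usable_zombies(text):
    return hosts_where(text, "ipidseq", lambda r: r in USABLE_IPID_CLASSES)


def anonymous_ftp(text):
    # wording assumed to match ftp-anon's "Anonymous FTP login allowed (FTP code 230)"
    return hosts_where(text, "ftp-anon", lambda r: r.startswith("Anonymous FTP login allowed"))


# Constructed sample in the shape of -oA normal output (documentation IP ranges).
SAMPLE = """\
Nmap scan report for 192.0.2.10
Host is up (0.021s latency).
PORT   STATE SERVICE
80/tcp open  http

Host script results:
|_ipidseq: Incremental!

Nmap scan report for printer.example (192.0.2.23)
Host is up (0.030s latency).
PORT    STATE SERVICE
515/tcp open  printer

Host script results:
|_ipidseq: Broken little-endian incremental!

Nmap scan report for 203.0.113.7
Host is up (0.012s latency).
PORT   STATE SERVICE
21/tcp open  ftp
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x   2 0        0            4096 Jan 01  2011 pub
22/tcp open  ssh

Host script results:
|_ipidseq: Randomized

Nmap scan report for 203.0.113.9
Host is up (0.015s latency).
PORT   STATE SERVICE
21/tcp open  ftp
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)

Host script results:
|_ipidseq: All zeros
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    print("usable zombies:", usable_zombies(text))
    print("anonymous ftp:", anonymous_ftp(text))
```

Run it as `python3 zombies.py zombies.nmap` (or with no argument to see it work on the sample). The parser attaches every script line to the most recent "Nmap scan report for" host, so the same function serves ftp-bounce output too: swap the script name and predicate in hosts_where.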

Remember, ask before you scan!

Nmap – Idle Scan

So, in part one I briefly described several of nmap's IDS/IPS/firewall evasion techniques, and in this installment (a brief one) I hope to quickly go over another amazing technique: the Idle Scan. This is also a rough draft of an article for the nmap wiki page on http://blackhatacademy.org , which is reopening sometime soon with LOADS of AWESOME new content!

Idle scanning is an INCREDIBLY sneaky scan technique which nmap implements. The awesome thing about idle scan is that it allows you to scan a host without the target ever seeing a packet from YOUR address: every probe it receives appears to come from a third machine.

How this works is actually fairly simple, though I must admit it was pretty mind-bending the first time I looked into it. Please note: idle scans MAY still set off the victim's IDS (the spoofed SYNs are still a port scan, just one that appears to come from the zombie), so I advise -T0 with this, and a hell of a lot of patience. However, seeing as the packets never carry your address, it is a fairly safe method.

So, how DOES it work?
Well, I must admit: I am NO expert on TCP/IP. I know a bit, but still have a lot to learn. But, essentially, it uses the IP ID (identification) field in the IP header, which many hosts simply increment by one for every packet they send. In a basic sense, you find a host that is "idle", i.e. with little to no traffic coming to/from it, and that is your "zombie host". All scanning activity will APPEAR to be coming from this host.

You send your scan packets TO the victim host with the zombie's address forged as the source (yes, you can use the fragmentation options I discussed earlier; I do not think traditional decoys (-D) work here, though, as the whole scan is already "from" the zombie. I will have to check this).
Before you send a packet to the target, you send one to the zombie to learn its current IP ID.

Now for the cool part. When a box receives a stray RST, it does not reply, so it sends no packet and its IP ID does NOT move (assuming the zombie is a host with a predictable IP ID sequence; a lot of boxes just add one per packet sent. Hint from ohdae: printers!).
HOWEVER, when a host receives a SYN/ACK for a connection it never opened, it replies with a RST, and sending that RST DOES consume an IP ID.

So, when your spoofed SYN hits an OPEN port on the victim, the victim replies with a SYN/ACK to the zombie. The zombie answers with a RST, which bumps its IP ID, and when you re-probe the zombie its ID will have gone up by two (one for the RST it sent the victim, one for the RST it sends back to your probe).
When you hit a CLOSED port on the victim, it sends a RST to the zombie, the zombie ignores it, and the zombie's IP ID only goes up by one (from its reply to your probe). A filtered port looks exactly the same as a closed one, since nothing reaches the zombie either way, which is why nmap reports such ports as closed|filtered. So, by probing the zombie immediately before and after each packet to the victim, you can INDIRECTLY find out which ports on the victim are open…

Caveat: This scan does have some inherent "fudge factor" and inaccuracy. Any other traffic that reaches the zombie while you are probing it also bumps its IP ID, so a stray packet can make a closed port look open. Repeating the test a bunch of times sorts most of this out; nmap also retries ports whose results come out inconsistent and checks the zombie's IP ID behaviour before it starts, which is the "magic" that helps here.
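To make the IP ID arithmetic above concrete, here is an added simulation. It is my code, not nmap's, and it sends no packets: a zombie that spends one IP ID per packet it sends, a target with open, closed and filtered ports, and an attacker that takes the before/after difference. It also models the fudge factor, a stray packet reaching the zombie mid-trial, and papers over it with a majority vote over several trials. That vote is a simplification of nmap's own retry logic, not a description of it; the per-trial `noise` list is a constructed input so the failure mode can be reproduced exactly.

```python
"""Idle scan, simulated: added example, not nmap code. Nothing here touches the network."""
from collections import Counter

MASK = 0xFFFF  # the IP ID field is 16 bits wide, so the counter wraps


class Zombie:
    """An idle host whose IP ID goes up by one for every packet it SENDS (ipidseq: 'Incremental!')."""

    def __init__(self, ipid=1000):
        self.ipid = ipid

    def emit(self):
        """Send one packet: burn the next IP ID and return the value it carried."""
        self.ipid = (self.ipid + 1) & MASK
        return self.ipid

    def receive(self, segment):
        """SYN/ACK for a connection it never opened -> it answers RST (one packet sent).
        A stray RST, or nothing at all -> it stays silent and the IP ID does not move."""
        if segment == "SYN/ACK":
            return self.emit()
        return None


class Target:
    def __init__(self, open_ports=(), filtered_ports=()):
        self.open_ports = frozenset(open_ports)
        self.filtered_ports = frozenset(filtered_ports)

    def receive_syn(self, port):
        """What the target sends back to the (spoofed) source address of a SYN."""
        if port in self.filtered_ports:
            return None  # firewall drops it; nothing reaches the zombie
        return "SYN/ACK" if port in self.open_ports else "RST"


def probe_zombie(zombie):
    """Attacker sends the zombie an unsolicited SYN/ACK; the RST it sends back reveals its IP ID."""
    return zombie.emit()


def idle_scan_trial(zombie, target, port, noisy=False):
    """One before/after measurement. Returns how far the zombie's IP ID moved."""
    before = probe_zombie(zombie)
    zombie.receive(target.receive_syn(port))  # SYN spoofed with the zombie's address as source
    if noisy:                                 # someone else talks to the zombie mid-trial
        zombie.receive("SYN/ACK")
    after = probe_zombie(zombie)
    return (after - before) & MASK


def classify(delta):
    """+1: only our own probe reply -> closed or filtered. +2: zombie also RST'd the target -> open."""
    if delta == 1:
        return "closed|filtered"
    if delta == 2:
        return "open"
    return None  # zombie was not idle during this trial; discard it


def idle_scan_port(zombie, target, port, trials=3, noise=()):
    """Majority vote over several trials. `noise` is a constructed per-trial list of True/False."""
    noise = list(noise) + [False] * trials
    votes = Counter()
    for i in range(trials):
        verdict = classify(idle_scan_trial(zombie, target, port, noisy=noise[i]))
        if verdict is not None:
            votes[verdict] += 1
    return votes.most_common(1)[0][0] if votes else "unknown"


def idle_scan(zombie, target, ports, trials=3):
    return {port: idle_scan_port(zombie, target, port, trials) for port in ports}


if __name__ == "__main__":
    z = Zombie(ipid=65534)  # start near the top so the 16-bit wrap-around is exercised
    t = Target(open_ports={22, 80}, filtered_ports={443})
    print(idle_scan(z, t, [22, 25, 80, 443]))
```

Two things worth noticing when you play with it: a filtered port is indistinguishable from a closed one, and a single stray packet during a closed-port trial produces +2, which is exactly what an open port looks like. The vote survives one such trial, but noise on every trial fools it completely, which is the real reason the zombie has to be idle.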

For more information on idlescan in nmap: http://nmap.org/book/idlescan.html

Nmap's man page makes a PARTICULARLY interesting point: what if you use zombie(s) that the victim considers "trusted hosts"? Since the scan appears to come from the zombie, the victim's firewall applies the zombie's access rights to it, which makes this a VERY interesting way of mapping IP-based trust relationships and navigating firewalls… Think it over…
(Pointer: say the victim has an exposed network printer that you KNOW also sits on their internal network. How about zombie-scanning their intranet from the outside through that misconfiguration? Stuff like this is why guys like me look like ninjas sometimes (also, yes, I am currently sleep-deprived and exhausted. Cut me some slack :P )…)

ANYWAYS, now to the usage:

root@bha:~# nmap -Pn -sI zombie.com:23 -T0 victim.tld

This would scan victim.tld using zombie.com as its zombie host, sending the IP ID probes to the zombie on port 23 (note: you do need an open port on the zombie for this… The default is 80). The -Pn matters: without it nmap first runs its usual host discovery against victim.tld from YOUR address, which rather defeats the point of the exercise.

I was going to write more, but then realized that I do not have a lot more to say on this, except that I will be re-writing it and drawing a diagram for the wiki article on Blackhat Academy. http://blackhatacademy.org