Idle Scans with Nmap

An idle scan, denoted as -sI in Nmap’s syntax, is an advanced and covert method for performing TCP port scans on a target system. This technique is unique because it allows for a blind port scan, where no packets are sent directly to the target from the attacker’s real IP address. Instead, it utilizes a zombie host to relay the scan, making the activity nearly undetectable and extremely stealthy.

How do idle scans work?

Idle scans work by exploiting a side channel in the TCP/IP protocol. It leverages the predictable nature of IP fragmentation ID sequence generation in the zombie host. The attacker sends crafted packets to the target system but with the source address spoofed to that of the zombie host.

Get hands-on with 1400+ tech skills courses.