PrepAway - Latest Free Exam Questions & Answers

One Comment on “what will be the response?

  1. jansen9 says:

    IDLE scanning: a TCP port scan method that consists of sending spoofed packets to a computer to find out what services are available.
    This is accomplished by impersonating another computer called a “zombie” (that is not transmitting or receiving information) and observing the behavior of the “zombie” system.

    IDLE scans take advantage of the predictable Identification field value in the IP header: every IP packet from a given source has an ID that uniquely identifies fragments of an original IP datagram; the protocol implementation assigns values to this mandatory field generally by a fixed value (1) increment.

    – Attacker would first scan for a host with a sequential and predictable sequence number (IPID).
    – Send a SYN packet to the target computer, spoofing the IP address of the zombie.
    – If the port on the target computer is open, it will accept the connection and respond with a SYN/ACK packet back to the zombie.
    – The zombie will then send a RST packet to the target computer (to reset the connection) because it did not actually send the SYN packet in the first place.
    – Since the zombie had to send the RST packet, it will increment its IPID, and this is how the attacker would find out if the target's port is open.

    Source: https://en.wikipedia.org/wiki/Idle_scanv
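
The exchange described in the comment above leaves a recognizable trace next to the zombie: SYN/ACKs arrive for connections it never opened, and it answers each with a RST. The following detection sketch is an added example, not part of the original comment; the record layout, addresses, ports and the `min_ports` threshold are assumptions made up for illustration.

```python
from collections import defaultdict

# Constructed sample records (ts, src, sport, dst, dport, tcp_flags) as captured
# next to host 10.0.0.5; every address and port here is made up.
SAMPLE = [
    (1.0, "10.0.0.5", 40000, "10.0.0.9", 443, "S"),    # genuine outbound SYN
    (1.1, "10.0.0.9", 443, "10.0.0.5", 40000, "SA"),   # solicited reply
    (2.0, "10.0.0.20", 22, "10.0.0.5", 51000, "SA"),   # 10.0.0.5 never sent a SYN
    (2.1, "10.0.0.5", 51000, "10.0.0.20", 22, "R"),    # so it resets
    (3.0, "10.0.0.20", 80, "10.0.0.5", 51000, "SA"),
    (3.1, "10.0.0.5", 51000, "10.0.0.20", 80, "R"),
    (4.0, "10.0.0.20", 445, "10.0.0.5", 51000, "SA"),
    (4.1, "10.0.0.5", 51000, "10.0.0.20", 445, "R"),
]

def find_unsolicited_synacks(records, min_ports=3):
    """Return {(host, peer): sorted peer ports} for hosts that reset at least
    min_ports SYN/ACKs from one peer without ever having sent the SYN."""
    syn_sent = set()          # (src, sport, dst, dport) of every SYN observed
    pending = set()           # unsolicited SYN/ACKs still waiting for a RST
    hits = defaultdict(set)   # (host, peer) -> peer ports that were reset
    for _ts, src, sport, dst, dport, flags in sorted(records):
        if flags == "S":
            syn_sent.add((src, sport, dst, dport))
        elif flags == "SA":
            # A solicited SYN/ACK mirrors a SYN seen earlier on the same 4-tuple.
            if (dst, dport, src, sport) not in syn_sent:
                pending.add((src, sport, dst, dport))
        elif flags == "R" and (dst, dport, src, sport) in pending:
            pending.discard((dst, dport, src, sport))
            hits[(src, dst)].add(dport)
    return {pair: sorted(ports) for pair, ports in hits.items()
            if len(ports) >= min_ports}

if __name__ == "__main__":
    for (host, peer), ports in find_unsolicited_synacks(SAMPLE).items():
        print(f"{host} reset unsolicited SYN/ACKs from {peer}, ports {ports}")
```

A host flagged this way is a candidate for the "zombie" role, and the listed ports are the ones on the peer that answered as open.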

