If an attacker’s computer sends an IPID of 31400 to a zombie (Idle Scanning) computer on an
open port, what will be the response?
A.
31400
B.
31402
C.
The zombie will not send a response
D.
31401
Explanation:
31402 is the correct answer.
Get 50% Discount on All Your Purchases
at PrepAway.com - Latest Exam Questions
This is ONE TIME OFFER
50%
Fundamentally, an idle scan consists of three steps that are repeated for each port:
Probe the zombie’s IP ID and record it.
Forge a SYN packet from the zombie and send it to the desired port on the target. Depending on the port state, the target’s reaction may or may not cause the zombie’s IP ID to be incremented.
Probe the zombie’s IP ID again. The target port state is then determined by comparing this new IP ID with the one recorded in step 1.
After this process, the zombie’s IP ID should have increased by either one or two. An increase of one indicates that the zombie hasn’t sent out any packets, except for its reply to the attacker’s probe. This lack of sent packets means that the port is not open (the target must have sent the zombie either a RST packet, which was ignored, or nothing at all). An increase of two indicates that the zombie sent out a packet between the two probes. This extra packet usually means that the port is open (the target presumably sent the zombie a SYN/ACK packet in response to the forged SYN, which induced a RST packet from the zombie). Increases larger than two usually signify a bad zombie host. It might not have predictable IP ID numbers, or might be engaged in communication unrelated to the idle scan.
http://nmap.org/book/idlescan.html
I think this question should be modified as below:
If an attacker’s computer receives an IPID of 31400 from a zombie at the beginning of an Idle Scan, what will be the response at the end of an Idle Scan from the zombie if the real target port is open?
31402