Thread: BuYS - Question on NMap (-sI)

  1. #1 abhaythehero (Super Commando Dhruv)

    Post BuYS - Question on NMap (-sI)



    Sorry guys, totally forgot about this one!

    Read the rules here >> http://www.garage4hackers.com/showth...skills-Ver-2.0

    PM me to give the answers. After sufficient responses or after the time frame, I will post them here.

    Question :

    Code:
    # nmap -v -sI 192.168.0.20 192.168.0.55 -PN

    • 192.168.0.20 is ?
    • 192.168.0.55 is ?
    • What type of nmap scanning is this?
    • Why is -PN used?

    Time frame : 3 days
    Last edited by abhaythehero; 03-16-2011 at 08:18 AM.
    In the world of 0s and 1s, are you a zero or The One !


  3. #2 fb1h2s (Security Researcher)
    Hey, let the time frame be 24 hours. That way we could get more questions.

    Check your PM, I have answered.
    Hacking Is a Matter of Time Knowledge and Patience

  4. #3 abhaythehero (Super Commando Dhruv)
    OK.. I am posting the answer.

    prashant's answer >>

    I think it's an idle scan, I had read about it from b0nd bro's post. It's used to carry out a stealth scan which cannot be caught. This type of scan is tough to launch as it requires a zombie host too. PN is used when pings are blocked by a firewall, so as to check the availability of the target when it seems to be dead from a normal scan.

    * I think the first IP address is of the zombie host and the second one is the target host.

    fb1h2s' answer >>

    192.168.0.20 is zombie IP
    0.55 target
    -PN ping not "won't ping the host", helps in case of a few firewall rules

    s is for zombieeee, uses a spoofed IP address as a decoy

    What type of scan? Well, version (banner grabbing) is checked, so definitely a full scan.

    My answer >>

    192.168.0.20 is zombie station.

    192.168.0.55 is the target station to be scanned (which can be behind a firewall).

    This type of nmap scanning is called Idlescan where increase in IPID values is calculated to know whether a port on target is open or not.



    (Screenshots from Prof Messer Nmap secret training)

    -PN is for not pinging the target directly at any time in the scanning process.

    Thanks for answering guys and thanks to b0nd for pointing out that -P0 is deprecated now.

    Well, it's someone else's turn now to ask a question.
    In the world of 0s and 1s, are you a zero or The One !
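    The IPID bookkeeping behind the idle scan answer above, as an added example that is not part of the thread: a toy zombie with an incremental IP ID counter, the three-step probe that reads the counter before and after the spoofed SYN, and the check a defender runs on their own hosts to see whether the IP ID generator is predictable enough to be abused as a zombie. All IPID values are constructed sample data, not captured traffic.

```python
from typing import List


class Zombie:
    """Minimal model of an idle host whose IP ID counter increments by one
    for every packet it emits (the property an idle scan relies on)."""

    def __init__(self, ipid: int = 1000):
        self.ipid = ipid

    def send(self) -> int:
        # Every packet the zombie sends consumes one IP ID (16-bit wrap).
        self.ipid = (self.ipid + 1) % 65536
        return self.ipid


def ipid_generation(samples: List[int]) -> str:
    """Classify a host's IP ID generation from successive probe responses.
    'incremental' is the predictable class an attacker needs in a zombie,
    so a defender runs this against their own hosts and fixes those."""
    if len(samples) < 3:
        raise ValueError("need at least three samples")
    if all(s == 0 for s in samples):
        return "zero"            # host always sends IP ID 0: unusable as zombie
    deltas = [(b - a) % 65536 for a, b in zip(samples, samples[1:])]
    if all(d == 1 for d in deltas):
        return "incremental"     # predictable: viable zombie, worth fixing
    return "random"              # unpredictable: unusable as zombie


def infer_port_state(ipid_before: int, ipid_after: int) -> str:
    """Open: target SYN/ACKs the zombie, zombie answers RST -> counter +2.
    Closed or filtered: target RSTs (ignored) or drops -> only the
    scanner's own second probe advanced the counter -> +1."""
    delta = (ipid_after - ipid_before) % 65536
    if delta == 2:
        return "open"
    if delta == 1:
        return "closed|filtered"
    return "unknown"             # zombie was not idle; result is unreliable


def idle_probe(zombie: Zombie, target_port_open: bool, background_pkts: int = 0) -> str:
    """Simulate one -sI probe. The scanner never touches the target with its
    own address (hence -PN: no direct ping); only the zombie's IP ID is read."""
    before = zombie.send()                 # step 1: zombie RSTs our SYN/ACK, leaking IPID
    if target_port_open:                   # step 2: spoofed SYN reaches target
        zombie.send()                      # open port -> SYN/ACK to zombie -> zombie RSTs
    for _ in range(background_pkts):       # a busy zombie skews the count
        zombie.send()
    after = zombie.send()                  # step 3: re-read zombie's IPID
    return infer_port_state(before, after)
```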

  5. #4 fb1h2s (Security Researcher)
    Hey, I got a doubt: how does nmap check the version when only a half-SYN scan is done? Someone please clear this doubt.

    I will delete this doubt question right after I get some help.
    Hacking Is a Matter of Time Knowledge and Patience

  6. #5 abhaythehero (Super Commando Dhruv)
    Quote Originally Posted by fb1h2s
    how does nmap check the version when only a half-SYN scan is done,
    Do you mean version of OS/Application/Service? :O
    Only open ports can be detected by this method. OS fingerprinting, application and service detection are not possible by this method.
    In the world of 0s and 1s, are you a zero or The One !

  7. #6 webdevil (Security Researcher)
    Version detection will use a full TCP connect. That's the reason it's a separate option.
    You always have Wireshark to prove it to yourself.

    And why would you want to delete your post. It's always helpful to others.
    Last edited by webdevil; 03-17-2011 at 01:47 AM.

  8. #7 b0nd (Garage Hyper Addict)
    Quote Originally Posted by webdevil
    And why would you want to delete your post. It's always helpful to others.
    Right.

    To keep things clean, a separate sub-forum has been created for such active discussions. Dedicate a new thread to every new question. Hence there is no need to delete any "doubt" or cross question out of concern for keeping the forum clean. Shoot as many as you can.


    Rgds
    [*] To follow the path: look to the master, follow the master, walk with the master, see through the master,
    ------> become the master!!! <------
    [*] Everyone has a will to WIN but very few have the will to prepare to WIN
    [*] Invest yourself in everything you do, there's fun in being serious

  9. #8 fb1h2s (Security Researcher)
    Oh ok, a separate thread for each discussion, that's fine then, so doubts could still be here.

    So we use a decoy for being anonymous and a half scan is done, but then when we use the -V flag, the point of doing a spoofed scan becomes pointless, right??
    Hacking Is a Matter of Time Knowledge and Patience

  10. #9 b0nd (Garage Hyper Addict)
    Quote Originally Posted by fb1h2s View Post
    Oh ok, a separate thread for each discussion, that's fine then, so doubts could still be here.

    So we use a decoy for being anonymous and a half scan is done, but then when we use the -V flag, the point of doing a spoofed scan becomes pointless, right??
    Though I am digging up an old thread, the intention is to clear up a few things so that beginners don't get confused.
    1. -v or -V are not -sV

    In the first thread '-v' is used which is for verbose output
    -V is to check the version of NMap
    -sV is for service detection

    Your point is valid Fb1. It doesn't make sense using decoy and doing service detection.

    Cheers!
    [*] To follow the path: look to the master, follow the master, walk with the master, see through the master,
    ------> become the master!!! <------
    [*] Everyone has a will to WIN but very few have the will to prepare to WIN
    [*] Invest yourself in everything you do, there's fun in being serious
