How does nmap do a zombie and decoy scan?

The basic idea of a Zombie or Idle scan is to send source-spoofed packets to the target, then observe some state change in the TCP/IP stack of the machine with the spoofed source address. The original method, discovered in 1998, used the IP ID field to observe the state.

Nmap's -sI Idle Scan is a good implementation that is able to query the Zombie/Idle host to determine its algorithm for incrementing the IP ID field; in some cases, it increments by 2 or by 256. It is up to the user to choose an appropriate Zombie host. By performing a scan with the -O (OS fingerprinting) and -v (verbose) flags, the user can find machines which have an incremental IP ID sequence, then target them with Nping or another packet crafting tool to identify those that are not experiencing a lot of traffic. The "Idle" part of the scan means that the Zombie must be mostly idle (not communicating with other hosts) in order for the scan to work. Finally, the scan is conducted using a command like you posted: nmap -Pn -sI zombieIP targetIP

The technique goes something like this:

  1. Nmap probes the Zombie to determine its IP ID sequence class and the current value it is using.
  2. Nmap then sends TCP SYN packets to various ports on the target, but spoofs the source address to be that of the Zombie.
  3. During the scan, Nmap continually probes the Zombie to find out how many packets it has sent. Expecting one packet per probe, if it finds that two packets have been sent, it can assume that the other one was a RST packet in response to the target's SYN/ACK, indicating an open port.

In version 6.45, Nmap added the ability to do Idle scans over IPv6. The technique is similar, but uses the IPv6 Fragmentation ID field instead. The technique was discovered by Mathias Morbitzer, and will be available in the next release of Nmap.


Decoy scans are a much-less-interesting technique. All packets originate from your scanning machine, but some have spoofed source addresses. Any replies to these spoofed sources will not arrive at your scanner, so they cannot be used to determine port states. This technique only serves to confuse port scan detection, and does not offer any information beyond a regular scan.
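
To make the counting in step 3 of the Idle scan concrete, here is an added example (not part of the original answer and not Nmap's code): an in-memory model of a Zombie with a single global IP ID counter. It sends no packets; all class, function and parameter names are hypothetical, and the "closed|filtered" label assumes that a filtered port looks the same as a closed one because nothing reaches the Zombie.

```python
# Added illustration: in-memory model of the IP ID side channel; sends no packets.
# Class, function and parameter names are hypothetical, not Nmap's.
class Zombie:
    """Host with one global IP ID counter, advanced for every packet it sends."""

    def __init__(self, ipid=1000, step=1):
        self.ipid, self.step = ipid, step  # step models increments of 1, 2 or 256

    def send(self):
        self.ipid = (self.ipid + self.step) % 65536  # IP ID is a 16-bit field
        return self.ipid


def target_reply(open_ports, port):
    """What the target sends back to the spoofed source address (the Zombie)."""
    return "SYN/ACK" if port in open_ports else "RST"


def infer_port(zombie, open_ports, port, background_packets=0):
    """Infer one port state purely from the Zombie's IP ID before and after."""
    before = zombie.send()  # step 1: the probe reply reveals the current IP ID
    if target_reply(open_ports, port) == "SYN/ACK":  # step 2: spoofed SYN answered
        zombie.send()  # unexpected SYN/ACK makes the Zombie send a RST
    # A RST from the target is dropped by the Zombie: no packet, no IP ID change.
    for _ in range(background_packets):
        zombie.send()  # unrelated traffic from a Zombie that is not idle
    after = zombie.send()  # step 3: probe again and count packets sent since
    sent = ((after - before) % 65536) // zombie.step
    return {1: "closed|filtered", 2: "open"}.get(sent, "unreliable")


if __name__ == "__main__":
    ports = {22, 80}  # constructed sample: open ports on the modelled target
    print(infer_port(Zombie(), ports, 80))                        # open
    print(infer_port(Zombie(), ports, 23))                        # closed|filtered
    print(infer_port(Zombie(ipid=65280, step=256), ports, 22))    # open, across wrap
    print(infer_port(Zombie(), ports, 23, background_packets=1))  # open (wrong)
    print(infer_port(Zombie(), ports, 23, background_packets=3))  # unreliable
```

The last two calls show why the Zombie must be idle: a single unrelated packet makes a closed port look open. A host whose IP ID is not a predictable global counter gives this count no meaning.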
