Idle Scan: Which scan uses a zombie host and relies on IPID behavior?


Multiple Choice

Idle Scan: Which scan uses a zombie host and relies on IPID behavior?

Explanation:
The correct answer is the Idle Scan (Nmap option -sI). It is a stealthy TCP port scan that never sends the target a packet from the scanner's own address. Instead it relies on a third host, the zombie, which must be idle and must assign the IP identification (IPID) field from a single global counter that increases by one for every packet it sends. The zombie does not have to be compromised; any quiet host with that IPID behavior will do, and Nmap checks the zombie's IPID sequence class before starting.

The scan works in three steps per port. First, the scanner probes the zombie directly (a SYN/ACK that the zombie answers with a RST) and records the IPID of that RST. Second, it sends a SYN to the target port with the zombie's address forged as the source. If the port is open, the target replies to the zombie with a SYN/ACK; the zombie has no such connection, so it sends a RST back and consumes one IPID. If the port is closed, the target sends the zombie a RST, which the zombie silently ignores, consuming no IPID. If a firewall drops the SYN, nothing reaches the zombie at all. Third, the scanner probes the zombie again and compares IPIDs: the scanner's own probe always costs one, so an increase of two means open and an increase of one means closed or filtered. The target's replies go to the zombie, not to the scanner, and the zombie's IPID counter is the side channel that reveals them; the target's logs show only the zombie's address.

Two caveats matter in practice. Closed and filtered ports are indistinguishable, so Nmap reports them as closed|filtered. And any other traffic the zombie sends during the scan pollutes the counter, which is why Nmap sends several probes per port and why a busy zombie, or one with per-host or randomized IPIDs, cannot be used. Because host discovery would otherwise come from the scanner's own address, idle scans are normally run with -Pn.

The other choices do not use a zombie or an IPID side channel: a list scan (-sL) only lists and resolves the targets without sending them any port probes; a null scan (-sN) sends TCP packets with no flags set, to which closed ports answer with a RST while open or filtered ports stay silent; and a TCP connect scan (-sT) completes the full three-way handshake through the operating system's socket API from the scanner's own IP address.
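The exchange described above, modeled end to end as an added example (this is illustrative code written for this page, not Nmap's source). The hosts, addresses and port states are constructed for the demonstration; a real scan is run with `nmap -Pn -sI <zombie> <target>`. The model also shows what goes wrong when the zombie is not idle, which is why Nmap checks the zombie's IPID class and sends several probes per port.

```python
"""Model of the idle-scan IPID side channel (added illustration, not Nmap's code)."""
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    flags: str        # "SYN", "SYN/ACK" or "RST"
    dport: int = 0
    ipid: int = 0     # IP identification field, assigned by the sender


class Zombie:
    """A host that assigns IPIDs from one global counter, +1 per packet sent."""

    def __init__(self, ip, start_ipid=1000, background=0):
        self.ip = ip
        self.next_ipid = start_ipid
        # Packets the zombie sends to other parties between the packets we see.
        # 0 models a truly idle zombie; anything else pollutes the side channel.
        self.background = background

    def _send(self, dst, flags):
        pkt = Packet(self.ip, dst, flags, ipid=self.next_ipid)
        self.next_ipid += 1                   # every packet sent consumes one IPID
        return pkt

    def receive(self, pkt):
        self.next_ipid += self.background     # unrelated traffic since the last packet
        if pkt.flags == "SYN/ACK":
            return self._send(pkt.src, "RST")  # no such connection: answer with RST
        return None                           # an unsolicited RST is silently dropped


class Target:
    def __init__(self, ip, open_ports, filtered_ports=()):
        self.ip = ip
        self.open = set(open_ports)
        self.filtered = set(filtered_ports)

    def receive(self, pkt):
        if pkt.flags != "SYN":
            return None                       # e.g. the zombie's RST: ignored
        if pkt.dport in self.filtered:
            return None                       # firewall drops the SYN, nobody replies
        if pkt.dport in self.open:
            return Packet(self.ip, pkt.src, "SYN/ACK")
        return Packet(self.ip, pkt.src, "RST")


class Network:
    """Delivers a packet and then chases the chain of replies it triggers."""

    def __init__(self, *hosts):
        self.hosts = {h.ip: h for h in hosts}

    def deliver(self, pkt):
        first_reply = None
        while pkt is not None and pkt.dst in self.hosts:
            reply = self.hosts[pkt.dst].receive(pkt)
            if first_reply is None:
                first_reply = reply
            pkt = reply
        return first_reply


def idle_scan_port(attacker_ip, zombie, target, port, net):
    """Classify one target port without ever addressing the target from attacker_ip."""
    # 1. Probe the zombie directly and note the IPID of its RST.
    before = net.deliver(Packet(attacker_ip, zombie.ip, "SYN/ACK")).ipid
    # 2. SYN to the target with the zombie's address forged as the source.
    #    The target's reply goes to the zombie; the attacker never sees it,
    #    so the value deliver() returns here is deliberately discarded.
    #    Open: target SYN/ACKs the zombie, zombie RSTs back (+1 IPID).
    #    Closed: target RSTs the zombie, zombie ignores it (+0).
    #    Filtered: nothing reaches the zombie (+0), same as closed.
    net.deliver(Packet(zombie.ip, target.ip, "SYN", dport=port))
    # 3. Probe the zombie again; our own probe always accounts for +1.
    after = net.deliver(Packet(attacker_ip, zombie.ip, "SYN/ACK")).ipid
    delta = after - before
    if delta == 2:
        return "open"
    if delta == 1:
        return "closed|filtered"
    return "unknown"   # zombie was not idle during the window; Nmap would re-probe


if __name__ == "__main__":
    zombie = Zombie("10.0.0.5")                      # constructed addresses
    target = Target("10.0.0.9", open_ports={22}, filtered_ports={443})
    net = Network(zombie, target)
    for port in (22, 80, 443):
        print(port, idle_scan_port("10.0.0.2", zombie, target, port, net))
    # A busy zombie breaks the inference: stray IPIDs either make the delta
    # unusable or, worse, make a filtered port look open.
    noisy = Zombie("10.0.0.6", background=1)
    noisy_net = Network(noisy, target)
    for port in (80, 443):
        print("noisy zombie", port,
              idle_scan_port("10.0.0.2", noisy, target, port, noisy_net))
```

With the idle zombie the scan reports 22 as open and both 80 and 443 as closed|filtered, which is exactly the ambiguity the explanation describes. With one extra packet of background traffic per window, port 80 comes back as unknown and filtered port 443 is misreported as open, so the inference is only trustworthy when the zombie is genuinely idle.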