What is an idle (s0) scan and how does -sI <zombie> work?

Study for the Nmap/ZenMap Switches Test. Prepare with flashcards and multiple choice questions; each question provides hints and explanations. Get ready for your exam!

Multiple Choice

What is an idle (s0) scan and how does -sI <zombie> work?

Explanation:
Idle scanning uses a zombie host as a timing controller to infer port states without sending direct probes from your machine. The scanner spoofs the zombie’s IP address when contacting the target, so the target’s replies go to the zombie, not to you. By watching how the zombie’s IPID field changes between carefully timed measurements, the scanner can determine whether the target port is open, closed, or filtered. The -sI <zombie> switch tells Nmap to perform this idle scan and specifies which host to use as the zombie. This method hinges on predictable IPID behavior from the zombie and is not primarily about ping-based host discovery, UDP probes, or IPv6-only scanning.

