Re: Changing Source Port For Nmap Idle Scan

From: Joachim Schipper (
Date: 03/28/05

  • Next message: Dan Tesch: "Nessus Plugins"
    Date: Mon, 28 Mar 2005 21:02:08 +0200

    On Mon, Mar 28, 2005 at 02:50:47AM -0000, SecureHacK wrote:
    > Hello I have a quick question I have been experimenting with idle scanning and I have read the paper on it and I have an understanding of what goes on during the process I am also an avid nmap user.What I am trying to figure out is is there anyway to change the port to use during the idle scan by default it's port 80 so using the -g option it should change the source port to whatever I want I have used this option but it still only uses port 80 is this changeable? For example find a machine with port 139 open could we change our source port to 139 and use that?
    > Cheers

    It's in TFMP (for 3.75 at least), see the following snippet (in
    particular the last pararaph) from nmap(1):

           -sI <zombie host[:probeport]>
                  Idlescan: This advanced scan method allows for a truly blind TCP
                  port scan of the target (meaning no packets are sent to the tar-
                  get from your real IP address). Instead, a unique side-channel
                  attack exploits predictable "IP fragmentation ID" sequence gen-
                  eration on the zombie host to glean information about the open
                  ports on the target. IDS systems will display the scan as com-
                  ing from the zombie machine you specify (which must be up and
                  meet certain criteria). I wrote an informal paper about this
                  technique at .

                  Besides being extraordinarily stealthy (due to its blind
                  nature), this scan type permits mapping out IP-based trust rela-
                  tionships between machines. The port listing shows open ports
                  from the perspective of the zombie host. So you can try scan-
                  ning a target using various zombies that you think might be
                  trusted (via router/packet filter rules). Obviously this is
                  crucial information when prioritizing attack targets. Other-
                  wise, you penetration testers might have to expend considerable
                  resources "owning" an intermediate system, only to find out that
                  its IP isn't even trusted by the target host/network you are
                  ultimately after.

                  You can add a colon followed by a port number if you wish to
                  probe a particular port on the zombie host for IPID changes.
                  Otherwise Nmap will use the port it uses by default for "tcp

    Good luck,


  • Next message: Dan Tesch: "Nessus Plugins"