This ```auxiliary/scanner/ip/ipidseq``` module will probe hosts' IPID sequences and classify them using the same method Nmap uses when it's performing its IPID Idle Scan (-sI) and OS Detection (-O).
3
+
This `auxiliary/scanner/ip/ipidseq` module will probe hosts' IPID sequences and classify them
4
+
using the same method Nmap uses when it's performing its IPID Idle Scan (-sI) and OS Detection (-O).
4
5
5
-
More information: https://nmap.org/book/idlescan.html
6
+
The module should only be used in internal networks.
6
7
7
-
Nmap's probes are SYN/ACKs while this module's are SYNs.
8
-
While this does not change the underlying functionality, it does change the chance of whether or not the probe will be stopped by a firewall.
8
+
Possible methods of IPID generation:
9
+
1. Unknown
10
+
2. Randomized
11
+
3. All zeros
12
+
4. Random positive increments
13
+
5. Constant
14
+
6. Broken little-endian incremental!
15
+
7. Incremental!
9
16
10
-
Nmap's Idle Scan can use hosts whose IPID sequences are classified as "Incremental" or "Broken little-endian incremental".
17
+
The module should only be used in internal networks.
18
+
19
+
### Nmap Idle Scan
20
+
21
+
Nmap's probes are SYN/ACKs while this module's are SYNs.
22
+
While this does not change the underlying functionality,
23
+
it does change the chance of whether or not the probe will be stopped by a firewall.
24
+
25
+
Nmap's Idle Scan can use hosts whose IPID sequences are classified as "Incremental" or "Broken little-endian incremental".
26
+
27
+
More information: https://nmap.org/book/idlescan.html
11
28
12
29
## Verification Steps
13
30
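Review bot: the sentence "The module should only be used in internal networks." is now duplicated, at new line 6 and again at new line 17; keep one copy (the one at line 17, next to the general description, reads best) and drop the other. Neither copy says why internal use is required; since the rest of the text explains that the probes are raw SYNs and that a TTL=1 datagram is used to learn the gateway's MAC, a short clause giving that reason would make the restriction understandable rather than just asserted.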
14
-
1. Start msfconsole
15
-
1. Do: `use auxiliary/scanner/ip/ipidseq`
16
-
1. Do: `set RHOSTS [ip]`
17
-
1. Do: `run` or `exploit`
31
+
1. Start msfconsole
32
+
1. Do: `use auxiliary/scanner/ip/ipidseq`
33
+
1. Do: `set RHOSTS [ip]`
34
+
1. Do: `run` or `exploit`
18
35
19
36
## Options
20
37
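Review bot: new lines 31-34 are textually identical to the removed old lines 14-17 ("1. Start msfconsole" through "1. Do: `run` or `exploit`"), so this region is a whitespace- or indentation-only change; please confirm that is intentional. If the aim was to renumber the steps, note that every item still reads "1." (Markdown will still render them as 1-4, so the current form is acceptable as is).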
21
-
```
22
-
Basic options:
23
-
Name Current Setting Required Description
24
-
---- --------------- -------- -----------
25
-
INTERFACE no The name of the interface
26
-
RHOSTS 10.0.20.254 yes The target host(s)
27
-
RPORT 80 yes The target port
28
-
SNAPLEN 65535 yes The number of bytes to capture
29
-
THREADS 1 yes The number of concurrent threads (max one per host)
30
-
TIMEOUT 500 yes The reply read timeout in milliseconds
31
-
```
38
+
### SNAPLEN
39
+
The number of bytes to capture
32
40
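Review bot: removing the options table at old lines 21-31 drops the INTERFACE, RPORT, THREADS and TIMEOUT descriptions and the RHOSTS entry, while the replacement documents only SNAPLEN; keep a line per option (or at least RHOSTS, RPORT and TIMEOUT, which the table marked as required) so the Options section stays complete. The new "### SNAPLEN" entry also just repeats the table's one-line description ("The number of bytes to capture") and should say when a user would change it from the default of 65535.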
33
-
### Advanced Options
34
-
```
35
-
Name Current Setting Required Description
36
-
---- --------------- -------- -----------
37
-
GATEWAY_PROBE_HOST 8.8.8.8 yes Send a TTL=1 random UDP datagram to this host to discover the default gateway's MAC
38
-
GATEWAY_PROBE_PORT no The port on GATEWAY_PROBE_HOST to send a random UDP probe to (random if 0 or unset)
39
-
SAMPLES 6 yes The IPID sample size
40
-
SECRET 1297303073 yes A 32-bit cookie for probe requests.
41
-
ShowProgress true yes Display progress messages during a scan
42
-
ShowProgressPercent 10 yes The interval in percent that progress should be shown
43
-
VERBOSE false no Enable detailed status messages
44
-
WORKSPACE no Specify the workspace for this module
41
+
### GATEWAY_PROBE_HOST
42
+
Send a TTL=1 random UDP datagram to this host to discover the default gateway's MAC
45
43
46
-
```
44
+
### SAMPLES
45
+
The IPID sample size. Must be greater than 2.
47
46
48
-
Required Options:
49
-
1. RHOSTS
47
+
### SECRET
48
+
A 32-bit cookie for probe requests.
50
49
51
50
52
51
## Scenarios
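Review bot: the "### Advanced Options" heading and table at old lines 33-46 are removed, which loses GATEWAY_PROBE_PORT, ShowProgress, ShowProgressPercent, VERBOSE and WORKSPACE, and the "Required Options: 1. RHOSTS" note at old lines 48-49 has no replacement, so a reader can no longer tell which options are required. The new GATEWAY_PROBE_HOST subsection drops the default of 8.8.8.8 shown in the removed table; given the new "internal networks only" wording, it is worth stating that default explicitly and that the datagram is sent with TTL=1, so it only reaches the first hop and is used to learn the gateway's MAC. The added "Must be greater than 2." constraint on SAMPLES is useful; stating the default of 6 next to it, as the removed table did, would keep that information on the page.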
53
-
Possible output:
54
-
1. Unknown
55
-
2. Randomized
56
-
3. All zeros
57
-
4. Random positive increments
58
-
5. Constant
59
-
6. Broken little-endian incremental!
60
-
7. Incremental!
61
52
62
-
63
-
### Example Incremental
53
+
### Example Incremental
64
54
65
55
```
66
56
msf6 auxiliary(scanner/ip/ipidseq) > set RHOSTS 10.0.20.254
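Review bot: the "Possible output" list removed from Scenarios at old lines 53-60 reappears verbatim as "Possible methods of IPID generation" in the description (new lines 8-15), which is the better place for it, but Scenarios now opens directly with "### Example Incremental" and no sentence saying what the example demonstrates; a one-line introduction naming the classification shown would help. The removal of old lines 62-63 and re-addition of "### Example Incremental" at new line 53 is textually identical, so that part is a whitespace-only change.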