land #16359, docs for ipidseq aux module

Author: h00die

documentation/modules/auxiliary/scanner/ip/ipidseq.md

@@ -0,0 +1,62 @@
+## Vulnerable Application
+
+This `auxiliary/scanner/ip/ipidseq` module will probe hosts' IPID sequences and classify them
+using the same method Nmap uses when it's performing its IPID Idle Scan (-sI) and OS Detection (-O).
+
+The module should only be used in internal networks.  Additionally, administrative/root permissions
+are required to successfully capture on the device/interface.
+
+Possible methods of IPID generation:
+
+1. Unknown
+2. Randomized
+3. All zeros
+4. Random positive increments
+5. Constant
+6. Broken little-endian incremental
+7. Incremental
+
+### Nmap Idle Scan
+
+Nmap's probes are SYN/ACKs while this module's are SYNs.
+While this does not change the underlying functionality,
+it does change the chance of whether or not the probe will be stopped by a firewall.
+
+Nmap's Idle Scan can use hosts whose IPID sequences are classified as "Incremental" or "Broken little-endian incremental".
+
+More information: https://nmap.org/book/idlescan.html
+
+## Verification Steps
+
+1. Start msfconsole
+1. Do: `use auxiliary/scanner/ip/ipidseq`
+1. Do: `set RHOSTS [ip]`
+1. Do: `run`
+
+## Options
+
+### SNAPLEN
+The number of bytes to capture. Defaults to `65535`.
+
+### GATEWAY_PROBE_HOST
+Send a TTL=1 random UDP datagram to this host to discover the default gateway's MAC. Defaults to `8.8.8.8`.
+
+### SAMPLES
+The IPID sample size. Must be greater than `2`. Defaults to `6`.
+
+### SECRET
+A 32-bit cookie for probe requests. Defaults to `1297303073`.
+
+## Scenarios
+
+### Example Incremental
+
+```
+msf6 auxiliary(scanner/ip/ipidseq) > set RHOSTS 10.0.20.254
+RHOSTS => 10.0.20.254
+msf6 auxiliary(scanner/ip/ipidseq) > exploit
+
+[*] 10.0.20.254's IPID sequence class: Incremental!
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```