Scanning lab issue

Hi. Just here to make sure I didn't miss anything.

In task 10 they are asking to perform an idle scan in order to determine if port 135 is open on one of the following hosts:

10.50.96.105/110/115

I spent some time trying the idle scan on the targets shown in the tasks and it didn't work for me.

The solutions don't contain any of these hosts, but they contain an idle scan on host 10.50.97.5.

Plus, port 135 on 10.50.97.5 (the host INE was showing the idle scan on) was already discovered as open in the previous tasks.

Also, I didn't get how the telnet service enabled on one of the hosts in 10.50.96.0/24 is related to whether port 135 is open. Can someone explain it to me?

Just here to make sure whether that's the case or I just missed it.

Thank you.

Original post by levievalon469


I was wondering exactly the same.

I used 10.50.97.25 port 1026 for my zombie, as both nmap and hping were showing incremental ID.

Launched an idle scan with nmap and it showed initially port 23 open on 10.50.96.105… then, after this first scan, I wasn't able to replicate the scan again. I have tried different ports both for the zombie and the target (I tried port 135 as stated in the lab instructions and I tried port 23 as well on all 105/110/115 targets)…

Apart from the first lucky result, I couldn't replicate it any other time, nor understand what was going on.

I also tried the manual method with hping, but on all target hosts, with ports 23 and 135, I was having a similar result.

Any help?

Original reply by L30C


Hi, I have a similar situation.

Could not get anything with the idle scan with nmap.

However, I made an idle scan with hping to scan port 135 of 10.50.96.105/110/115, and it seems that the port was open, or at least this is what I think. Below is the output from hping3. I still think the incremental ID values are odd. The output was similar for the 3 hosts I scanned.

len=44 ip=10.50.97.10 ttl=127 DF id=+1 sport=135 flags=SA seq=33 win=64240 rtt=325.0 ms
len=44 ip=10.50.97.10 ttl=127 DF id=+1 sport=135 flags=SA seq=34 win=64240 rtt=252.8 ms
len=44 ip=10.50.97.10 ttl=127 DF id=+1 sport=135 flags=SA seq=35 win=64240 rtt=172.8 ms
len=44 ip=10.50.97.10 ttl=127 DF id=+1 sport=135 flags=SA seq=36 win=64240 rtt=300.5 ms
len=44 ip=10.50.97.10 ttl=127 DF id=+1 sport=135 flags=SA seq=37 win=64240 rtt=276.3 ms
len=44 ip=10.50.97.10 ttl=127 DF id=+1 sport=135 flags=SA seq=38 win=64240 rtt=244.1 ms
len=44 ip=10.50.97.10 ttl=127 DF id=+1 sport=135 flags=SA seq=39 win=64240 rtt=156.0 ms
len=44 ip=10.50.97.10 ttl=127 DF id=+2 sport=135 flags=SA seq=40 win=64240 rtt=187.7 ms
len=44 ip=10.50.97.10 ttl=127 DF id=+2 sport=135 flags=SA seq=41 win=64240 rtt=211.6 ms
len=44 ip=10.50.97.10 ttl=127 DF id=+2 sport=135 flags=SA seq=42 win=64240 rtt=239.5 ms
len=44 ip=10.50.97.10 ttl=127 DF id=+4 sport=135 flags=SA seq=43 win=64240 rtt=159.3 ms
len=44 ip=10.50.97.10 ttl=127 DF id=+3 sport=135 flags=SA seq=44 win=64240 rtt=179.2 ms
len=44 ip=10.50.97.10 ttl=127 DF id=+2 sport=135 flags=SA seq=47 win=64240 rtt=258.7 ms
len=44 ip=10.50.97.10 ttl=127 DF id=5540 sport=135 flags=SA seq=45 win=64240 rtt=3018.9 ms
len=44 ip=10.50.97.10 ttl=127 DF id=+4 sport=135 flags=SA seq=48 win=64240 rtt=278.4 ms
len=44 ip=10.50.97.10 ttl=127 DF id=+4 sport=135 flags=SA seq=49 win=64240 rtt=198.2 ms
len=44 ip=10.50.97.10 ttl=127 DF id=+4 sport=135 flags=SA seq=50 win=64240 rtt=322.0 ms
len=44 ip=10.50.97.10 ttl=127 DF id=+4 sport=135 flags=SA seq=51 win=64240 rtt=249.7 ms
len=44 ip=10.50.97.10 ttl=127 DF id=+4 sport=135 flags=SA seq=52 win=64240 rtt=153.6 ms
len=44 ip=10.50.97.10 ttl=127 DF id=+3 sport=135 flags=SA seq=53 win=64240 rtt=165.5 ms
len=44 ip=10.50.97.10 ttl=127 DF id=+5 sport=135 flags=SA seq=54 win=64240 rtt=161.3 ms
len=44 ip=10.50.97.10 ttl=127 DF id=+3 sport=135 flags=SA seq=55 win=64240 rtt=241.1 ms

Original reply by bonnefoy.simon


Hi, I've checked the lab and nmap seems to be a bit weird for me, so I'd need to double-check if something changed between versions. However, using the hping3 manual method works for me.

Scanning ports 135 and 445 from host 10.50.97.5 by sending 3 packets shows id=+2 6 times.

Original reply by Andres


Coming back to this topic, I figured out that when scanning a port of 10.50.97.10 using 10.50.97.5 as the zombie, when the port is closed I receive id=+2 and when the port is open I receive id=+3. This is different when scanning other hosts with that same zombie; there the behavior is as expected. Not sure what is happening there.

Original reply by bonnefoy.simon
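The hping3 output posted above, and the +2 (closed) / +3 (open) readings reported for the 10.50.97.5 zombie, both come down to the same question: is the zombie's IP ID counter quiet, and what is its baseline? Below is an added example, not part of the lab or of anyone's post in this thread: a small Python parser over constructed lines in the same format as the quoted hping3 -r output. It labels each reply against the most common delta instead of a fixed +1/+2 and flags a zombie whose counter is being advanced by other traffic, which is exactly when idle-scan readings stop being trustworthy.

```python
import re
from collections import Counter

# Constructed sample in the shape of hping3 -r output (relative ids), including one
# absolute id, which hping3 prints when the previous reply was lost and no delta exists.
SAMPLE = """\
len=44 ip=10.50.97.10 ttl=127 DF id=+1 sport=135 flags=SA seq=33 win=64240 rtt=325.0 ms
len=44 ip=10.50.97.10 ttl=127 DF id=+1 sport=135 flags=SA seq=34 win=64240 rtt=252.8 ms
len=44 ip=10.50.97.10 ttl=127 DF id=+1 sport=135 flags=SA seq=35 win=64240 rtt=172.8 ms
len=44 ip=10.50.97.10 ttl=127 DF id=+2 sport=135 flags=SA seq=40 win=64240 rtt=187.7 ms
len=44 ip=10.50.97.10 ttl=127 DF id=+4 sport=135 flags=SA seq=43 win=64240 rtt=159.3 ms
len=44 ip=10.50.97.10 ttl=127 DF id=5540 sport=135 flags=SA seq=45 win=64240 rtt=3018.9 ms
"""

LINE_RE = re.compile(r"\bid=(\+?\d+)\b.*?\bseq=(\d+)\b")


def parse_deltas(text):
    """Return [(seq, delta), ...] for lines carrying a relative id (+N).
    Absolute ids are skipped: hping3 falls back to them after a missed reply."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group(1).startswith("+"):
            out.append((int(m.group(2)), int(m.group(1))))
    return out


def baseline(deltas):
    """The most common delta is the zombie's idle rate. For a truly quiet zombie it
    is 1: the only packet it sends per probe is its own SYN/ACK reply to the prober."""
    return Counter(d for _, d in deltas).most_common(1)[0][0]


def assess(text):
    """Label each reply relative to the baseline and decide whether the zombie's
    IP ID counter is usable as a side channel at all. Returns (baseline, quiet, labels)."""
    deltas = parse_deltas(text)
    base = baseline(deltas)
    labels = {}
    for seq, d in deltas:
        if d == base:
            labels[seq] = "idle"       # nothing sent beyond the reply to the prober
        elif d == base + 1:
            labels[seq] = "one-extra"  # exactly one extra packet, the only reading an idle scan can use
        else:
            labels[seq] = "noise"      # several extra packets: other traffic is advancing the counter
    quiet = base == 1 and all(label != "noise" for label in labels.values())
    return base, quiet, labels
```

A baseline of 2 with "open" showing as 3, as reported above, means one extra packet per interval is always present, so readings have to be judged against that baseline rather than against the textbook +1/+2; a zombie with randomized IP IDs (most current OSes) yields no stable baseline at all, which is the usual mitigation.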