Exam 312-50v12 topic 1 question 195 discussion

Ok, I saw the ceh v12 book: Consequently, the IPID is increased by 2, which implies that the port on the target machine was open." - page 317

While A and D have merits, there is no mention of the use of a Zombie system to perform the testing, one has to assume the IDLE/IPID is being sent direct (Trusted CEH). Therefore the result (Which excludes the IPID incrementation of the Zombie) is the response of a Stateful Firewall.

Stateful firewalls maintain information about the state of active connections, including the IPID sequence numbers. When Nmap sends probes to closed ports, the firewall generates ICMP error messages in response to those probes. These ICMP error messages trigger changes in the IPID sequence number, causing it to increase by 2 for each probe. This behavior is a result of the firewall's response mechanism, indicating the presence of a stateful firewall on the target network. Therefore, the correct conclusion the CEH can draw about the target network based on the observed behavior is that the target network has a stateful firewall present.

I would go with A as the documentation for Module 3, page 317 (not 217) says that. Also, reading the nmap documentation suggested A with some further insights in why it could be D

Module 3 Page 217 Send a SYN+ACK packet to the zombie, and it responds with an RST packet containing the IPID. Assuming that the port on the target was open and that the zombie has already sent an RST packet to the target, the IPID number is increased by 1. Now, the zombie responds with an RST packet to the attacker using its next IPID, i.e., 31339 (X + 2). Consequently, the IPID is increased by 2, which implies that the port on the target machine was open. Thus, using an idle scan, an attacker can identify the open ports and services on the target machine by spoofing their IP address with a zombie’s IP address.

The IDLE/IPID header scan is a technique used to identify the presence of a stateful firewall. In this scan, if the IPID number increases by 2 for each successive probe, it indicates that the system is using a stateful firewall.

An IPID increased by 2 will indicate an open port, whereas an IPID increased by 1 will indicate a closed port

D. The target network has a stateful firewall present In an IDLE/IPID header scan using Nmap, the scanning technique relies on the behavior of the IPID (IP Identification) field in IP headers. In a normal scan, the IPID field typically increments by 1 for each packet sent. However, in the presence of a stateful firewall that performs packet normalization, the IPID might increase by a different value. If the IPID number increases by 2 after performing the IDLE/IPID header scan, it suggests that the target network has a stateful firewall present. This behavior occurs because the firewall is manipulating the IPID field in a way that deviates from the normal incrementation observed in the absence of such a firewall.

A. The ports on the target network are open https://nmap.org/book/idlescan.html