If the attacker's computer sends an IPID of 31400 to the zombie computer on an open port during IDLE scanning, the response from the zombie would typically not result in any change in the IPID value on the zombie. This is because the open port scenario doesn't generate an RST response, so the IPID remains the same on the zombie computer. The attacker can then use this information to deduce that the target port is open based on the lack of a change in the IPID value.
--> The zombie will not send a response
The response is A IPID=31402
But the question is very very very badly worded!
In an Idle scan, the attacker sends a SYN/ACK to a Zombie (but we don't care about the attacker's IPID) and the Zombie replies to the attacker with its own IPID, which is interesting!
The Idle scan has 3 steps:
1) Attacker sends a SYN/ACK to the Zombie. The Zombie responds to attacker with a RST and IPID=31400.
2) Attacker forges a SYN packet to the victim spoofing the IP of the Zombie machine. The victim responds to the Zombie with SYN/ACK. The Zombie responds to the victim with a RST and IPID+1=31401.
3) Same as 1) Attacker sends a new SYN/ACK to the Zombie. The Zombie responds to the attacker with a RST with IPID+1=31402.
So if the Zombie IPID is increased by 2 the attacker can conclude that the victim's port is open.
The response is IPID=31402
I think the question is more for CEH than for CHFI
Every IP packet on the Internet has a fragment identification number (IP ID). Since many operating systems simply increment this number for each packet they send, probing for the IPID can tell an attacker how many packets have been sent since the last probe.
An increase of one indicates that the zombie hasn't sent out any packets, except for its reply to the attacker's probe. This lack of sent packets means that the port is not open (the target must have sent the zombie either a RST packet, which was ignored, or nothing at all). An increase of two indicates that the zombie sent out a packet between the two probes. This extra packet usually means that the port is open (the target presumably sent the zombie a SYN/ACK packet in response to the forged SYN, which induced a RST packet from the zombie).
upvoted 2 times
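The three-step exchange and the IPID arithmetic discussed in the comments above, as an added simulation that is not part of the thread: it models the zombie's IPID counter in Python, sends no packets, and shows why the inference only works when the zombie increments a single global counter and sends nothing else in between (the `Zombie`, `probe`, `spoofed_syn` and `classify` names are assumptions of this example).

```python
# Added simulation of the idle-scan IPID inference (constructed model, no network I/O).
from dataclasses import dataclass
import random


@dataclass
class Zombie:
    """Host whose IP ID the scanner observes. The technique relies on stacks that
    bump one global counter per packet; randomize=True models a hardened stack."""
    ipid: int = 31399           # counter value before the first probe
    randomize: bool = False
    background_packets: int = 0  # traffic the zombie sends unrelated to the scan

    def send(self) -> int:
        """Emit one packet and return the IP ID stamped on it (16-bit field wraps)."""
        if self.randomize:
            self.ipid = random.randrange(65536)
        else:
            self.ipid = (self.ipid + 1) & 0xFFFF
        return self.ipid


def probe(z: Zombie) -> int:
    # Steps 1 and 3: SYN/ACK to the zombie, which answers with a RST carrying its IP ID.
    return z.send()


def spoofed_syn(z: Zombie, target_port_open: bool) -> None:
    # Step 2: the target receives a SYN "from" the zombie. An open port answers
    # SYN/ACK, which makes the zombie send a RST (+1); a closed port answers RST,
    # which the zombie silently ignores (no packet, no increment).
    for _ in range(z.background_packets):
        z.send()                 # a busy zombie pollutes the counter
    if target_port_open:
        z.send()


def classify(ipid_before: int, ipid_after: int) -> str:
    """Infer the target port state from two observed zombie IP IDs."""
    delta = (ipid_after - ipid_before) & 0xFFFF  # handles wraparound at 65535
    if delta == 1:
        return "closed|filtered"
    if delta == 2:
        return "open"
    return "unreliable"          # busy zombie or randomised IP IDs


def idle_scan(z: Zombie, target_port_open: bool) -> tuple[int, int, str]:
    before = probe(z)
    spoofed_syn(z, target_port_open)
    after = probe(z)
    return before, after, classify(before, after)
```

With the default counter the open-port run reproduces the thread's numbers (31400 observed first, 31402 second); a zombie sending any other traffic between the probes, or one with randomised IP IDs, yields a delta the scanner cannot trust.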
Community vote distribution: A (35%), C (25%), B (20%), Other