If an attacker's computer sends an IPID of 31400 to a zombie computer on an open port in idle scanning, the response from the zombie will have an IPID of 31402 if the port on the target is open.
Scenario Breakdown
Initial State:
The attacker knows the zombie's current IPID value (31400 in this case) and sends a spoofed SYN packet to the target, pretending it came from the zombie's IP address.
Case: Target Port is Open
The target receives the spoofed SYN packet (with the zombie's IP as the source) and responds with a SYN/ACK to the zombie.
The zombie, which did not actually initiate the connection, responds with a RST (Reset) to the target because it does not recognize the connection.
This causes the zombie's IPID to increment by 2:
One increment for responding to the attacker’s initial probe.
Another increment for sending the RST packet to the target.
So, if the initial IPID was 31400, the new IPID becomes 31402.
If the attacker's computer sends an IPID of 31400 to the zombie computer on an open port during IDLE scanning, the response from the zombie would typically not result in any change in the IPID value on the zombie. This is because the open port scenario doesn't generate an RST response, so the IPID remains the same on the zombie computer. The attacker can then use this information to deduce that the target port is open based on the lack of a change in the IPID value.
--> The zombie will not send a response
The response is A IPID=31402
But the question is very very very badly worded!
In an Idle scan, the attacker sends a SYN/ACK to a Zombie (but we don't care about the attacker's IPID) and the Zombie replies to the attacker with its own IPID, which is interesting!
The Idle scan has 3 steps:
1) Attacker sends a SYN/ACK to the Zombie. The Zombie responds to attacker with a RST and IPID=31400.
2) Attacker forges a SYN packet to the victim spoofing the IP of the Zombie machine. The victim responds to the Zombie with SYN/ACK. The Zombie responds to the victim with a RST and IPID+1=31401.
3) Same as 1) Attacker sends a new SYN/ACK to the Zombie. The Zombie responds to the attacker with a RST with IPID+1=31402.
So if the Zombie IPID is increased by 2 the attacker can conclude that the victim's port is open.
The response is IPID=31402
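As an added illustration (not part of any comment above), here are the three steps of the post modelled in Python without sending any packets; the `Zombie`, `Target` and `idle_probe` names are invented for this example. It also runs the closed and filtered cases, which the post does not spell out, to show why those two give the same result (an increase of 1).

```python
# Added example (not from the discussion above): a pure-Python model of the
# idle-scan IPID arithmetic. No packets are sent; it only reproduces the
# bookkeeping that makes 31400 -> 31402 mean "open" and 31400 -> 31401 mean
# "closed or filtered". Class and function names are made up for this example.
from dataclasses import dataclass, field

@dataclass
class Zombie:
    """Host whose IP stack uses a single global, incrementing IP ID counter."""
    ipid: int = 31400
    sent: list = field(default_factory=list)

    def send(self, to, kind):
        # Every packet the zombie emits consumes one IP ID value.
        pkt = (to, kind, self.ipid)
        self.sent.append(pkt)
        self.ipid += 1
        return pkt

    def receive(self, frm, kind):
        # Unsolicited SYN/ACK -> RST (ID increments); unsolicited RST -> ignored.
        if kind == "SYN/ACK":
            return self.send(frm, "RST")
        return None

@dataclass
class Target:
    state: str  # "open", "closed" or "filtered"

    def receive(self, zombie, frm, kind):
        # A SYN spoofed from the zombie is answered to the zombie, not the attacker.
        if kind != "SYN":
            return None
        if self.state == "open":
            return zombie.receive("target", "SYN/ACK")
        if self.state == "closed":
            return zombie.receive("target", "RST")
        return None  # filtered: no reply at all

def idle_probe(zombie, target):
    """Run the three steps from the post and return (first_id, second_id, verdict)."""
    first = zombie.receive("attacker", "SYN/ACK")[2]    # step 1: probe the zombie
    target.receive(zombie, "zombie", "SYN")             # step 2: spoofed SYN
    second = zombie.receive("attacker", "SYN/ACK")[2]   # step 3: probe again
    delta = second - first
    verdict = "open" if delta == 2 else "closed|filtered" if delta == 1 else "unreliable"
    return first, second, verdict
```

The whole inference rests on the zombie handing out IP IDs from one global counter; a host that randomizes or keeps per-destination IP IDs (the default on current Linux kernels) yields an "unreliable" delta and cannot be used this way.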
I think the question is more for CEH than for CHFI
Every IP packet on the Internet has a fragment identification number (IP ID). Since many operating systems simply increment this number for each packet they send, probing for the IPID can tell an attacker how many packets have been sent since the last probe.
An increase of one indicates that the zombie hasn't sent out any packets, except for its reply to the attacker's probe. This lack of sent packets means that the port is not open (the target must have sent the zombie either a RST packet, which was ignored, or nothing at all). An increase of two indicates that the zombie sent out a packet between the two probes. This extra packet usually means that the port is open (the target presumably sent the zombie a SYN/ACK packet in response to the forged SYN, which induced a RST packet from the zombie).