Wednesday, 29 May 2013
Nmap & Metasploit - Finding a Zombie
Many may not realize this, but Nmap can use another machine as a 'zombie' (well, not literally) and bounce a scan to other machines off it. This is another way to use the trust placed in another computer: 'take over' it and scan the other host through it. Besides, this is way more challenging than using the -D (decoy) switch.
Well, first, it's not easy to find a potential zombie using Nmap alone (if anyone has any idea, do share), so we are going to use Metasploit to find potential zombie machines.
Open your terminal and type in
Once loaded, type
msf > use auxiliary/scanner/ip/ipidseq
If you wanna see the available options, enter the following:
msf auxiliary(ipidseq) > show options
Then let's put in the IP range for the module to scan for potential zombies:
msf auxiliary(ipidseq) > set RHOSTS 192.168.71.150-192.168.71.153
msf auxiliary(ipidseq) > set THREADS 50
msf auxiliary(ipidseq) > run
Once it has run, the results are shown, and if you see an IP with the remark 'Incremental!' it means you have a potential zombie!
So once a potential zombie is found, fire up Nmap and run the scan:
#nmap -PN -sI <zombie IP> <victim IP>
Basically, this scan probes the target machine through the zombie machine, which in effect acts like a proxy: the probes are seen as coming from the zombie's address, not yours.
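To make the 'Incremental!' result concrete, here is an added example (not the page's code and not Metasploit's ipidseq implementation) that classifies a sequence of IP ID values into the kinds of labels the module reports; the thresholds, label strings and sample sequences are this example's own assumptions. Run it over IP IDs observed in replies from your own hosts to learn which of them could be abused as a zombie and should be patched or isolated.

```python
# Simplified IP ID sequence classifier (example code; thresholds and labels are
# assumptions mirroring the categories reported by Metasploit's ipidseq module).
from typing import List

INCREMENTAL = "Incremental!"
LE_INCREMENTAL = "Broken little-endian incremental!"
RANDOM = "Randomized"
ZERO = "All zeros"
CONSTANT = "Constant"

def _deltas(ids: List[int]) -> List[int]:
    # The IP ID field is 16 bits wide, so a counter wraps at 65536.
    return [(b - a) % 65536 for a, b in zip(ids, ids[1:])]

def classify_ipid(ids: List[int]) -> str:
    """Classify the IP IDs seen in consecutive replies from one host."""
    if len(ids) < 3:
        raise ValueError("need at least three samples")
    if all(i == 0 for i in ids):
        return ZERO
    d = _deltas(ids)
    if all(x == 0 for x in d):
        return CONSTANT
    # Small positive steps: one global counter that every packet the host
    # sends advances, which is exactly what an idle scan relies on.
    if all(0 < x <= 10 for x in d):
        return INCREMENTAL
    # Steps of 256: the same counter, but stored byte-swapped (little-endian).
    swapped = _deltas([((i & 0xFF) << 8) | (i >> 8) for i in ids])
    if all(0 < x <= 10 for x in swapped):
        return LE_INCREMENTAL
    return RANDOM

def usable_as_zombie(ids: List[int]) -> bool:
    """A host is a viable idle-scan zombie only if its IP ID is predictable."""
    return classify_ipid(ids) in (INCREMENTAL, LE_INCREMENTAL)

# Constructed sample observations (not captured from real hosts).
SAMPLES = {
    "printer": [4120, 4121, 4122, 4123, 4124],        # global counter
    "old_box": [0x0A10, 0x0B10, 0x0C10, 0x0D10],      # byte-swapped counter
    "linux_host": [0, 0, 0, 0],                       # IP ID always zero
    "modern_os": [53102, 1187, 40033, 9821],          # per-packet random
}

if __name__ == "__main__":
    for name, ids in SAMPLES.items():
        print(f"{name:11s} {classify_ipid(ids):34s} zombie={usable_as_zombie(ids)}")
```

Only hosts reported as incremental (plain or little-endian) are of interest; those are the ones worth upgrading, since modern kernels randomize or zero the IP ID and cannot be used this way.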
In what situation can we apply this?
Let's say you are on the same network and you can't scan a server, but the person beside you can because he is 'trusted' or has been given special privileges. So the only way is to use his machine as the zombie and scan the server through it instead. From the server's network side, they will see it as valid traffic NOT from the 'attacker' but from the trusted zombie itself. :)