In the context of idle scans, which statement best describes how it achieves stealth?

Unlock all questions

This demo includes only 20 questions. Upgrade to access hundreds of questions, flashcards, exam simulations, and disable ads.

Full question bankExam simulationsFlashcards
From $25.99Unlock all

Prepare for the Nmap and ZenMap Tests. Access flashcards and multiple choice questions, with hints and explanations for each question. Ensure success in your exam!

Multiple Choice

In the context of idle scans, which statement best describes how it achieves stealth?

Explanation:
Idle scans achieve stealth by masking the true origin of the probes and using a side channel to learn the result. A zombie host with a predictable IPID sequence is used, and the scanner sends crafted packets to the target with the zombie’s IP as the source. The target’s replies, if any, go to the zombie, not to the scanner. By watching how the zombie’s IPID changes in response to those probes, the scanner can infer whether the target generated a response for a given port. If the IPID increments in a way that matches a response from the target, the port is considered open; if not, it’s closed. This keeps the attack mostly hidden because the traffic appears to come from the zombie rather than the scanning machine, leveraging the IPID correlation as the telltale signal. The other ideas—scanning many ports quickly, adding random delays, or claiming no privileges—do not capture this spoofed-source, IPID-based stealth mechanism.

Idle scans achieve stealth by masking the true origin of the probes and using a side channel to learn the result. A zombie host with a predictable IPID sequence is used, and the scanner sends crafted packets to the target with the zombie’s IP as the source. The target’s replies, if any, go to the zombie, not to the scanner. By watching how the zombie’s IPID changes in response to those probes, the scanner can infer whether the target generated a response for a given port. If the IPID increments in a way that matches a response from the target, the port is considered open; if not, it’s closed. This keeps the attack mostly hidden because the traffic appears to come from the zombie rather than the scanning machine, leveraging the IPID correlation as the telltale signal. The other ideas—scanning many ports quickly, adding random delays, or claiming no privileges—do not capture this spoofed-source, IPID-based stealth mechanism.

More Multiple Choice Questions
Subscribe

Get the latest from Passetra

You can unsubscribe at any time. Read our privacy policy