Nmap IDLE IPID Scan

Mar 19, 2025 | Hacking Topics

Nmap Idle IPID (IP Identification) Scan.

If you’re diving into cybersecurity and curious about stealthy scanning techniques, you’re in for a good one. In this post, we’re going to walk through the Nmap Idle Scan — what it is and how it works.

We’ll keep things simple, clear, and useful. Whether you’re learning for a class, a certification, or just out of interest, you’ll walk away understanding not just how, but why it works.

By the end of this blog, you’ll:

      • Understand what an NMAP Idle Scan is and why it’s used
      • Know what IPID is and why we care about it
      • Understand how IPID works in idle scans
      • Be able to follow the full scan process, step by step
      • Have answers to common FAQs

What is an NMAP IDLE SCAN?

Idle scanning is a stealthy port scanning technique where the attacker does not directly communicate with the target.

Instead, a third machine, called a zombie, is used to send packets to the target. The attacker observes the IPID (IP Identification) values in the zombie’s responses to deduce whether a port on the target is open or closed.

In case you are wondering why it is called “Idle”:

Because it uses a host that is “idle” or not actively generating traffic — making its IPID values predictable.

What’s IPID and Why Do We Care?

The IPID (IP Identification field) is like a counter inside network packets that helps keep track of them.

Some systems increase their IPID by one every time they send a packet. That’s great for us. Why?

Because if we watch how the zombie’s IPID changes after we do something, we can figure out if it responded to the target, even though we’re never talking to the target directly.

How Does IPID Work in Idle Scans?

  • Each time a system sends an IP packet, it assigns it an IP Identification (IPID) value. If a system increments its IPIDs sequentially, it can be used as a zombie for idle scans.

Now let’s see how it works:

Step 1: Attacker Sends a SYN/ACK packet to the zombie and observes the current IPID

The attacker sends a SYN/ACK packet to the zombie, not only to capture its current IPID value but also to verify the following:

  • Whether the zombie’s firewall (if present) is blocking unexpected or unsolicited packets.
  • That the zombie is truly idle and not engaged in other network communications that might interfere with the scan.
  • That the zombie responds consistently with a Reset (RST) packet, which includes the current IPID value needed for the analysis.
  • For example, let’s say the zombie’s current IPID value is 100.

NMAP IDLE SCAN Initial Ping

Step 2: The Attacker Sends a Spoofed SYN Packet to the Target

  • In this step, the attacker sends a SYN packet to the target, but fakes the source IP address to make it look like it came from the zombie (instead of the attacker).
  • This trick makes the target think that the zombie is trying to start a connection, not the attacker. As a result, the target will send its response (either SYN/ACK or RST) to the zombie, not the attacker.
  • This is a clever way for the attacker to stay hidden, while still observing how the target reacts — indirectly — through the zombie.

NMAP IDLE SCAN Results

The image above shows the steps involved in the NMAP IDLE SCAN when the target port is open. The zombie’s IPID is incremented when it receives the target’s SYN/ACK and responds to it with an RST.

NMAP IDLE SCAN Results when Ports are closed on the target machine

The image above shows the steps involved in the NMAP IDLE SCAN when the target port is closed. In this case the target answers the zombie with an RST, which the zombie ignores, so the zombie’s IPID is not incremented by this exchange (see Step 3).

Step 3: Attacker Sends Another SYN/ACK to the Zombie to Check IPID Again

After sending a spoofed SYN packet to the target (pretending to be from the zombie), the attacker now sends a second SYN/ACK to the zombie to check whether its IPID has changed.

This helps the attacker figure out whether the target responded to the zombie:

      • If the IPID increased by 2
          • The zombie sent two packets: one RST back to the attacker’s probe and one RST in response to the target’s unsolicited SYN/ACK.
          • So the target must have replied SYN/ACK to the spoofed packet, which happens only if the port is open.
      • If the IPID increased by 1 or didn’t change
          • The zombie only sent a single RST, to the attacker’s probe; nothing from the target caused it to send another packet.
          • This tells the attacker that the target port is closed — it did not respond to the spoofed packet with a SYN/ACK.

NMAP IDLE SCAN Results when Ports are open and when they are closed
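As an added example (not code from the original post), the following Python simulates the three-step IPID inference described above and shows why the “truly idle” requirement from Step 1 matters from a defender’s side: a zombie that sends traffic of its own makes a closed port look open, and a stack that randomizes its IPID field gives no usable signal at all. All hosts, ports and IPID values are constructed for the demo.

```python
import random

# Added example (not from the original post): simulates the three-step IPID
# inference above and the two conditions that defeat it: a non-idle zombie and
# a randomized IPID field. Hosts, ports and IPID values are constructed.

class Host:
    """Minimal IP stack model. ipid_mode is 'sequential' (classic zombie)
    or 'random' (the per-packet randomization modern stacks use)."""
    def __init__(self, name, ipid_mode="sequential", start_ipid=100):
        self.name, self.ipid_mode = name, ipid_mode
        self._ipid = start_ipid          # constructed, as in the post's example
        self._rng = random.Random()

    def next_ipid(self):
        """IPID placed on the next packet this host emits."""
        if self.ipid_mode == "random":
            return self._rng.randrange(65536)
        self._ipid = (self._ipid + 1) & 0xFFFF
        return self._ipid

def zombie_reply(zombie, flags):
    """An idle stack answers an unsolicited SYN/ACK with RST (consuming one
    IPID) and silently drops an unsolicited RST (no IPID consumed)."""
    return ("RST", zombie.next_ipid()) if flags == "SYN/ACK" else None

def target_reply(port, open_ports):
    """Target's answer to a SYN: SYN/ACK if listening, RST otherwise."""
    return "SYN/ACK" if port in open_ports else "RST"

def idle_probe(zombie, port, open_ports, background_packets=0):
    """Run Steps 1-3 from the post and classify the port from the IPID delta.
    background_packets models traffic the zombie sends on its own."""
    _, ipid_before = zombie_reply(zombie, "SYN/ACK")          # Step 1
    zombie_reply(zombie, target_reply(port, open_ports))       # Step 2
    for _ in range(background_packets):                        # non-idle noise
        zombie.next_ipid()
    _, ipid_after = zombie_reply(zombie, "SYN/ACK")            # Step 3
    delta = (ipid_after - ipid_before) & 0xFFFF
    if delta == 2:
        return "open"
    if delta <= 1:
        return "closed"
    return "inconclusive"    # zombie unusable: noisy or randomized IPID

if __name__ == "__main__":
    print(idle_probe(Host("zombie"), 80, {80}))                        # open
    print(idle_probe(Host("zombie"), 22, {80}))                        # closed
    print(idle_probe(Host("zombie"), 22, {80}, background_packets=1))  # false 'open'
    print(idle_probe(Host("zombie", "random"), 80, {80}))              # inconclusive
```

The third call shows the false positive a non-idle zombie produces, and the fourth shows that IPID randomization on the would-be zombie is the mitigation that removes the signal entirely.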

Reach out to us anytime with any doubts or queries.
