Which scan uses the IDLE/IPID Header Scan technique?

Multiple Choice

Which scan uses the IDLE/IPID Header Scan technique?

Explanation:

Idle/IPID header scanning rests on a side channel in IPv4: the IP identification (IPID) field. The attacker picks a "zombie" host whose IPID sequence is predictable (for example, one that increments by one for every packet it sends) and sends probes to the target with the source address spoofed as the zombie's. Any reply from the target therefore goes to the zombie, and the zombie's own reaction to that unexpected traffic advances its IPID counter. By watching how much the zombie's IPID has moved between probe cycles, the attacker can infer whether the target port answered as open or closed, even though the target only ever saw traffic from the zombie's address. This use of the IPID field allows a stealthy assessment of port state without direct probes from the attacker.

When this technique is used with SCTP, the scan leverages SCTP's handshake traffic (for example, INIT exchanges): the target's answer to the spoofed INIT reaches the zombie, and the zombie's reaction shows up in its IPID behavior, which lets the attacker map SCTP ports behind filters that might block normal probes. That makes SCTP the scenario where this specific IDLE/IPID header scan approach is applied.

The other options describe different scanning approaches: an Xmas-style TCP scan uses unusual flag combinations to provoke responses, and an INIT scan probes SCTP's INIT handshake directly rather than through a third host. Only the IDLE/IPID header scan explicitly uses the IPID side channel, which is why it is tied to SCTP in this context.
