Zombie scan a system!

Metasploit Linux TCP Idle Scan nmap


In penetration testing, scanning for open ports and vulnerabilities is crucial for exploiting weaknesses. However, a direct approach isn’t always feasible, especially in covert operations, because every probe we send carries our own source address. This is where Zombie (idle) scans are useful. By finding a host on the network that is idle and assigns its IP IDs incrementally, and then spoofing its address, we can have nmap scan the target so that the target only ever sees packets from the Zombie’s IP, maintaining stealth. Utilizing Metasploit to find the Zombie simplifies this process.


To demonstrate this scan, I’m using VirtualBox, a virtual machine platform where I’ve created a network of isolated, vulnerable systems. Think of VirtualBox as a computer within your computer, allowing you to install operating systems without needing multiple physical machines. For those unfamiliar with setting up a “hacking lab”, check out my tutorial here: https://mad-twash.com/lets-create-a-hacking-lab/. For a more detailed tutorial, I recommend this free resource: Network Chuck’s tutorial. It’s a concise video on building a home lab. Be wary of unnecessary purchases, though, like VPN services, which are often not needed. Ol’ Chuck will try to sell you the shirt off your own back!


I’ll be using Kali Linux for this demonstration, as it comes with Metasploit preinstalled. The first step is to find a suitable zombie to spoof. As mentioned, it must assign IP IDs incrementally and be idle (sending no traffic of its own while we scan), which is likely why it’s termed a ‘zombie’. To open a terminal, press Ctrl + Alt + T.

Once you have your terminal open, type msfconsole. This will start Metasploit!

We select the scanner we want by typing use auxiliary/scanner/ip/ipidseq into the console and hitting enter.

use command auxiliary/scanner/ip/ipidseq

The part in red tells us that the module loaded and is ready to take commands! Use the show command to see all the options this “MODULE” has available. Type show options and hit enter.

use the show command to find options for metasploit.

The screenshot above shows the handful of settings this scanner needs, which are easy to configure. This simplicity is one of the reasons Metasploit is a vital tool for hackers of all skill levels and ethical backgrounds.

The critical step is setting the RHOSTS option to the range of the network we want to search for Zombies, since this scan is what identifies idle systems with incremental IP IDs. To find your local IP address and netmask, type ‘ifconfig’ into the console. As shown in the provided image, my local IP address is 10.0.2.15.

use ifconfig to find your network ID

Notice that my netmask is 255.255.255.0. This indicates that the first three groups of numbers (octets) in my IP address represent the network segment. Therefore, my network ID is 10.0.2. Understanding this is crucial for scanning computers on the same network: machines locally connected to ours will have IP addresses beginning with 10.0.2. Your IP might differ, perhaps starting with 192.168.1, but the exact number isn’t as critical as knowing the network ID. We aim to scan every host address on our network, 10.0.2.1 through 10.0.2.254. Fortunately, we don’t need to list that range by hand: Metasploit understands CIDR notation, where /24 means the first 24 bits (three octets) are the network part, so 10.0.2.0/24 expands to all 256 addresses in that block. Enter ‘set RHOSTS 10.0.2.0/24’ in the console. If your IP started with 192.168.1, you’d use ‘set RHOSTS 192.168.1.0/24’, and so on.

set the RHOSTS

We could continue to use the set command to fill in the rest of the options, but here it’s just not necessary; the defaults work. Let’s just get on with it and run this jewel. Type run into the console and hit enter.

If you see the above error message, you will have to exit the console and run msfconsole with root privileges, because this module captures and crafts raw packets, which a normal user is not allowed to do. For example, type sudo msfconsole.

After restarting msfconsole with root privileges, you will have to enter the above commands again (use the module, then set RHOSTS). Once that is done, you are ready to run the scan. You should get output similar to the screenshot below.

Ipidseq run command


The output shows that both 10.0.2.1 and 10.0.2.2 have incremental IP IDs, making them suitable for our purposes. We could use either as our Zombie machine. However, 10.0.2.5 is actually Metasploitable2, our target machine, so we’re limited to using the first two IPs as Zombies. Two caveats: the scanner only checks the IP ID pattern, not how busy the host is, so a candidate that handles other traffic (a gateway or a busy server) will see its counter jump between nmap’s probes and give unreliable results; and many modern operating systems randomize their IP IDs or set them to zero, so expect few candidates outside a lab. Remember, if your command doesn’t complete, you can press Ctrl+C to terminate it.
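To make the “Incremental!” verdict in that output less magical, here is an added example (my own simplified model, not the ipidseq module’s source) that takes a list of IP ID values sampled from one host and labels it the way ipidseq and nmap do. The thresholds (10, 256, 20000) and the sample values under LAB_SAMPLES are assumptions constructed to look like the lab above; they are not real captures.

```python
# Classifying IP ID samples the way Metasploit's ipidseq and nmap label them.
# Added example: a simplified model of those rules, not the module's code.
# The thresholds (10, 256, 20000) are assumptions chosen for illustration.

def classify_ipids(samples):
    """Return the ipidseq-style label for a list of IP ID values sampled
    from one host, in the order the replies arrived."""
    if len(samples) < 3:
        return "Unknown"
    if all(s == 0 for s in samples):
        return "All zeros"
    # IP IDs are 16-bit, so take differences modulo 65536 to handle wrap-around.
    diffs = [(b - a) & 0xFFFF for a, b in zip(samples, samples[1:])]
    if all(d == 0 for d in diffs):
        return "Constant"
    # A backwards step (which wraps to a large value) or a huge jump means
    # the counter is not a simple increment: random IP IDs.
    if any(d > 20000 for d in diffs):
        return "Randomized"
    # Hosts that store the ID in the wrong byte order look like they add 256
    # per packet; nmap can still use them by swapping the bytes.
    if all(d % 256 == 0 and d // 256 <= 10 for d in diffs):
        return "Broken little-endian incremental!"
    if all(d <= 10 for d in diffs):
        return "Incremental!"
    return "Random positive increments"

USABLE = ("Incremental!", "Broken little-endian incremental!")

def pick_zombies(host_samples):
    """Given {ip: [ipid samples]}, return the hosts whose IP ID behaviour
    makes them candidate zombies, in address order."""
    candidates = (ip for ip, s in host_samples.items() if classify_ipids(s) in USABLE)
    return sorted(candidates, key=lambda ip: tuple(int(o) for o in ip.split(".")))

# Constructed samples (not real captures) shaped like the article's lab:
# the two candidates count up by one, the Metasploitable2 box does not.
LAB_SAMPLES = {
    "10.0.2.5": [38241, 6023, 51907, 12860, 44122],
    "10.0.2.2": [4401, 4402, 4403, 4404, 4405],
    "10.0.2.1": [65533, 65534, 65535, 0, 1],
}

if __name__ == "__main__":
    for ip, samples in sorted(LAB_SAMPLES.items()):
        print(f"{ip}: {classify_ipids(samples)}")
    print("Zombie candidates:", pick_zombies(LAB_SAMPLES))
```

The wrap-around case for 10.0.2.1 (65535 rolling over to 0) is why the differences are taken modulo 65536; without that, a perfectly good zombie whose counter happens to wrap during the probe would be thrown away.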

All that is left now is to use nmap to “command” our Zombie to scan our target. nmap also needs root for this, since it forges raw packets, so run it with sudo.

Type nmap -PN -sI <zombie_machine_ip> <target_ip> (newer nmap releases spell the first flag -Pn, but -PN is still accepted).

-PN tells nmap not to ping the target first. Shhh, we want to be quiet, remember? A ping would go out from our real IP address and give us away before the zombie scan even starts.

-sI tells nmap to perform an idle scan through the zombie: it sends SYN packets to the target with the zombie’s address as the source, then checks how far the zombie’s IP ID counter moved. A jump of two means the target answered the zombie with a SYN/ACK (port open) and the zombie replied with a RST; a jump of one means the target sent nothing or a RST (port closed or filtered). If you know a port that is open on the zombie, you can give it as <zombie_machine_ip>:<port> so the IP ID probes go to that port.

Nmap -PN -sI to zombie scan

Success! As you can see, we got our zombie to do our dirty work! If nmap reports that the zombie’s IP ID sequence is unusable, or the results jump around between runs, try the other candidate from the ipidseq output. Great job!
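To show why the IP ID difference of two versus one lets nmap tell open ports from closed ones without the target ever seeing our address, here is an added example that simulates the three-step exchange behind -sI with toy host objects. It is my own illustration, not nmap’s code: the “network” is direct method calls, the addresses are the lab ones from the article, and the open and filtered ports on the target are made up. Real nmap sends several probes per port and applies statistics; this model also shows what goes wrong when the zombie is not actually idle.

```python
# Simulating the idle scan that nmap -sI performs, one port at a time.
# Added example, not nmap's code. Hosts are toy objects; the open/filtered
# ports and the starting IP ID are constructed for illustration.

ATTACKER_IP = "10.0.2.15"   # our real address, never seen by the target

class Zombie:
    """An idle host whose IP ID is one global counter, incremented per packet sent."""
    def __init__(self, ip, start_ipid=1000):
        self.ip = ip
        self.ipid = start_ipid

    def emit(self):
        self.ipid = (self.ipid + 1) & 0xFFFF   # 16-bit field wraps
        return self.ipid

    def receive(self, pkt):
        # An unsolicited SYN/ACK gets a RST (one packet sent); an unsolicited
        # RST is silently dropped (no packet, so the counter does not move).
        if pkt["flags"] == "SA":
            return {"src": self.ip, "dst": pkt["src"], "flags": "R", "ipid": self.emit()}
        return None

class Target:
    """The scanned host: SYN/ACK on open ports, RST/ACK on closed ones,
    nothing at all on ports a firewall filters."""
    def __init__(self, ip, open_ports, filtered_ports=()):
        self.ip = ip
        self.open_ports = set(open_ports)
        self.filtered_ports = set(filtered_ports)

    def receive(self, pkt):
        if pkt["flags"] != "S" or pkt["dport"] in self.filtered_ports:
            return None
        flags = "SA" if pkt["dport"] in self.open_ports else "RA"
        return {"src": self.ip, "dst": pkt["src"], "flags": flags, "sport": pkt["dport"]}

def probe_ipid(zombie):
    """Steps 1 and 3: send the zombie a SYN/ACK from our real IP and read
    the IP ID off the RST it answers with."""
    rst = zombie.receive({"src": ATTACKER_IP, "dst": zombie.ip, "flags": "SA"})
    return rst["ipid"]

def idle_scan_port(zombie, target, port, background_packets=0):
    """Infer one port's state from how far the zombie's IP ID moved.
    background_packets simulates unrelated traffic the zombie sends while
    we wait, i.e. a zombie that is not really idle."""
    before = probe_ipid(zombie)
    # Step 2: a SYN to the target whose source address is forged to the zombie's.
    reply = target.receive({"src": zombie.ip, "dst": target.ip, "flags": "S", "dport": port})
    if reply is not None:
        zombie.receive(reply)          # SYN/ACK -> zombie RSTs (+1); RST/ACK -> ignored
    for _ in range(background_packets):
        zombie.emit()                  # noise from a busy zombie
    after = probe_ipid(zombie)
    delta = (after - before) & 0xFFFF
    if delta == 2:
        return "open"
    if delta == 1:
        return "closed|filtered"
    return "unreliable"               # counter moved for reasons we did not cause

def idle_scan(zombie, target, ports, background_packets=0):
    """Scan several ports through the zombie; returns {port: state}."""
    return {p: idle_scan_port(zombie, target, p, background_packets) for p in ports}

if __name__ == "__main__":
    zombie = Zombie("10.0.2.2")
    target = Target("10.0.2.5", open_ports={21, 22, 80}, filtered_ports={445})
    for port, state in idle_scan(zombie, target, [21, 22, 23, 80, 445]).items():
        print(f"{port}/tcp {state}")
```

Note that the attacker only ever talks to the zombie directly; the one packet that reaches the target carries the zombie’s source address, which is the whole point of the technique. The background_packets parameter reproduces the failure mode from the caveat above: a gateway or busy server as zombie yields deltas other than one or two, and the port state cannot be inferred.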

Mad-Twash