Exam 312-50v13 topic 1 question 195 discussion

The Certified Ethical Hacker (CEH) can conclude that the target network is likely using a stateful firewall. An IDLE scan, where the IPID number increases by 2, suggests that a stateful firewall is intercepting and inspecting network traffic, causing the IPID increment. This is because the firewall, as a stateful device, tracks the flow of network packets and increments the IPID accordingly

An IDLE/IPID header scan is a stealthy port scanning technique that exploits predictable IP identification (IPID) values from a zombie host to infer open ports on a target system without directly interacting with the target. How an IDLE Scan Works: The attacker finds a zombie host (a machine with predictable IPID values). The attacker sends a SYN packet to the target spoofed as coming from the zombie. The target responds: If the port is open, the target replies to the zombie with a SYN/ACK. Since the zombie was unaware of the connection, it sends an RST response, increasing its IPID value by 2. If the port is closed, the target replies with an RST, which does not cause the zombie's IPID value to increment by 2. Since the IPID increased by 2, this means the target responded with a SYN/ACK, causing the zombie to send an RST—indicating that the port is open.

an IPID increase of two indicates that a zombie host sent a packet between two probes. This usually means that the port is open.

The IDLE scan in Nmap reveals that the IPID number increases by 2, which indicates that the target network is likely protected by a stateful firewall. This type of firewall tracks connection states and influences how the IPID field is modified, providing clues about the network's configuration.

IPID+2 mean target port is opened