Exam 312-49 topic 1 question 140 discussion

It should be B. Open port should be IPID +2 and close port should be IPID +1.

This is an unclear trick question. What will be respond? There are two responds. The zombie to the attacker and the zombie to the target. According to https://nmap.org/book/idlescan.html for the open port, if we are mentioning about the respond from zombie to the target machine at step 2: the Zombie will send the RST and increase the IPID by 1 (IPID = 31400+1 = 31401). So D is the correct answer. However If we are talking about the respond from the Zombie to the attacker's machine after receiving the SYN/ACK from attacker's machine at step 3, the Zombie will send the RST to attacker's machine and increase the IPID by 1 since step 2 (IPID = 31401 + 1 = 31402) so in this case B is the correct answer). The problem is the question was so vague.

https://www.icterra.com/what-is-idle-scan/

Should be B if you are IDLE testing an open port. But EC is gifting us with another delicatessen. Lets see... When you are performing an IDLE Scan, you send a SYNACK to the zombie. That packet contains your IPID (31400). Zombie will answer you with RST, and its own IPID (randomly generated) So, it does not matter what IPID you send, cause zombie will answer its own IPID... If is sending a RST... But... What if you are sending another packet to the zombie? Please, note that questing says something about an IDLE scan, but does not say anything about the kind of packet you sent to the zombie. Why not, an HTTP SYN request? Lets suppose this last case... That case, you will send a SYN, IPID 31400, and zombie will answer SYNACK, 31401 and send its own IPID sequence, randomly generated. So, thats why the answer is, IPID+1. Ta-daaaaaaa!!! :D My best guess about, lol

B https://nmap.org/book/idlescan.html