Idle scan, or zombie scan as it is sometimes called, is the newest and stealthiest TCP scanning technique supported by the well-known Nmap. What makes it interesting is that an attacker can use it to scan a target and have the scan blamed on an innocent zombie machine.
Before explaining how this is done, let me start with a brief explanation of the three-way handshake used to start a TCP connection between any two computers.
TCP Three-Way Handshake
Figure 1 illustrates how it works. Computer A sends a SYN asking computer B to establish a connection on port 80. If the port is open, B acknowledges the SYN (ACK) and sends a SYN of its own in return. The third and final step is A acknowledging that it received B's SYN.
If port 80 is closed, B responds with a RST instead.
Before proceeding to the next illustration, refresh your memory with the following list of TCP communication flags:
- Synchronize (SYN): initiates a connection between hosts.
- Acknowledgment (ACK): confirms receipt of a segment; used to establish the connection between hosts.
- Push (PSH): asks the receiving system to pass buffered data to the application immediately.
- Urgent (URG): marks data in the packet that should be processed as soon as possible.
- Finish (FIN): tells the remote system that the sender has no more data to transmit.
- Reset (RST): resets (aborts) a connection.

Figure 1: TCP Three-Way Handshake
Port scanning checks which ports are open by sending packets directly between two computers and examining the replies. In a SYN stealth scan (also known as a half-open scan), for example, computer A sends a SYN to B. If the port on computer B is open, the reply is SYN+ACK, following the three-way handshake rules. If B responds with a RST instead, the port is closed or not listening.
A SYN stealth scan, like other scan types, exposes the scanner's IP address to the targeted computer. Idle scan is used to overcome that.
How Idle Scan works
Every IP packet on the internet carries a fragment identification number (IP ID), which the operating system usually increments by one for every packet it transmits. Hence, if we record a computer's IP ID at two points in time, we can compute how many packets it sent in between.
Now assume that computer A wants to scan computer B, using computer C as a zombie.
- A first probes C; from C's response, A learns that C's current IP ID is 1445.
- A sends a SYN to one of B's ports asking for a connection, with the source address spoofed to C's IP address.
- B responds to the apparent source, C: with a SYN+ACK if the port is open, or with a RST or nothing at all if the port is closed.
- A probes C once more to read its IP ID again.
- If the IP ID is now 1447 (increased by two since the first probe), the port is open: B sent a SYN/ACK to C, and C, which never asked for that connection, answered it with a RST carrying IP ID 1446.
- If the IP ID is 1446 (increased by one since the first probe), the port is closed: B sent C a RST or nothing at all, so C had nothing to reply to.
You must have noticed that, to collect reliable data, computer C must not communicate with any other devices while the scan is running; otherwise its IP ID increases regardless of what B sent. This is why the zombie must be chosen carefully to be idle, hence the name of the scan.
Also, as you will have noticed, the scan was performed by sending packets with a spoofed source IP to the target. Hence the spoofed address, not yours, is blamed for the scan!
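To make the IP ID arithmetic above concrete, here is a small simulation (added here as an example; it is not Nmap's code and sends no packets). A Zombie object models C's sequential IP ID counter, a Target object models B replying to the spoofed source, and idle_probe() applies the +1/+2 rule from the list above. The starting counter value, the port numbers and the background_packets parameter are constructed for the example; the last one shows why a busy zombie breaks the inference.

```python
from dataclasses import dataclass


@dataclass
class Zombie:
    """Host C: a global IP ID counter that grows by one per packet sent."""
    ip_id: int = 1444  # constructed start value; first probe reply carries 1445

    def send(self) -> int:
        self.ip_id += 1          # every transmitted packet consumes one IP ID
        return self.ip_id

    def receive(self, flags: str) -> None:
        # An unsolicited SYN/ACK is answered with a RST (costs one IP ID);
        # an unsolicited RST is silently dropped (costs nothing).
        if flags == "SYN/ACK":
            self.send()


@dataclass
class Target:
    """Host B: replies go to the packet's source address, i.e. the zombie."""
    open_ports: set

    def receive_syn(self, port: int, spoofed_source: Zombie) -> None:
        spoofed_source.receive("SYN/ACK" if port in self.open_ports else "RST")


def idle_probe(zombie: Zombie, target: Target, port: int,
               background_packets: int = 0) -> tuple:
    """Return (ip_id_before, ip_id_after, verdict) for one probed port."""
    before = zombie.send()                 # A probes C and reads its IP ID
    target.receive_syn(port, zombie)       # A's spoofed SYN; B answers C
    for _ in range(background_packets):    # unrelated traffic from a non-idle C
        zombie.send()
    after = zombie.send()                  # A probes C again
    delta = after - before
    if delta == 2:
        verdict = "open"                   # C sent one RST in between
    elif delta == 1:
        verdict = "closed"                 # C sent nothing in between
    else:
        verdict = "unreliable"             # zombie was not idle (or IP IDs not sequential)
    return before, after, verdict


if __name__ == "__main__":
    print(idle_probe(Zombie(), Target({80}), 80))     # (1445, 1447, 'open')
    print(idle_probe(Zombie(), Target({80}), 22))     # (1445, 1446, 'closed')
    print(idle_probe(Zombie(), Target({80}), 80, 5))  # (1445, 1452, 'unreliable')
```

A host whose operating system randomises IP IDs, or that is never idle, yields an unusable delta, which is why such hosts cannot serve as zombies.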
In practice, the following Nmap command is an example of how to perform Idle scans:
nmap -PN -p20-25 -sI 192.168.1.152 192.168.0.131
-sI: runs an Idle scan.
-PN: is necessary for stealth; otherwise packets would be sent to the target from your real address.
-p20-25: scans ports 20 through 25.
192.168.1.152: zombie IP.
192.168.0.131: target IP.
Finally, a reminder that you should not scan any computer or network without permission. There are many known cases where using Nmap unethically led to serious legal trouble.
