Idle scanning is a blind port scan. We can scan a target without sending it a single packet from our own IP address: every probe carries the spoofed source address of another host on the network (the "zombie"), and the results are read back from that host's IP ID counter. This makes the scan stealthy from the target's point of view and lets us discover IP-based trust relationships between machines, since the target sees the probes as coming from the zombie.
To perform this type of scan we first need to locate an idle host on the network: one that generates predictable, incrementing IP IDs and sends little traffic of its own. Metasploit contains the module auxiliary/scanner/ip/ipidseq, which probes a range of addresses and reports each host's IP ID generation pattern. To discover an idle host on the net, type the following in msfconsole:
use auxiliary/scanner/ip/ipidseq
set RHOSTS 192.168.238.0/24
set THREADS 50
run
To scan the host 192.168.1.100, for example, using the zombie PC at 192.168.1.200, we use:
nmap -PN -sI 192.168.238.200 192.168.238.100
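The ipidseq step above comes down to one question per host: does it hand out IP IDs in a predictable, incrementing sequence? The same check is useful from the defender's side, to find machines on your own network that would serve as zombies. The following is an added example, not code from the original page nor from Metasploit or nmap: a standalone classifier that takes a list of 16-bit IP IDs as they arrived in consecutive replies from a host and labels the generator. The function names (classify_ipid, find_exposed) and the numeric thresholds are assumptions made for this example, and the sample sequences are constructed so that it runs offline without sending any packets.

```python
"""Classify a host's IP ID generation from sampled IP IDs.

Added example, not from Metasploit or nmap. The class names mirror the
labels those tools print, but the thresholds below are our own choices.
"""


def _deltas(ids):
    # Differences modulo 2**16, so a wrap from 65535 to 0 counts as +1.
    return [(b - a) & 0xFFFF for a, b in zip(ids, ids[1:])]


def _byteswap(value):
    # Swap the two bytes of a 16-bit value (some stacks emit the counter
    # in host byte order, which looks like jumps of 256 on the wire).
    return ((value & 0xFF) << 8) | (value >> 8)


def classify_ipid(ids, small_step=10, large_step=20000):
    """Label the IP ID generator behind a sequence of observed IP IDs.

    Returns one of: 'insufficient samples', 'all zeros', 'constant',
    'incremental', 'broken little-endian incremental',
    'random positive increments', 'randomized'.
    Only 'incremental' and 'broken little-endian incremental' hosts are
    usable as idle-scan zombies; the others are safe in that respect.
    """
    if len(ids) < 3:
        return "insufficient samples"
    if all(i == 0 for i in ids):
        return "all zeros"
    if len(set(ids)) == 1:
        return "constant"

    deltas = _deltas(ids)
    if all(0 < d < small_step for d in deltas):
        return "incremental"

    swapped_deltas = _deltas([_byteswap(i) for i in ids])
    if all(0 < d < small_step for d in swapped_deltas):
        return "broken little-endian incremental"

    if all(0 < d < large_step for d in deltas):
        return "random positive increments"
    return "randomized"


def find_exposed(samples):
    """Return the hosts whose IP ID pattern makes them usable as zombies.

    samples maps a host label to the IP IDs observed from it.
    """
    exposed_classes = {"incremental", "broken little-endian incremental"}
    return sorted(
        host for host, ids in samples.items()
        if classify_ipid(ids) in exposed_classes
    )


# Constructed sample data (hypothetical hosts, not from any real network).
SAMPLES = {
    "host_a": [1000, 1001, 1002, 1003, 1004],          # classic counter
    "host_b": [0, 0, 0, 0, 0],                          # IP ID always zero
    "host_c": [_byteswap(1000 + i) for i in range(5)],  # counter, bytes swapped
    "host_d": [5231, 40822, 12004, 60001, 3],           # randomized
    "host_e": [100, 400, 900, 1500, 2100],              # increasing, big steps
    "host_f": [65534, 65535, 0, 1, 2],                  # counter wrapping at 2**16
}

if __name__ == "__main__":
    for host, ids in SAMPLES.items():
        print(f"{host}: {classify_ipid(ids)}")
    print("exposed as idle-scan zombies:", find_exposed(SAMPLES))
```

Hosts that come back as incremental (plain or byte-swapped) are the ones whose IP stack should be updated or configured to randomize the IP ID field; a host with randomized, constant or zero IP IDs cannot be used to relay a scan, which is also why a zombie found by ipidseq is typically an older or lightly maintained system. Sampling must be done from consecutive replies of the same host, as the deltas are meaningless across interleaved traffic from other machines.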