How it works...
The ACK scan sends a TCP packet with only the ACK flag set instead of a SYN packet. Because such a packet looks like part of an already established connection rather than a new connection attempt, many packet filters let it through, and logging rules that trigger on SYNs usually do not record it. The scan never reports a port as open or closed, only as filtered or unfiltered, so it is used to map the firewall's rules rather than to find listening services.
Whether ports show up as filtered or unfiltered depends on whether the firewall in the path is stateful or stateless. A stateful firewall checks whether an incoming ACK belongs to a connection it has already seen; an ACK that matches no tracked connection is dropped, the probe gets no reply, and the port is reported as filtered. A stateless packet filter has no connection table and typically passes anything carrying the ACK flag; the probe reaches the host, whose TCP stack answers an unexpected ACK with a RST whether or not the port is listening, and the port is reported as unfiltered.
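The following is an added simulation, not code from the original recipe or from Nmap: it models a stateless ACL and a connection-tracking firewall in front of the same host and runs an ACK scan and, for contrast, a SYN scan through each. The addresses, port rules and the host's listening ports are all made up for the demonstration. It shows the point above in practice: the SYN scan looks identical behind both firewalls, while the ACK scan reports every port unfiltered behind the stateless filter and filtered behind the stateful one, and in neither case says anything about which ports are open.

```python
"""Simulated ACK scan against a stateless packet filter and a stateful
firewall. Constructed model, not Nmap's code: the hosts, rules and
addresses are made up to show why the two firewall types report differently."""
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str  # "S" = SYN, "SA" = SYN/ACK, "A" = ACK, "R" = RST


class StatelessFilter:
    """Classic ACL with no memory: SYNs are allowed only to listed ports,
    anything carrying the ACK flag is assumed to belong to an existing
    connection and is let through."""

    def __init__(self, syn_ports):
        self.syn_ports = set(syn_ports)

    def passes(self, pkt):
        if "A" in pkt.flags:
            return True
        return pkt.dport in self.syn_ports


class StatefulFirewall:
    """Connection-tracking firewall: an ACK passes only if its 4-tuple
    matches a connection whose SYN was seen and allowed earlier."""

    def __init__(self, syn_ports):
        self.syn_ports = set(syn_ports)
        self.conntrack = set()

    def passes(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pkt.flags == "S" and pkt.dport in self.syn_ports:
            self.conntrack.add(key)
            return True
        return key in self.conntrack


def host_reply(pkt, open_ports):
    """What the target's TCP stack sends back once a probe reaches it."""
    if pkt.flags == "A":
        # An ACK that belongs to no connection gets a RST, listening or not.
        return Packet(pkt.dst, pkt.src, pkt.dport, pkt.sport, "R")
    if pkt.flags == "S":
        flags = "SA" if pkt.dport in open_ports else "R"
        return Packet(pkt.dst, pkt.src, pkt.dport, pkt.sport, flags)
    return None


def ack_scan(firewall, target, ports, attacker="10.0.0.5"):
    """ACK scan: a RST back means the probe got through (unfiltered);
    silence means something dropped it (filtered). Open/closed is never learned."""
    results = {}
    for port in ports:
        probe = Packet(attacker, target, 50000 + port, port, "A")
        reply = host_reply(probe, set()) if firewall.passes(probe) else None
        results[port] = "unfiltered" if reply and reply.flags == "R" else "filtered"
    return results


def syn_scan(firewall, target, ports, open_ports, attacker="10.0.0.5"):
    """SYN scan for contrast: it learns open/closed, but only for ports the
    firewall lets SYNs reach, and it looks the same against both firewalls."""
    results = {}
    for port in ports:
        probe = Packet(attacker, target, 40000 + port, port, "S")
        reply = host_reply(probe, open_ports) if firewall.passes(probe) else None
        if reply is None:
            results[port] = "filtered"
        else:
            results[port] = "open" if reply.flags == "SA" else "closed"
    return results


if __name__ == "__main__":
    target, listening = "10.0.0.9", {22}
    for fw in (StatelessFilter([22, 80]), StatefulFirewall([22, 80])):
        print(type(fw).__name__)
        print("  SYN scan:", syn_scan(fw, target, [22, 80, 8080], listening))
        print("  ACK scan:", ack_scan(fw, target, [22, 80, 8080]))
```

The stateless filter here passes the ACK probe to port 8080 even though it would drop a SYN to that port, which is exactly the gap an ACK scan exposes; the stateful firewall drops every probe because none of them belongs to a connection in its table.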
An idle scan relies on the zombie host using a predictable IP ID (the Identification field of the IP header, used for fragment reassembly), which on a suitable zombie is incremented by one for every packet the host sends. The attacker first records the zombie's current IP ID by sending it a SYN/ACK and reading the ID of the RST it answers with. Next, the attacker sends a SYN to the target port with the zombie's address spoofed as the source, so any reply goes to the zombie rather than to the attacker. If the port is open, the target sends the zombie a SYN/ACK; the zombie never asked for that connection, so it answers with a RST, and sending that RST consumes one more IP ID. If the port is closed, the target sends the zombie a RST, which the zombie silently discards without sending anything.
Finally, the attacker probes the zombie a second time and compares the two IP IDs. The reply to the second probe itself always accounts for one increment. If the IP ID has advanced by only one, the zombie sent nothing to the target in between, meaning the target either answered with a RST (closed) or did not answer at all (filtered); a port scanner such as Nmap reports these ports as closed|filtered. If it has advanced by two, the zombie sent one extra packet, which can only be the RST it returned in response to the target's SYN/ACK, so the port is open. Any larger jump means the zombie was not really idle and the result is unreliable; for the same reason a host that randomizes its IP IDs or keeps a separate counter per destination, as most modern operating systems do, cannot be used as a zombie.
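The exchange described above, as an added simulation that is not part of the original recipe and not Nmap's implementation: three made-up hosts (attacker, zombie, target) are modelled just far enough to follow the IP ID bookkeeping. The zombie answers an unexpected SYN/ACK with a RST and drops an unexpected RST, the target answers the spoofed SYN according to whether the port is open, closed or filtered, and the attacker never exchanges a packet with the target. It also covers the failure case the text warns about: a zombie that sends other traffic between the two probes inflates the delta, and the result has to be treated as unknown.

```python
"""Simulated idle (zombie) scan. Constructed model, not Nmap's code: the
three hosts and their addresses are made up; only the IP ID bookkeeping
follows the real technique."""


class Zombie:
    """Idle host whose IP ID counter goes up by one for every packet it sends."""

    def __init__(self, ip, start_ipid=1000, background_pkts=0):
        self.ip = ip
        self.ipid = start_ipid
        # Packets the zombie sends to other hosts between our probes (0 = truly idle).
        self.background_pkts = background_pkts

    def _send(self):
        self.ipid += 1
        return self.ipid

    def receive(self, pkt):
        if pkt["flags"] == "SA":
            # Unexpected SYN/ACK: the zombie answers RST, spending one IP ID.
            return {"src": self.ip, "dst": pkt["src"], "flags": "R", "ipid": self._send()}
        # An unexpected RST is dropped silently; no packet sent, no IP ID consumed.
        return None

    def do_other_traffic(self):
        for _ in range(self.background_pkts):
            self._send()


class Target:
    def __init__(self, ip, open_ports, filtered_ports=()):
        self.ip = ip
        self.open_ports = set(open_ports)
        self.filtered_ports = set(filtered_ports)

    def receive(self, pkt):
        """Reply to a SYN goes to whatever source address the SYN carried."""
        if pkt["flags"] != "S" or pkt["dport"] in self.filtered_ports:
            return None
        flags = "SA" if pkt["dport"] in self.open_ports else "R"
        return {"src": self.ip, "dst": pkt["src"], "flags": flags}


def probe_ipid(attacker_ip, zombie):
    """Read the zombie's current IP ID by provoking a RST with a SYN/ACK."""
    return zombie.receive({"src": attacker_ip, "dst": zombie.ip, "flags": "SA"})["ipid"]


def idle_scan_port(attacker_ip, zombie, target, port):
    before = probe_ipid(attacker_ip, zombie)
    # Spoofed SYN: source is the zombie, so the target's reply never reaches us.
    reply = target.receive({"src": zombie.ip, "dst": target.ip, "dport": port, "flags": "S"})
    if reply is not None:
        zombie.receive(reply)  # SYN/ACK -> zombie sends RST (+1); RST -> ignored (+0)
    zombie.do_other_traffic()
    after = probe_ipid(attacker_ip, zombie)
    delta = after - before  # the reply to our second probe always accounts for 1
    if delta == 1:
        return "closed|filtered"
    if delta == 2:
        return "open"
    return "unknown (zombie not idle)"


def idle_scan(attacker_ip, zombie, target, ports):
    return {p: idle_scan_port(attacker_ip, zombie, target, p) for p in ports}


if __name__ == "__main__":
    tgt = Target("10.0.0.9", open_ports={80}, filtered_ports={443})
    print(idle_scan("10.0.0.5", Zombie("10.0.0.20"), tgt, [80, 81, 443]))
    # A chatty zombie inflates the delta and the inference breaks down.
    print(idle_scan("10.0.0.5", Zombie("10.0.0.20", background_pkts=3), tgt, [80]))
```

Two simplifications worth knowing when reading real traffic: the IP ID is a 16-bit field and wraps at 65535, so a real implementation compares modulo 65536, and Nmap repeats probes and sends several spoofed SYNs per port to tell a genuinely open port from a zombie that is merely noisy.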