#!/bin/bash
#
# Copyright (C) 2008 vladz <vladz@devzero.fr>
#
# idlescan.sh -- Idle TCP port scanner in Bash

: ${3?"`printf "\r"`usage: $0 <spoofed_host> <target> \
\"<ports_separed_with_space>\""}

printf "Ports status on ${2}:\n"

function getIpid {
   set -- `hping2 -S -A ${1} -c 1  2>/dev/null | grep id=`
   return ${4#*=}
}

for port in ${3}
do
   while [ 1 ]; do
      getIpid ${1} ; a=$?
      hping2 -S -a ${1} ${2} -p ${port} -c 1 &>/dev/null
      getIpid ${1} ; b=$?
      case $((b-a)) in
         1) printf "\t${port} closed\n"; break;;
         2) printf "\t${port} open\n"; break;;
         *) continue;;
      esac
   done
done