Nmap Development mailing list archives
Re: [PATCH] Uptime scanning using RFC1323 TCP timestamps
From: Fyodor <fyodor () insecure org>
Date: Mon, 5 Mar 2001 19:25:55 -0800 (PST)
On Sat, 3 Feb 2001, Troels Walsted Hansen wrote:
> I was looking at http://uptime.netcraft.com and got curious how they did it. This patch is the result.
Cool! Sorry it took me so long to reply. I was in Europe speaking at OSDEM (+ vacation) when you wrote this. As luck would have it, I added this feature (among others) on a train from Paris to Zurich before I even saw your mail :(.
> Unfortunately the timestamp alone is useless, you need to know the OS to calculate the timestamp.
Not necessarily -- you can send two probes (with a slight delay in
between) and take the sequence number delta divided by the delay to
approximate the HZ of the timestamp clock. Of course, in the real
implementation you would send more probes to make your HZ estimate more
accurate. And when you come up with something like 100.7931, you know it
is really 100 and you can use that to calculate uptime.
Along with TCP timestamp sequencing, I also added IP ID sequencing. Most
machines simply increment by one, and this can be useful for "idle
scanning" (see hping2 docs) and also for traffic analysis.
Of course, both of these can be used for OS detection. In a few minutes
I'll post a URL for the version of Nmap which implements this.
Here is an example usage (note that you now have to use -v to get the TCP
ISN predictability report and the same is true with the new IP.ID
report):
amy~#nmap -sS -O -v db
Starting nmap V. 2.54BETA20 ( www.insecure.org/nmap/ )
Host db.yuma.net (192.168.0.4) appears to be up ... good.
Initiating SYN Stealth Scan against db.yuma.net (192.168.0.4)
Adding TCP port 111 (state open).
Adding TCP port 5432 (state open).
Adding TCP port 22 (state open).
The SYN Stealth Scan took 1 second to scan 1542 ports.
For OSScan assuming that port 22 is open and port 1 is closed and neither
are firewalled
Interesting ports on db.yuma.net (192.168.0.4):
(The 1539 ports scanned but not shown below are in state: closed)
Port State Service
22/tcp open ssh
111/tcp open sunrpc
5432/tcp open postgres
Remote operating system guess: Linux 2.1.122 - 2.2.16
Uptime 175.903 days (since Sun Sep 10 22:36:13 2000)
TCP Sequence Prediction: Class=random positive increments
Difficulty=1700818 (Good luck!)
IPID Sequence Generation: Incremental
Nmap run completed -- 1 IP address (1 host up) scanned in 3 seconds
amy~#
Cheers,
-F
PS: As Troels mentioned, this doesn't work against Win* unless we make a
full connection :(. I don't think it is worth connecting (and
compromising stealth) just for that.
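The HZ estimate and uptime calculation Fyodor sketches above, as an added worked example that is not part of the original thread or of Nmap's own code; the probe times, the TSval samples and the 100 Hz clock are constructed, and the list of candidate clock rates is an assumption.

```python
"""Estimate a TCP timestamp clock's HZ from several probes and derive uptime."""
from datetime import datetime, timedelta

# Assumed set of RFC 1323 timestamp clock rates (ticks/second) worth snapping to.
COMMON_HZ = (2, 10, 100, 250, 500, 1000)

# Constructed samples: (wall-clock epoch seconds, TSval) from five SYN/ACK
# replies of one host, spaced 0.5 s apart, with a little scheduling jitter.
# TSval was built as 100 Hz * 175.903 days of uptime plus ~100 ticks/second.
SAMPLES = [
    (1000000000.0, 1519801920),
    (1000000000.5, 1519801970),
    (1000000001.0, 1519802021),
    (1000000001.5, 1519802069),
    (1000000002.0, 1519802121),
]


def estimate_hz(samples):
    """Least-squares slope of TSval against capture time, in ticks per second.
    Everything is taken relative to the first sample so large epoch values
    and large TSvals do not cost floating-point precision."""
    if len(samples) < 2:
        raise ValueError("need at least two probes")
    t0, v0 = samples[0]
    xs = [t - t0 for t, _ in samples]
    ys = [v - v0 for _, v in samples]
    mean_x = sum(xs) / len(xs)
    mean_y = sum(ys) / len(ys)
    den = sum((x - mean_x) ** 2 for x in xs)
    if den == 0:
        raise ValueError("probes must be spread out in time")
    return sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, ys)) / den


def snap_hz(raw_hz, candidates=COMMON_HZ, tolerance=0.1):
    """Round a noisy estimate such as 100.7931 to the nearest known rate;
    return None when it is more than `tolerance` (fraction) away from all."""
    best = min(candidates, key=lambda c: abs(raw_hz - c))
    return best if abs(raw_hz - best) / best <= tolerance else None


def estimate_uptime(samples):
    """Return (hz, uptime_seconds, boot_time) or None if HZ is unidentifiable.
    TSval is a 32-bit counter, so at 1000 Hz it wraps after ~49.7 days and
    the result is only known modulo that period."""
    hz = snap_hz(estimate_hz(samples))
    if hz is None:
        return None
    t_last, v_last = samples[-1]
    uptime = v_last / hz
    return hz, uptime, datetime.fromtimestamp(t_last) - timedelta(seconds=uptime)
```

Current Linux kernels default to net.ipv4.tcp_timestamps=1, which adds a per-connection random offset to TSval, so this estimate tells a scanner nothing useful about such hosts; the example does not model that.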
