Nmap Development mailing list archives
Re: [PATCH] Uptime scanning using RFC1323 TCP timestamps
From: Fyodor <fyodor () insecure org>
Date: Mon, 5 Mar 2001 19:25:55 -0800 (PST)
On Sat, 3 Feb 2001, Troels Walsted Hansen wrote:
> I was looking at http://uptime.netcraft.com and got curious how they did it. This patch is the result.
Cool! Sorry it took me so long to reply. I was in Europe speaking at OSDEM (+ vacation) when you wrote this. As luck would have it, I added this feature (among others) on a train from Paris to Zurich before I even saw your mail :(.
> Unfortunately the timestamp alone is useless, you need to know the OS to calculate the timestamp.
Not necessarily -- you can send two probes (with a slight delay in between) and take the sequence number delta divided by the delay to approximate the HZ of the timestamp clock. Of course, in the real implementation you would send more probes to make your HZ estimate more accurate. And when you come up with something like 100.7931, you know it is really 100 and you can use that to calculate uptime.

Along with TCP timestamp sequencing, I also added IP ID sequencing. Most machines simply increment by one, and this can be useful for "idle scanning" (see hping2 docs) and also for traffic analysis. Of course, both of these can be used for OS detection.

In a few minutes I'll post a URL for the version of Nmap which implements this. Here is an example usage (note that you now have to use -v to get the TCP ISN predictability report and the same is true with the new IP.ID report):

    amy~#nmap -sS -O -v db

    Starting nmap V. 2.54BETA20 ( www.insecure.org/nmap/ )
    Host db.yuma.net (192.168.0.4) appears to be up ... good.
    Initiating SYN Stealth Scan against db.yuma.net (192.168.0.4)
    Adding TCP port 111 (state open).
    Adding TCP port 5432 (state open).
    Adding TCP port 22 (state open).
    The SYN Stealth Scan took 1 second to scan 1542 ports.
    For OSScan assuming that port 22 is open and port 1 is closed and neither are firewalled
    Interesting ports on db.yuma.net (192.168.0.4):
    (The 1539 ports scanned but not shown below are in state: closed)
    Port       State       Service
    22/tcp     open        ssh
    111/tcp    open        sunrpc
    5432/tcp   open        postgres

    Remote operating system guess: Linux 2.1.122 - 2.2.16
    Uptime 175.903 days (since Sun Sep 10 22:36:13 2000)
    TCP Sequence Prediction: Class=random positive increments
                             Difficulty=1700818 (Good luck!)
    IPID Sequence Generation: Incremental

    Nmap run completed -- 1 IP address (1 host up) scanned in 3 seconds
    amy~#

Cheers,
-F

PS: As Troels mentioned, this doesn't work against Win* unless we make a full connection :(.
I don't think it is worth connecting (and compromising stealth) just for that.
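Added illustration (not code from the patch or from Nmap itself) of the two ideas in the reply above: snapping a noisy ticks-per-second estimate such as 100.7931 onto a known clock rate before dividing TSval by it to get uptime, and classifying an IP ID sequence as incremental. The sample values, the KNOWN_HZ table and the 10% tolerance are assumptions chosen for the example.

```python
"""Uptime from RFC 1323 TCP timestamps, plus a simple IP ID sequence class.

Each sample is (time the reply was received, as Unix seconds, TSval carried
in that reply). The samples below are constructed, not captured traffic.
"""
from datetime import datetime, timezone

# Timestamp clock rates (ticks/second) we are willing to snap onto (assumption).
KNOWN_HZ = (2, 10, 100, 250, 1000)


def estimate_hz(samples):
    """Raw estimate: TSval delta between first and last probe over elapsed time."""
    (t0, ts0), (t1, ts1) = samples[0], samples[-1]
    elapsed = t1 - t0
    if elapsed <= 0 or ts1 < ts0:
        raise ValueError("need increasing receive times and a non-wrapping TSval")
    return (ts1 - ts0) / elapsed


def snap_hz(raw_hz, tolerance=0.10):
    """Round a noisy estimate (e.g. 100.7931) to the nearest known rate.

    Returns None when no known rate is within the tolerance, so the caller
    reports nothing rather than a bogus uptime.
    """
    best = min(KNOWN_HZ, key=lambda hz: abs(hz - raw_hz))
    return best if abs(best - raw_hz) / best <= tolerance else None


def uptime_seconds(samples):
    """Uptime implied by the last TSval, or None if the clock rate is unknown."""
    hz = snap_hz(estimate_hz(samples))
    return None if hz is None else samples[-1][1] / hz


def boot_time(samples):
    """UTC boot time: last receive time minus the uptime at that moment."""
    up = uptime_seconds(samples)
    return None if up is None else datetime.fromtimestamp(samples[-1][0] - up, tz=timezone.utc)


def classify_ipid(ids):
    """'Incremental' if every 16-bit IP ID step is +1, 'All zeros', else 'Random'."""
    if all(i == 0 for i in ids):
        return "All zeros"
    steps = [(b - a) & 0xFFFF for a, b in zip(ids, ids[1:])]
    return "Incremental" if all(s == 1 for s in steps) else "Random"


# Constructed samples: ~0.99 s apart, 100 ticks apart -> raw ~101 Hz, snaps to 100.
SAMPLES = [(982999999.01, 1519801800), (983000000.00, 1519801900)]
```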