Nmap Development mailing list archives

[PATCH] Uptime scanning using RFC1323 TCP timestamps


From: "Troels Walsted Hansen" <troels () thule no>
Date: Sat, 3 Feb 2001 15:02:53 +0100

Hello world,

I was looking at http://uptime.netcraft.com and got curious how they did it.
This patch is the result.

I implemented it as part of the OS scanning, although technically it could
be probed with just a single SYN packet. Unfortunately the timestamp alone
is useless; you need to know the OS to calculate the timestamp.

The code contains the increment value for Windows 2000/Me, but unfortunately
that's a bit of a sham. Windows sends 0 timestamps (and timestamp echoes) in
the SYN|ACK. You have to ACK that and wait for an ordinary data packet before
you get the real timestamp. Not very suited for nmap-type scanning (but it
works for netcraft of course, since they use full TCP connections).

Enjoy, and feel free to tweak. The FreeBSD4 check is bogus; hopefully
somebody will improve the fingerprint file to allow better checks.

Here's an example of the patch in action.

[root@ninja nmap-2.54BETA19-uptime]# ./nmap -O --osscan_guess -p80,81 www.insecure.org

Starting nmap V. 2.54BETA19 ( www.insecure.org/nmap/ )
Warning:  OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
Interesting ports on amy.lnxnet.net (208.184.74.98):
Port       State       Service
80/tcp     open        http
81/tcp     filtered    hosts2-ns

TCP Sequence Prediction: Class=random positive increments
                         Difficulty=3652269 (Good luck!)
Remote operating system guess: Linux kernel 2.2.13

Assuming a standard Linux-class OS, the TCP timestamp 470961291 indicates a system uptime of 54 days, 12 hours, 13 minutes, 32 seconds.
Nmap run completed -- 1 IP address (1 host up) scanned in 23 seconds

--
Troels Walsted Hansen

---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to 
nmap-dev-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).
