Nmap Development mailing list archives
[PATCH] Uptime scanning using RFC1323 TCP timestamps
From: "Troels Walsted Hansen" <troels () thule no>
Date: Sat, 3 Feb 2001 15:02:53 +0100
Hello world,

I was looking at http://uptime.netcraft.com and got curious how they did it. This patch is the result. I implemented it as part of the OS scanning, although technically it could be probed with just a single SYN packet.

Unfortunately the timestamp alone is useless, you need to know the OS to calculate the timestamp. The code contains the increment value for Windows 2000/Me, but unfortunately that's a bit of a sham. Windows sends 0 timestamps (and timestamp echoes) in the SYN|ACK. You have to ACK that and wait for an ordinary datapacket before you get the real timestamp. Not very suited for nmap type scanning (but it works for netcraft of course, since they use full TCP connections).

Enjoy, and feel free to tweak.. The FreeBSD4 check is bogus, hopefully somebody will improve the fingerprint file to allow better checks.

Here's an example of the patch in action.

[root@ninja nmap-2.54BETA19-uptime]# ./nmap -O --osscan_guess -p80,81 www.insecure.org

Starting nmap V. 2.54BETA19 ( www.insecure.org/nmap/ )
Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
Interesting ports on amy.lnxnet.net (208.184.74.98):
Port       State       Service
80/tcp     open        http
81/tcp     filtered    hosts2-ns

TCP Sequence Prediction: Class=random positive increments
                         Difficulty=3652269 (Good luck!)
Remote operating system guess: Linux kernel 2.2.13
Assuming a standard Linux-class OS, the TCP timestamp 470961291 indicates a system uptime of 54 days, 12 hours, 13 minutes, 32 seconds.

Nmap run completed -- 1 IP address (1 host up) scanned in 23 seconds

--
Troels Walsted Hansen
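The arithmetic behind the uptime line in the sample output, as an added example that is not code from the patch or from nmap. It assumes a timestamp clock of 100 ticks per second, which is the rate that reproduces the "54 days, 12 hours, 13 minutes, 32 seconds" shown above for TSval 470961291; the function names are hypothetical. It goes slightly beyond the post by estimating the rate from two samples and by computing the point at which the 32-bit counter wraps, which bounds any uptime read this way.

```c
#include <stdint.h>
#include <stdio.h>

/* Uptime broken into the units the sample output prints. */
struct uptime { unsigned days, hours, minutes, seconds; };

/* Convert an RFC 1323 TSval to uptime for a sender whose timestamp clock
 * runs at hz ticks per second. Returns -1 when the value is unusable:
 * hz == 0, or tsval == 0 (the post notes Windows sends zero timestamps
 * in the SYN|ACK, which says nothing about uptime). */
int tsval_to_uptime(uint32_t tsval, uint32_t hz, struct uptime *out)
{
    if (hz == 0 || tsval == 0)
        return -1;
    uint32_t secs = tsval / hz;
    out->days    = secs / 86400;
    out->hours   = (secs % 86400) / 3600;
    out->minutes = (secs % 3600) / 60;
    out->seconds = secs % 60;
    return 0;
}

/* Estimate the clock rate from two TSvals seen elapsed_ms apart, rounded to
 * the nearest Hz. Unsigned subtraction stays correct across a 32-bit wrap. */
uint32_t estimate_hz(uint32_t ts_first, uint32_t ts_second, uint32_t elapsed_ms)
{
    if (elapsed_ms == 0)
        return 0;
    uint32_t delta = ts_second - ts_first;
    return (uint32_t)(((uint64_t)delta * 1000 + elapsed_ms / 2) / elapsed_ms);
}

/* Whole days a 32-bit counter can run at hz before wrapping to zero; a
 * reported uptime can never exceed this, however long the host has been up. */
uint32_t max_days_before_wrap(uint32_t hz)
{
    return hz ? (uint32_t)((UINT64_C(1) << 32) / hz / 86400) : 0;
}

int main(void)
{
    struct uptime u;
    /* TSval taken from the sample output; 100 Hz is the assumed rate. */
    if (tsval_to_uptime(470961291u, 100, &u) == 0)
        printf("%u days, %u hours, %u minutes, %u seconds (wraps after %u days)\n",
               u.days, u.hours, u.minutes, u.seconds,
               (unsigned)max_days_before_wrap(100));
    return 0;
}
```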
Current thread:
- [PATCH] Uptime scanning using RFC1323 TCP timestamps Troels Walsted Hansen (Feb 03)
- RE: [PATCH] Uptime scanning using RFC1323 TCP timestamps Troels Walsted Hansen (Feb 03)
- Re: [PATCH] Uptime scanning using RFC1323 TCP timestamps Fyodor (Mar 05)