Nmap Development mailing list archives

RE: nmap and predictable ISN's or SN's


From: "Fernando Cardoso" <fernando.cardoso () whatevernet com>
Date: Tue, 6 Nov 2001 10:56:07 -0000

Better yet. ISNprober by Tom Vandepoel.

# isnprober -c www:80 www2:443
-- ISNprober / 1.01 / Tom Vandepoel (Tom.Vandepoel () ubizen com) --

Using eth0:z.z.z.z

Probing host: www on TCP port 80.
Probing host: www2 on TCP port 443.

Host:port      ISN         Delta
www3:80         1832271647
www2:443        1833423850     1152203
www:80          1833668032     244182
www2:443        1834155463     487431
www:80          1834484097     328634
www2:443        1835762782     1278685

www:80   [+] <> www2:443  [+] == [+]

Cheers

Fernando

--
Fernando Cardoso - Security Consultant       WhatEverNet Computing, S.A.
Phone : +351 21 7994200                      Praca de Alvalade, 6 - Piso 6
Fax   : +351 21 7994242                      1700-036 Lisboa - Portugal
email : fernando.cardoso () whatevernet com     http://www.whatevernet.com/

-----Original Message-----
From: Denis Ducamp [mailto:Denis.Ducamp () hsc fr]
Sent: Tuesday, 6 November 2001 10:45
To: nmap-dev () insecure org
Subject: Re: nmap and predictable ISN's or SN's


On Tue, Nov 06, 2001 at 11:23:43AM +0100, Ralf Hildebrandt wrote:
> Hi!

Hi,

> Today I was looking at
> http://razor.bindview.com/publish/papers/tcpseq.html

a great paper :)

> and asked myself if nmap could be used to gather this data
> during a scan.

the -Q option from hping http://www.hping.org/ is certainly what
you need:

# ./hping2 -S -p 80 -c 10 -Q www
HPING www (eth0 192.168.1.25): S set, 40 headers + 0 data bytes
1048123854 +1048123854
1983594997 +935471143
1361981332 +3673353630
 433528998 +3366514961
 727732780 +294203782
 959329434 +231596654
1885473328 +926143894
 235633102 +2645127069
 965566788 +729933686
1781858662 +816291874

--- www hping statistic ---
10 packets tramitted, 10 packets received, 0% packet loss
round-trip min/avg/max = 81.9/107.2/140.3 ms

From the HPING2(8) page :

       -Q --seqnum
              This  option  can  be  used  in  order  to  collect
              sequence numbers generated by target host. This can
              be  useful  when  you  need  to analyze whether TCP
              sequence number is predictable. Output example:
[...]
              The first column reports the sequence number, the
              second the difference between current and last sequence
              number. As you can see target host's sequence numbers
              are predictable.

To analyse it using gnuplot is fairly easy then.

Denis Ducamp.

--
 Denis.Ducamp () hsc fr --- Hervé Schauer Consultants --- http://www.hsc.fr/
 Owl/Openwall/snort/hping/dsniff in French     http://www.groar.org/trad/
            Owl in French      http://www.openwall.com/Owl/fr/
 On the proper use of ... http://usenet-fr.news.eu.org/fr-chartes/rfc1855.html

---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to
nmap-dev-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).
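The analysis both messages do by eye (reading the delta column of hping2 -Q, and reading ISNprober's interleaved table to see whether two names draw from one counter), as an added example that is not part of the thread and is not code from hping, ISNprober or nmap. The script parses hping's two-column output, recomputes the wrapped deltas, and scores them; the difficulty index is a simplified re-derivation loosely modelled on the idea behind nmap's (GCD of the deltas, then the spread of the normalised deltas), and its 8*log2(sd) scale, the class cut-off of 64 and the 2**24 "small step" bound are assumptions made here. The fixed-step host is a constructed sample; the other numbers are the ones posted above.

```python
"""Score collected TCP ISNs for predictability and check whether two names share
one ISN counter.

Added example for this thread, not code from hping, ISNprober or nmap. The
difficulty index is a simplified re-derivation loosely modelled on the idea
behind nmap's (GCD of the deltas, then the spread of the normalised deltas);
its 8*log2(sd) scale, the class threshold and the 2**24 "small step" bound
are assumptions made here.
"""
import math
import re
from functools import reduce

MOD32 = 1 << 32
_ISN_LINE = re.compile(r"^\s*(\d+)\s+\+\d+\s*$")   # "<isn> +<delta>" rows only

# The hping2 -Q run Denis posted for "www", pasted as the tool printed it.
HPING_RANDOMISH = """\
HPING www (eth0 192.168.1.25): S set, 40 headers + 0 data bytes
1048123854 +1048123854
1983594997 +935471143
1361981332 +3673353630
 433528998 +3366514961
 727732780 +294203782
 959329434 +231596654
1885473328 +926143894
 235633102 +2645127069
 965566788 +729933686
1781858662 +816291874

--- www hping statistic ---
10 packets tramitted, 10 packets received, 0% packet loss
"""

# Constructed sample (not from the thread): a host whose ISN grows by a fixed
# 64000 per connection, the classic guessable generator.
HPING_FIXED_STEP = "\n".join(
    "%d +%d" % (1048123854 + 64000 * i, 64000 if i else 1048123854)
    for i in range(6))

# The interleaved rows of Fernando's ISNprober table, in probe order.
ISNPROBER_RUN = [("www3:80", 1832271647), ("www2:443", 1833423850),
                 ("www:80", 1833668032), ("www2:443", 1834155463),
                 ("www:80", 1834484097), ("www2:443", 1835762782)]


def parse_hping_q(output):
    """ISNs from the first column of `hping2 -Q` output; header and statistics
    lines carry no "+delta" column and are skipped."""
    return [int(m.group(1)) for m in map(_ISN_LINE.match, output.splitlines()) if m]


def isn_deltas(isns):
    """Consecutive differences wrapped modulo 2**32, as the sequence space wraps
    (recomputed here rather than read from hping's second column)."""
    return [(b - a) % MOD32 for a, b in zip(isns, isns[1:])]


def difficulty(isns):
    """Return (gcd_of_deltas, index). index 0: constant or fixed-step ISNs;
    uniformly random 32-bit deltas land near 240 on this assumed scale."""
    d = isn_deltas(isns)
    if len(d) < 2:
        raise ValueError("need at least three ISN samples")
    g = reduce(math.gcd, d)
    if g == 0:                          # every delta is zero: the ISN never moves
        return 0, 0
    norm = [x / g for x in d]           # divide out a common step such as 64000
    mean = sum(norm) / len(norm)
    sd = math.sqrt(sum((x - mean) ** 2 for x in norm) / len(norm))
    return g, (0 if sd < 1 else int(8 * math.log2(sd)))


def classify(isns):
    """Coarse verdict; the 64 cut-off is this example's assumption, not nmap's."""
    g, index = difficulty(isns)
    if index == 0:
        return "predictable: step %d" % g if g else "predictable: constant ISN"
    if index < 64:
        return "weak: index %d, common step %d" % (index, g)
    return "random-looking: index %d" % index


def shared_counter(samples, max_step=1 << 24):
    """ISNprober-style test on (host, isn) pairs in probe order, alternating
    between hosts: if the merged stream only ever rises by small steps, both
    names are served by one ISN counter (one box behind two names, or one
    box behind a load balancer). max_step bounds what counts as small."""
    if len({h for h, _ in samples}) < 2:
        raise ValueError("need samples from at least two hosts")
    return all(0 < s <= max_step for s in isn_deltas([isn for _, isn in samples]))


if __name__ == "__main__":
    for name, text in (("www (Denis)", HPING_RANDOMISH), ("fixed-step host", HPING_FIXED_STEP)):
        print("%-16s %s" % (name, classify(parse_hping_q(text))))
    print("www and www2 share one ISN counter:", shared_counter(ISNPROBER_RUN))
```

Run it as is and it scores Denis's ten samples as random-looking, the constructed host as a fixed step of 64000, and Fernando's interleaved table as one shared counter. Ten probes fired back to back is a thin sample: a generator that only looks random because it mixes in a clock will score well here and still be guessable by an attacker who knows the clock, so collect samples over a longer interval before trusting a high index.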