Nmap Development mailing list archives

Re: nmap and predictable ISN's or SN's


From: Ralf Hildebrandt <Ralf.Hildebrandt () charite de>
Date: Tue, 6 Nov 2001 14:34:14 +0100

On Tue, Nov 06, 2001 at 11:44:52AM +0100, Denis Ducamp wrote:

> the -Q option from hping http://www.hping.org/ is certainly what you need :
> 
> # ./hping2 -S -p 80 -c 10 -Q www
> HPING www (eth0 192.168.1.25): S set, 40 headers + 0 data bytes
> 1048123854 +1048123854
> 1983594997 +935471143
> 1361981332 +3673353630
>  433528998 +3366514961
>  727732780 +294203782
>  959329434 +231596654
> 1885473328 +926143894
>  235633102 +2645127069
>  965566788 +729933686
> 1781858662 +816291874

I did that against my HP-UX 10.20 machine with a tuned IP stack (I altered
the sequence number generation), and I don't see the "predictability" the
paper describes.

I basically see a 3D cube, like in the FreeBSD and NetBSD plots.

I used this awk script to generate the x[n], y[n], z[n] tuples:

BEGIN {
   fenster = 3        # window: number of consecutive deltas per tuple
}

{
   isn[NR]   = $1     # raw ISN as printed by hping -Q
   delta[NR] = $2     # hping's printed delta to the previous ISN
   records   = NR
}

END {
   # hping prints the first ISN itself as its "delta" (there is no
   # predecessor), so the sliding window starts at record 2.
   for (i = 2; i + fenster - 1 <= records; i++) {
      print delta[i], delta[i+1], delta[i+2]
   }
}

-- 
Ralf Hildebrandt                            Tel.  +49 (0)30-450 570-155
                                            Fax.  +49 (0)30-450 570-916
So unleash your nmap-from-hell and beware, you may tickle an obscure
bug in an ancient box hand-built by Seymour Cray himself, the only one
of its kind ever made, whose sole user pays the salaries of everyone
you ever met in the entire time you worked at the company, with money
he makes with an investment strategy hand-coded in assembler for this
special machine, by an analytic wizard who has since died. 


---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to 
nmap-dev-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).
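The following is an added example, not code from the original thread or from hping or nmap. It does in Python what the awk script above does, but works from the raw ISN column instead of trusting hping's printed delta: it parses the `ISN +delta` lines (the ten samples quoted above are embedded as constructed input), recomputes each delta modulo 2^32 since TCP sequence space wraps, emits the sliding-window tuples for plotting, and flags where the printed delta disagrees with the recomputation. In the quoted sample every delta that wrapped (the third, fourth and eighth) prints one less than the mod-2^32 difference; the positive ones match exactly. The function and regex names are this example's own choices.

```python
"""Turn `hping2 -Q` output into the delta tuples the thread plots.

Added example, not code from the original post. It parses the `ISN +delta`
lines hping prints, recomputes each delta modulo 2^32 from the raw ISNs,
and emits sliding-window tuples of consecutive deltas (the same points the
awk script in the post produces, minus the bogus first "delta").
"""
import re

MOD32 = 1 << 32

# Constructed input: the ten samples quoted in the thread, verbatim.
HPING_OUTPUT = """\
HPING www (eth0 192.168.1.25): S set, 40 headers + 0 data bytes
1048123854 +1048123854
1983594997 +935471143
1361981332 +3673353630
 433528998 +3366514961
 727732780 +294203782
 959329434 +231596654
1885473328 +926143894
 235633102 +2645127069
 965566788 +729933686
1781858662 +816291874
"""

# One sample line: optional leading spaces, ISN, spaces, '+', printed delta.
SAMPLE_RE = re.compile(r"^\s*(\d+)\s+\+(\d+)\s*$")


def parse_samples(text):
    """Return [(isn, printed_delta), ...] from hping -Q output, skipping the banner."""
    samples = []
    for line in text.splitlines():
        m = SAMPLE_RE.match(line)
        if m:
            samples.append((int(m.group(1)), int(m.group(2))))
    return samples


def isn_deltas(isns):
    """Successive ISN differences reduced modulo 2^32 (the sequence space wraps)."""
    return [(b - a) % MOD32 for a, b in zip(isns, isns[1:])]


def delta_tuples(deltas, window=3):
    """Sliding window of `window` consecutive deltas: the (x, y, z) points to plot."""
    return [tuple(deltas[i:i + window]) for i in range(len(deltas) - window + 1)]


def check_printed_deltas(samples):
    """Compare hping's printed delta column with the mod-2^32 recomputation.

    Returns [(sample_index, printed, recomputed), ...] for every mismatch.
    Sample 0 is skipped: hping prints the ISN itself there, not a delta.
    """
    isns = [isn for isn, _ in samples]
    printed = [d for _, d in samples[1:]]
    mismatches = []
    for i, (shown, ours) in enumerate(zip(printed, isn_deltas(isns)), start=1):
        if shown != ours:
            mismatches.append((i, shown, ours))
    return mismatches


if __name__ == "__main__":
    samples = parse_samples(HPING_OUTPUT)
    deltas = isn_deltas([isn for isn, _ in samples])
    for point in delta_tuples(deltas):
        print(*point)  # same layout as the awk output, ready for gnuplot
    for i, shown, ours in check_printed_deltas(samples):
        print(f"# sample {i}: hping printed +{shown}, ISN difference mod 2^32 is {ours}")
```

Feed it more than ten samples before drawing conclusions: the awk and this script only reshape the data, and a cube-like cloud from a handful of points says little about whether an observer could narrow down the next ISN.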


