Nmap Development mailing list archives
Re: Nmap Uptime Guessing
From: Gisle Vanem <giva () bgnett no>
Date: Tue, 03 Apr 2007 01:41:49 +0200
"J. Perrymon" <josh () packetfocus com> wrote:
How does Nmap determine uptime? From what I read this is returned from the TCP stack and not ICMP? Or is it both..
From the tcp-option TCP_TIMESTAMP in rfc-1323.
Specifically the 1st value in this option is 'ts_now', the 2nd is 'ts_echo'. But mind you, the 'ts_now' cannot be trusted to really be related to uptime. It's just a increasing milli-sec counter. What the starting value is, is highly variable. But the man himself said this a long time ago: <quote> Nmap does several probes over a few seconds to determine how fast the counter is incrementing. Then it can extrapolate back to when the counter was zero (generally boot time). Nmap also used the timestamp frequency it determines as part of OS fingerprinting. </quote>
How could you protect devices(Win, *nix) in a DMZ from this?
I'm not sure you can w/o a tcp-option rewrite proxy (if one such exists). --gv _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://SecLists.Org
Current thread:
- Nmap Uptime Guessing J. Perrymon (Apr 02)
- Re: Nmap Uptime Guessing Open Phugu (Apr 02)
- Re: Nmap Uptime Guessing Gisle Vanem (Apr 02)
- Re: Nmap Uptime Guessing Hans Nilsson (Apr 03)
- Re: Nmap Uptime Guessing Gisle Vanem (Apr 03)
- Re: Nmap Uptime Guessing Hans Nilsson (Apr 03)