Nmap Development mailing list archives

Re: Nmap Uptime Guessing


From: Gisle Vanem <giva () bgnett no>
Date: Tue, 03 Apr 2007 01:41:49 +0200

"J. Perrymon" <josh () packetfocus com> wrote:

> How does Nmap determine uptime? From what I read this is returned from
> the TCP stack and not ICMP? Or is it both..

From the tcp-option TCP_TIMESTAMP in rfc-1323.
Specifically the 1st value in this option is 'ts_now', the 2nd is 'ts_echo'.
But mind you, the 'ts_now' cannot be trusted to really be related to
uptime. It's just an increasing milli-sec counter. What the starting value
is, is highly variable.

But the man himself said this a long time ago:

<quote>
  Nmap does several probes over a few seconds to determine how fast the
  counter is incrementing.  Then it can extrapolate back to when the
  counter was zero (generally boot time).  Nmap also used the timestamp
  frequency it determines as part of OS fingerprinting.
</quote>

> How could you protect devices (Win, *nix) in a DMZ from this?

I'm not sure you can w/o a tcp-option rewrite proxy (if one such exists).

--gv
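
The extrapolation described in the quote, together with the caveat about the starting value, as an added Python example that is not part of the original post and is not Nmap's code. The function names and the list of common tick rates are assumptions, and all sample values are constructed.

```python
# Added illustration; every sample value here is constructed, not captured traffic.
COMMON_HZ = (1, 2, 10, 100, 250, 1000)  # assumption: typical timestamp tick rates

def estimate_hz(samples):
    """Least-squares slope of TSval against receive time: ticks per second."""
    if len(samples) < 2:
        raise ValueError("need at least two probe replies")
    if any(b[1] <= a[1] or b[0] <= a[0] for a, b in zip(samples, samples[1:])):
        raise ValueError("TSval not increasing (32-bit wrap or rewritten option)")
    n = len(samples)
    mt = sum(t for t, _ in samples) / n
    mv = sum(v for _, v in samples) / n
    num = sum((t - mt) * (v - mv) for t, v in samples)
    den = sum((t - mt) ** 2 for t, _ in samples)
    return num / den

def snap_hz(hz, tolerance=0.1):
    """Use the nearest common rate when the measurement is within tolerance."""
    best = min(COMMON_HZ, key=lambda c: abs(c - hz))
    return best if abs(best - hz) <= tolerance * best else hz

def apparent_uptime(samples):
    """Seconds since the counter would have read zero, as of the last reply."""
    hz = snap_hz(estimate_hz(samples))
    return samples[-1][1] / hz

def make_samples(hz, uptime_s, start_value=0, count=6, spacing=0.5):
    """Constructed replies (receive_time_s, tsval) from a host up for uptime_s."""
    return [(i * spacing, (start_value + int((uptime_s + i * spacing) * hz)) % 2**32)
            for i in range(count)]

if __name__ == "__main__":
    real = 3 * 86400  # three days
    zero_based = make_samples(1000, real)                      # counter began at 0
    offset = make_samples(1000, real, start_value=3_000_000_000)  # random start
    for name, s in (("zero-based", zero_based), ("random start", offset)):
        print(f"{name}: {estimate_hz(s):.0f} Hz, apparent uptime "
              f"{apparent_uptime(s) / 86400:.1f} days (real 3.0)")
```

With a random starting value the measured frequency is unchanged, so only the boot-time estimate is thrown off, not the rate that feeds OS fingerprinting.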
