Nmap Development mailing list archives
Re: nmap questions - what is "tcpsequence index", "class" and how are they derived?
From: Brandon Enright <bmenrigh () ucsd edu>
Date: Wed, 20 Feb 2008 21:57:59 +0000
Kathy,

I didn't see an answer to this so here goes:

In order to provide reliable, in-order delivery with performance scaling, etc, TCP needs to use sequence numbers to keep track of the data stream. It turns out that if the first of these sequence numbers is predictable all sorts of TCP attacks are opened up. See Michal Zalewski's excellent writeup on the subject http://lcamtuf.coredump.cx/newtcp/

As part of Nmap's OS fingerprinting, several sequence numbers are analyzed to see if there is an (obvious) pattern to how they are generated. Here is example XML output:

<tcpsequence index="264" class="unknown class" difficulty="Good luck!" values="B70D64EC,D5FA08F,9C7B3F07,A24D55AB,A892F996,454D4CD4" />

The "index" attribute is an integer number that attempts to estimate the difficulty of predicting another sequence number. An index of 1 is really really easy (Trivial Joke) and as the number increases the difficulty increases.

The "class" attribute is a measure of what algorithm is being used. If each sequence number were 1 greater than the last the class would be incremental. If it were 64,000 greater than the last it would be 64k rule, etc.

The "difficulty" attribute is an English name for the index number. That is, there are a few classes, "Trivial Joke", "Worthy Challenge", and "Good Luck". There may be more but this is all from memory. Each of those names corresponds to some range of index numbers. For example, "Trivial Joke" might correspond to index >= 1 and <= 5.

The "values" attribute is the raw initial TCP sequence numbers (in hex) of several TCP packets received from the target during the OS fingerprinting. It is these values that Nmap does all the math on to determine the rest of the attributes.
The really nice thing about including the raw numbers is that if some detectable flaw is ever found in an OS's sequence generation, you can go back to previously recorded values and run the modified algorithm to come up with new estimates for the rest of the attributes.

Fyodor and others have put a lot of thought and effort into all of this. Much of which is well documented at http://nmap.org/osdetect/

Brandon

On Tue, 19 Feb 2008 12:55:57 +0000 Kathy Simm <kathys39 () hotmail com> wrote:
I'm working on a parser for xml output of nmap and I'm trying to figure out what exactly the 3 items below really are and how they are generated? Can anyone enlighten me? Thanks

- tcpsequence
  index
  class
  difficulty
  values

I'm currently running nmap with -vv options and -oX xmlfilename.xml options.

Thank you-
Kathy
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://SecLists.Org
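As an added illustration (not code from the original message or from Nmap itself), here is a small Python parser that reads the <tcpsequence> element quoted above, decodes the hex ISNs in "values", and computes the consecutive deltas that the "class" attribute summarizes. The classifier is a simplified heuristic covering only the two classes Brandon names; it is not Nmap's own algorithm, and the wrapping <host> element is a constructed sample.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the <tcpsequence> element from the message above,
# wrapped in a minimal <host> element so it parses. Real nmap -oX output
# nests <tcpsequence> under <host> alongside the other fingerprint data.
SAMPLE_XML = """<host>
<tcpsequence index="264" class="unknown class" difficulty="Good luck!"
 values="B70D64EC,D5FA08F,9C7B3F07,A24D55AB,A892F996,454D4CD4" />
</host>"""


def parse_tcpsequence(xml_text):
    """Return (index, class, difficulty, [isn ints]) from a <tcpsequence> element."""
    root = ET.fromstring(xml_text)
    elem = root.find("tcpsequence")
    if elem is None:
        raise ValueError("no <tcpsequence> element found")
    # "values" is a comma-separated list of hex ISNs; Nmap does not zero-pad
    # them (note the 7-digit D5FA08F), so parse each as base-16 rather than
    # slicing fixed-width fields.
    values = [int(v, 16) for v in elem.get("values", "").split(",") if v]
    return int(elem.get("index")), elem.get("class"), elem.get("difficulty"), values


def isn_deltas(values):
    """Differences between consecutive ISNs, reduced modulo 2**32 because
    the TCP sequence space wraps around."""
    return [(b - a) % (1 << 32) for a, b in zip(values, values[1:])]


def classify_deltas(deltas):
    """Coarse heuristic (an assumption, not Nmap's classifier): a constant
    step of 1 is 'incremental', a constant step of 64000 is the '64K rule',
    anything else is reported as 'unknown class'."""
    if deltas and all(d == deltas[0] for d in deltas):
        if deltas[0] == 1:
            return "incremental"
        if deltas[0] == 64000:
            return "64K rule"
    return "unknown class"


if __name__ == "__main__":
    index, cls, difficulty, isns = parse_tcpsequence(SAMPLE_XML)
    deltas = isn_deltas(isns)
    print("index=%d class=%r difficulty=%r" % (index, cls, difficulty))
    print("ISNs:  ", [hex(v) for v in isns])
    print("deltas:", deltas)
    print("heuristic class:", classify_deltas(deltas))
```

Re-running the same functions over "values" recorded in older scans is exactly the kind of after-the-fact re-analysis Brandon describes, since the raw ISNs are preserved in the XML.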