Nmap Development mailing list archives

Re: Uptime estimates and TCP timestamp offsets


From: David Fifield <david () bamsoftware com>
Date: Tue, 26 Aug 2008 15:32:30 -0600

On Mon, Aug 18, 2008 at 06:02:58PM -0600, David Fifield wrote:
> What do we do? Nmap already throws out very long uptimes, but a
> plausible uptime (like scanme's 47 days) can still be wrong. I don't
> think there's a way to detect an operating system adding a random offset
> to its timestamps, unless you scan across boots. Even though it can be
> fooled, the uptime calculation isn't useless--it still works for most
> OSs out there. Maybe just label it "Uptime guess"?

Because the uptime estimation can be completely inaccurate but it is
still useful in many cases, "Uptime" is now "Uptime guess" and it's
printed only in verbose mode.

The issue with scanme appears to have been a simple counter overflow,
not SYN cookies or anything like that. Mac OS X does randomize its
initial TCP timestamp for the express purpose of frustrating attempts to
learn the uptime. The patch and announcement are

http://lists.apple.com/archives/publicsource-modifications/2002/Jul/msg00001.html
http://lists.apple.com/archives/security-announce/2003/Oct/msg00001.html

It appears that OpenBSD used to do this but doesn't any more.

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
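The two failure modes discussed in this thread, a 32-bit timestamp counter that has wrapped and an operating system that starts the counter at a random value, as an added example that is not part of the original message or of Nmap's own code. It assumes a 32-bit TSval, a small set of common tick rates, and a one-year cut-off for "very long" uptimes; the host TSvals are constructed.

```python
"""Added example, not Nmap's own code: derive an uptime guess from TCP
timestamp values (TSval) and show why the guess can be wrong yet plausible.
Assumptions: a 32-bit TSval counter and the set of common tick rates."""

TS_MOD = 1 << 32                 # TSval is a 32-bit counter
COMMON_HZ = (2, 100, 250, 1000)  # tick rates commonly seen on the wire
MAX_PLAUSIBLE_DAYS = 365         # assumed cut-off for "very long" uptimes


def estimate_hz(observations):
    """Snap the measured tick rate to the nearest common rate.

    observations: list of (send_time_seconds, tsval) from probes sent at
    known times. The modular difference tolerates one counter wrap."""
    (t0, ts0), (t1, ts1) = observations[0], observations[-1]
    raw_hz = ((ts1 - ts0) % TS_MOD) / (t1 - t0)
    return min(COMMON_HZ, key=lambda hz: abs(hz - raw_hz))


def uptime_guess(tsval, hz):
    """Seconds of uptime, valid only if the counter started at zero at boot
    and has not wrapped since."""
    return tsval / hz


def classify(tsval, hz):
    """Return (days, verdict): 'implausible' beyond the cut-off, otherwise
    'guess', since a wrap or a random offset is invisible from one scan."""
    days = uptime_guess(tsval, hz) / 86400
    return days, "implausible" if days > MAX_PLAUSIBLE_DAYS else "guess"


def simulate_tsval(true_uptime_s, hz, initial_offset=0):
    """Constructed TSval as a host would emit it: ticks since boot plus any
    randomized starting value, truncated to 32 bits."""
    return (initial_offset + int(true_uptime_s * hz)) % TS_MOD


if __name__ == "__main__":
    # Wrap: at 1000 Hz the counter wraps every 2**32/1000 s (~49.7 days),
    # so a host up 97 days emits a TSval that reads as ~47.3 days.
    days, verdict = classify(simulate_tsval(97 * 86400, 1000), 1000)
    print(f"wrapped counter: {days:.1f} days ({verdict})")
    # Random offset: a host up 3 days whose counter started at an arbitrary
    # value (constructed) reads as ~17.3 days, plausible but wrong.
    days, verdict = classify(simulate_tsval(3 * 86400, 100, 123_456_789), 100)
    print(f"random offset:   {days:.1f} days ({verdict})")
```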
