Bugtraq mailing list archives

Remote fingerprinting/uptime (was Re: TCP Timestamping ...)


From: Darren Reed <avalon () COOMBS ANU EDU AU>
Date: Tue, 20 Mar 2001 20:23:52 +1100

I'm not sure the "TCP timestamping allows fingerprinting" holds a lot of
water.  nmap's capabilities for determining what version of an OS is at
the other end are pretty complete.  So far as TCP fingerprints go, it's
how often it changes (and by how much) that's at issue, not just what it
gets seeded to.  While nmap fingerprinting may not tell you how long a
box has been up, it has capabilities to tell you what version the kernel
is regardless of how long it has been up.

Changing a system's algorithm for TCP timestamping just introduces yet
another mechanism for nmap to use in determining what version of kernel
is at the other end.

So, does "fixing" the TCP timestamping actually help or make matters
worse - i.e. easier for an attacker?  If I know a kernel is going
to be OpenBSD pre-2.8 (for example), is that more or less useful than
knowing it has been up 60 days?

Just to recap, knowing a host has been up for n days only means you
know it can't be an OS/kernel that has been released in those n days
and any associated information that goes with that.

You know nothing else.  If a box has been up 50 days then that doesn't
tell you it is 2.0 or 2.2 or 2.3 or 2.4.  It just tells you it can't be
anything that's been released in less than 50 days.

Darren
