Nmap Development mailing list archives

Re: Clock Skew


From: "Hans Nilsson" <hasse_gg () ftml net>
Date: Fri, 03 Nov 2006 16:34:41 -1100

Fun that someone found it interesting. Anyways I sent an e-mail to
Steven J. Murdoch who talked some about this at 22C3 and did the paper I
linked to in my previous post. And apparently a version of hping3 has
support for measuring clock skew, he also had some code of his own but
he will not release it until his thesis is complete.

Check it out:
http://www.linux.it/~gaetano/blog/2006/09/18/hping3-clock-skew-detection/

On Thu, 2 Nov 2006 19:11:45 -0800, doug () hcsw org said:
Hi Hans and nmap-dev!

I agree this is an incredibly interesting topic! For anyone reading
this that isn't familiar with the concept, I highly recommend reading
the KohnoBroidoClaffy paper that Hans references below.

As far as I know, there are no production quality implementations of
this technique publicly available. As the Kohno paper discusses,
there are many possibilities with this technique and I think it could
potentially be an extremely valuable addition to our favourite security
scanner Nmap. Some possibilities:

* Detecting when different IP addresses are handled by the same piece
  of hardware (for instance virtual private servers).

* Finding the identities of clients connecting to your network even
  if they change their MAC addresses.

* Firewall/load balancer/etc discovery.

One nice thing about clock skew is that it is quite difficult to
obfuscate or mask the information revealed about the target. According
to Kohno et al, even when the target regularly synchronises with NTP
it is still possible to detect clock skew.

Even on OpenBSD, which randomises the initial TCP timestamps, it is my
understanding that this technique will still work perfectly fine as long
as you can maintain a TCP connection to the target for a few minutes. 

Anyways, I think Hans has a great idea and I would love to see this
functionality added to Nmap. Unfortunately, I think it would be a lot
of work to do this properly. Like my Qscan patch, this sort of
fingerprinting is statistical in nature and, in that respect, differs
greatly from Nmap's current (mostly) deterministic behaviour.

That said, I'll be the first person to applaud anyone who creates a
patch!

Best,

Doug


On Wed, Nov 01, 2006 at 07:53:08PM -1100 or thereabouts, Hans Nilsson
wrote:
Any thought about implementing the measuring of clock skew in Nmap?
Basically you can detect if two hosts are the same and a lot of
interesting things from this value. For example, are these two hosts
just the same firewall spoofing me or not, does this IP have several
boxes behind it, how many computers are behind a NAT etc. Could possibly
be used for OS-detection too. Very interesting stuff if you ask me.

http://www.zdnet.com.au/news/security/soa/Tracking_PCs_anywhere_on_the_Net/0,130061744,139183346,00.htm
http://www.caida.org/publications/papers/2005/fingerprinting/KohnoBroidoClaffy05-devicefingerprinting.pdf
http://www.cl.cam.ac.uk/~sjm217/papers/ccs06hotornot.pdf
-- 
  Hans Nilsson
  hasse_gg () ftml net



_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
-- 
  Hans Nilsson
  hasse_gg () ftml net
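The timestamp-based skew measurement Doug and Hans discuss above, as an added example that is not part of this thread, of Nmap or of hping3: it takes (receive time, TCP timestamp) pairs captured from one source and estimates the skew in ppm with a least-squares fit, which stands in for the linear-programming fit used by Kohno et al. The tick rate HZ, the `same_clock` tolerance and the sample generator are assumptions, and the sample data is constructed.

```python
import random

HZ = 100  # assumed TCP timestamp tick rate (Kohno et al. estimate it; fixed here)


def estimate_skew_ppm(samples, hz=HZ):
    """Estimate clock skew in ppm from (recv_time_s, tcp_timestamp_ticks) pairs
    taken from a single source.  Following Kohno et al., each sample gives an
    observed offset y_i = (T_i - T_0)/hz - (t_i - t_0); the slope of y against
    x_i = t_i - t_0 is the skew.  Least squares stands in for the paper's
    linear-programming fit.  Only differences in T are used, so a random
    initial timestamp value (as on OpenBSD) does not change the result."""
    if len(samples) < 2:
        raise ValueError("need at least two samples")
    t0, ts0 = samples[0]
    xs = [t - t0 for t, _ in samples]
    ys = [(ts - ts0) / hz - (t - t0) for t, ts in samples]
    n = len(samples)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    if sxx == 0:
        raise ValueError("samples must span a non-zero time interval")
    slope = sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / sxx
    return slope * 1e6


def same_clock(skew_a_ppm, skew_b_ppm, tol_ppm=2.0):
    """Two addresses whose measured skews agree within an assumed tolerance
    are candidates for being served by the same hardware."""
    return abs(skew_a_ppm - skew_b_ppm) <= tol_ppm


def synth_samples(skew_ppm, initial_ts, n=1000, interval=1.0, jitter_ms=10, seed=1, hz=HZ):
    """Constructed sample set: a host whose timestamp clock runs skew_ppm fast,
    starting from an arbitrary initial tick value, observed through up to
    jitter_ms of one-way delay variation."""
    rng = random.Random(seed)
    out = []
    for i in range(n):
        true_t = i * interval
        ticks = initial_ts + int(true_t * (1 + skew_ppm / 1e6) * hz)
        recv_t = true_t + rng.uniform(0, jitter_ms / 1000)
        out.append((recv_t, ticks))
    return out


if __name__ == "__main__":
    a = synth_samples(50.0, initial_ts=1_234_567)
    b = synth_samples(50.0, initial_ts=987_654_321, seed=7)  # same clock, new session
    c = synth_samples(-120.0, initial_ts=42)
    sa, sb, sc = (estimate_skew_ppm(s) for s in (a, b, c))
    print(f"A {sa:+.1f} ppm, B {sb:+.1f} ppm, C {sc:+.1f} ppm, A==B? {same_clock(sa, sb)}")
```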



