Nmap Development mailing list archives

Major bug in gen1 tcp sequence prediction


From: Richard van den Berg <richard.vandenberg () ins com>
Date: Tue, 13 Mar 2007 17:56:42 +0100

I was just troubleshooting the fact that the gen1 OS scan code from nmap
4.20 (and 4.21alpha1) always reports the TCP ISN sequence prediction as
a trivial joke. The solution is a lot easier than I had thought. From
osscan.cc:

            if (si->seqs[seq_response_num] == 0) {
              /* New response found! */
              si->responses++;
              //              si->seqs[seq_response_num] = ntohl(tcp->th_seq); /* TCP ISN */
              si->seqs[seq_response_num] = fake_seqs[seq_response_num]; /* TCP ISN */


Unfortunately the gen1 code is used a lot since it serves as a fallback
when the gen2 code does not find a match.

Can someone please deactivate the fake_seqs[] table for the next nmap
release?

Sincerely,

-- 

Richard van den Berg | Senior Consultant | BT INS | Mob: +31
(0)652071109 | E: richard.vandenberg () bt com | http://bt.ins.com/

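As an added illustration (not nmap's own code, and not part of the message above), the following C models the bug being reported: the ISN array is filled from a fixed table instead of from the sequence numbers the target actually sent, so whatever classification runs on that array sees the same evenly spaced values on every scan and reports them as trivially predictable. The table contents, the `record_isns`/`isn_is_trivial` names and the variance-based verdict are assumptions for this example; nmap's real fake_seqs[] values and its difficulty index are not reproduced here.

```c
/* Added example, not nmap's code: shows why copying a fixed table into
 * si->seqs[] in place of ntohl(tcp->th_seq) makes every target look like
 * it has a trivially predictable ISN generator. */
#include <stdint.h>
#include <stdio.h>

#define NUM_SEQ_SAMPLES 6

/* Constructed stand-in for nmap's fake_seqs[] table (assumed values):
 * six ISNs spaced exactly 0x100 apart, identical on every scan. */
static const uint32_t fake_seqs[NUM_SEQ_SAMPLES] = {
    0x10000000u, 0x10000100u, 0x10000200u,
    0x10000300u, 0x10000400u, 0x10000500u
};

/* Fill seqs[] from the ISNs observed in the SYN/ACK responses.
 * With use_fake != 0 this reproduces the bug: the table overwrites
 * whatever the target actually sent. */
void record_isns(const uint32_t *observed, int n, int use_fake, uint32_t *seqs)
{
    for (int i = 0; i < n; i++)
        seqs[i] = use_fake ? fake_seqs[i] : observed[i];
}

/* Sample variance of consecutive ISN differences, taken modulo 2^32 so
 * that a wrap-around between two samples is handled like any other delta. */
double isn_delta_variance(const uint32_t *seqs, int n)
{
    if (n < 3)
        return 0.0;
    double sum = 0.0, sumsq = 0.0;
    for (int i = 1; i < n; i++) {
        double d = (double)(uint32_t)(seqs[i] - seqs[i - 1]);
        sum += d;
        sumsq += d * d;
    }
    int m = n - 1;                        /* number of deltas */
    double mean = sum / m;
    double var = (sumsq - m * mean * mean) / (m - 1);
    return var > 0.0 ? var : 0.0;         /* guard against rounding below zero */
}

/* Simplified verdict (assumed, not nmap's difficulty index): constant
 * increments give zero variance and count as "trivial"; returns 1 if so. */
int isn_is_trivial(const uint32_t *seqs, int n)
{
    return isn_delta_variance(seqs, n) < 1.0;
}

int main(void)
{
    /* Constructed "observed" ISNs with no obvious pattern, as a real
     * target with a randomised ISN generator might return. */
    uint32_t observed[NUM_SEQ_SAMPLES] = {
        0x9a3f1c22u, 0x1d7e8b40u, 0xc45a0f91u,
        0x3e8812a7u, 0xf01c6e5du, 0x57b2a9c3u
    };
    uint32_t seqs[NUM_SEQ_SAMPLES];

    record_isns(observed, NUM_SEQ_SAMPLES, 1, seqs);   /* buggy path */
    printf("fake table in seqs[]:  %s\n",
           isn_is_trivial(seqs, NUM_SEQ_SAMPLES) ? "trivial joke" : "not trivial");

    record_isns(observed, NUM_SEQ_SAMPLES, 0, seqs);   /* real ISNs */
    printf("observed ISNs in seqs[]: %s\n",
           isn_is_trivial(seqs, NUM_SEQ_SAMPLES) ? "trivial joke" : "not trivial");
    return 0;
}
```

The point of the toggle is that the verdict on the buggy path does not depend on `observed` at all: any target, however good its ISN generator, is graded on the fixed table.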


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
