Re: Nmap Uptime Guessing

["Hans Nilsson" <hasse_gg () ftml net>]

Does Windows send TCP timestamps after Win XP SP2?

Either way it seems you can control it in the registry:
http://www.psc.edu/networking/projects/tcptune/OStune/winxp/winxp_stepbystep.html


On Tue, 03 Apr 2007 01:41:49 +0200, "Gisle Vanem" <giva () bgnett no> said:
> "J. Perrymon" <josh () packetfocus com> wrote:
>
> > How does Nmap determine uptime? From what I read this is returned from
> > the TCP stack and not ICMP? Or is it both..
>
> > From the tcp-option TCP_TIMESTAMP in rfc-1323.
> Specifically the 1st value in this option is 'ts_now', the 2nd is
> 'ts_echo'.
> But mind you, the 'ts_now' cannot be trusted to really be related to
> uptime. It's just a increasing milli-sec counter. What the starting value
> is, is highly variable.
>
> But the man himself said this a long time ago:
>
> <quote>
>   Nmap does several probes over a few seconds to determine how fast the
>   counter is incrementing.  Then it can extrapolate back to when the
>   counter was zero (generally boot time).  Nmap also used the timestamp
>   frequency it determines as part of OS fingerprinting.
> </quote>
>
> > How could you protect devices(Win, *nix)  in a DMZ from this?
>
> I'm not sure you can w/o a tcp-option rewrite proxy (if one such exists).
>
> --gv
>
> _______________________________________________
> Sent through the nmap-dev mailing list
> http://cgi.insecure.org/mailman/listinfo/nmap-dev
> Archived at http://SecLists.Org
-- 
  Hans Nilsson
  hasse_gg () ftml net

-- 
http://www.fastmail.fm - Choose from over 50 domains or use your own


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org