Nmap Development mailing list archives

Re: nmap questions - what is "tcpsequence index", "class" and how are they derived?


From: Brandon Enright <bmenrigh () ucsd edu>
Date: Wed, 20 Feb 2008 21:57:59 +0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Kathy,

I didn't see an answer to this so here goes:

In order to provide reliable, in-order delivery with performance
scaling, etc, TCP needs to use sequence numbers to keep track of
the data stream.

It turns out that if the first of these sequence numbers is predictable
all sorts of TCP attacks are opened up.  See Michal Zalewski's excellent
writeup on the subject http://lcamtuf.coredump.cx/newtcp/

As part of Nmap's OS fingerprinting, several sequence numbers are
analyzed to see if there is a (obvious) pattern to how they are
generated.

Here is example XML output:

<tcpsequence index="264" class="unknown class" difficulty="Good luck!" 
values="B70D64EC,D5FA08F,9C7B3F07,A24D55AB,A892F996,454D4CD4" />

The "index" attribute is an integer number that attempts to estimate
the difficulty of predicting another sequence number.  An index of 1 is
really really easy (Trivial Joke) and as the number increases the
difficulty increases.

The "class" attribute is a measure of what algorithm is being used.  If
each sequence number were 1 greater than the last the class would be
incremental.  If it were 64,000 greater than the last it would be 64k
rule, etc.

The "difficulty" attribute is an English name for the index number.
That is, there are a few classes, "Trivial Joke", "Worthy Challenge",
and "Good Luck".  There may be more but this is all from memory.  Each
of those names corresponds to some range of index numbers.  For
example, "Trivial Joke" might correspond to index >= 1 and <= 5.

The "values" attribute is the raw initial TCP sequence numbers (in hex)
of several TCP packets received from the target during the OS
fingerprinting.  It is these values that Nmap does all the math on to
determine the rest of the attributes.  The really nice thing about
including the raw numbers is that if some detectable flaw is ever found
in an OS's sequence generation, you can go back to previously recorded
values and run the modified algorithm to come up with new estimates for
the rest of the attributes.

Fyodor and others have put a lot of thought and effort into all of
this.  Much of which is well documented at http://nmap.org/osdetect/

Brandon


On Tue, 19 Feb 2008 12:55:57 +0000
Kathy Simm <kathys39 () hotmail com> wrote:


I'm working on a parser for xml output of nmap and I'm trying to
figure out exactly what the 3 items below really are and how
they are generated?  Can anyone enlighten me?  Thanks -

tcpsequence index
class
difficulty
values

I'm currently running nmap with -vv options and -oX xmlfilename.xml
options.  

Thank you-

Kathy

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.7 (GNU/Linux)

iD8DBQFHvKJuqaGPzAsl94IRAp68AJ4o8Ggiw66S1JJ+KM2UqSbsajz1PACdEe2W
inJu0gHGwxZ1rPIyxcEWH7k=
=xKHy
-----END PGP SIGNATURE-----

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
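As an added illustration for the parser question in this thread (this code is not part of the original mail and is not Nmap's own code), the following pulls the `<tcpsequence>` attributes out of a constructed, minimal Nmap XML snippet built around the element quoted above, converts the hex `values` to integers, and does the kind of after-the-fact arithmetic the raw ISNs allow: consecutive deltas taken modulo 2**32 (so a wrap past 0xFFFFFFFF does not masquerade as a huge negative jump) and their GCD, which exposes fixed increments such as +1 or +64000. The surrounding XML layout, the 192.0.2.10 address and the `obvious_pattern` heuristic are assumptions made here for the example; the heuristic is deliberately simple and is not Nmap's classification algorithm (that is documented at http://nmap.org/osdetect/).

```python
import xml.etree.ElementTree as ET
from functools import reduce
from math import gcd

# Constructed minimal Nmap XML wrapped around the <tcpsequence> element quoted
# in the mail above. A real -oX file carries many more elements under <host>;
# the address is a documentation-range placeholder, not a real target.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <tcpsequence index="264" class="unknown class" difficulty="Good luck!"
      values="B70D64EC,D5FA08F,9C7B3F07,A24D55AB,A892F996,454D4CD4"/>
  </host>
</nmaprun>
"""

SEQ_MOD = 1 << 32  # TCP sequence numbers are 32 bits wide and wrap around


def parse_tcpsequence(xml_text):
    """Return one dict per <tcpsequence> element found in Nmap XML output.

    'values' is a comma-separated list of hex initial sequence numbers (no 0x
    prefix); they are converted to ints so callers can do arithmetic on them.
    """
    root = ET.fromstring(xml_text)
    results = []
    for host in root.iter("host"):
        seq = host.find("tcpsequence")
        if seq is None:
            continue  # OS detection did not run or got too few responses
        addr_el = host.find("address")
        results.append({
            "addr": addr_el.get("addr") if addr_el is not None else None,
            "index": int(seq.get("index")),
            "class": seq.get("class"),
            "difficulty": seq.get("difficulty"),
            "values": [int(v, 16) for v in seq.get("values").split(",") if v],
        })
    return results


def isn_deltas(values):
    """Differences between consecutive ISNs, reduced modulo 2**32.

    Without the modulo, a sequence that wraps past 0xFFFFFFFF would yield a
    large negative step and hide an otherwise regular increment.
    """
    return [(b - a) % SEQ_MOD for a, b in zip(values, values[1:])]


def obvious_pattern(values):
    """Crude, illustrative pattern check over the raw ISNs (hypothetical).

    Not Nmap's algorithm. It only shows why keeping the raw 'values' is
    useful: the GCD of the consecutive deltas exposes fixed increments such
    as +1 or +64000, whereas random-looking ISNs give a GCD of 1.
    Returns (description, gcd_of_deltas).
    """
    deltas = isn_deltas(values)
    if not deltas:
        return "insufficient samples", 0
    g = reduce(gcd, deltas)
    if all(d == 0 for d in deltas):
        return "constant", 0
    if all(d == deltas[0] for d in deltas):
        return "fixed increment of %d" % deltas[0], g
    return "no fixed increment (gcd of deltas = %d)" % g, g


if __name__ == "__main__":
    for entry in parse_tcpsequence(SAMPLE_XML):
        print(entry["addr"], entry["index"], entry["class"], entry["difficulty"])
        print("deltas:", isn_deltas(entry["values"]))
        print("pattern:", obvious_pattern(entry["values"]))
```

Run it against a real `-oX` file by reading the file into `parse_tcpsequence` instead of `SAMPLE_XML`; hosts without a `<tcpsequence>` element (no OS detection, or too few responses) are skipped rather than raising.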
