Nmap Development mailing list archives
Re: Uptime estimates and TCP timestamp offsets
From: David Fifield <david () bamsoftware com>
Date: Mon, 18 Aug 2008 20:27:18 -0600
On Mon, Aug 18, 2008 at 09:36:25PM -0400, Michael Pattrick wrote:
On Mon, Aug 18, 2008 at 8:02 PM, David Fifield <david () bamsoftware com> wrote: -snip-I scanned a Mac OS X 10.5.4 machine moments after booting it up. I repeated the experiment four times, rebooting each time. I got Ignoring claimed uptime of 1219 days Ignoring claimed uptime of 1181 days Uptime: 644.073 days Ignoring claimed uptime of 871 daysWith the Debian Lenny kernel, I get: Uptime: 198.840 days (since Sat Feb 02 00:01:06 2008) Uptime: 199.637 days (since Fri Feb 01 04:55:34 2008) Uptime: 199.637 days (since Fri Feb 01 04:57:27 2008) Uptime: 198.838 days (since Sat Feb 02 00:10:15 2008)
Does it change to a different value after you reboot?
The real uptime should be less then one day, so something is clearly wrong. Assuming all major Linux, BSD, OSX, and Windows OS's randomize this then Nmap shouldn't include the information or should warn the user about how inaccurate it is.
It seems to be something new, or it probably would have been noticed earlier. The Linux patch I linked to was from February 2008. So far it was been seen in recent Linux 2.6 and in Mac OS X. I don't know about Windows.
However, it could be that Windows, a version of BSD, or some other major OS doesn't currently randomize this. In this hypothetical case OS detection could be used to determine if the uptime is good or not and display it based on that - defaulting to not display it. Though this may be difficult to code and error prone.
I thought of that too, and I agree it would be clunky and unreliable. Plus there is the problem of how to represent the information. It doesn't seem worth adding something to nmap-os-db to record if an OS is known to randomize its initial TCP timestamp. David Fifield _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://SecLists.Org
Current thread:
- Uptime estimates and TCP timestamp offsets David Fifield (Aug 18)
- Re: Uptime estimates and TCP timestamp offsets Arturo 'Buanzo' Busleiman (Aug 18)
- Re: Uptime estimates and TCP timestamp offsets David Fifield (Aug 18)
- Re: Uptime estimates and TCP timestamp offsets Michael Pattrick (Aug 18)
- Re: Uptime estimates and TCP timestamp offsets David Fifield (Aug 18)
- Re: Uptime estimates and TCP timestamp offsets Michael Pattrick (Aug 18)
- Re: Uptime estimates and TCP timestamp offsets Brandon Enright (Aug 18)
- Re: Uptime estimates and TCP timestamp offsets David Fifield (Aug 18)
- RE: Uptime estimates and TCP timestamp offsets Dario Ciccarone (dciccaro) (Aug 18)
- Re: Uptime estimates and TCP timestamp offsets David Fifield (Aug 18)
- Re: Uptime estimates and TCP timestamp offsets David Fifield (Aug 18)
- Re: Uptime estimates and TCP timestamp offsets David Fifield (Aug 18)
- Re: Uptime estimates and TCP timestamp offsets David Fifield (Aug 19)
- Re: Uptime estimates and TCP timestamp offsets Michael Pattrick (Aug 19)
- Re: Uptime estimates and TCP timestamp offsets Brandon Enright (Aug 19)
- Re: Uptime estimates and TCP timestamp offsets Michael Pattrick (Aug 19)
- Re: Uptime estimates and TCP timestamp offsets David Fifield (Aug 26)
- Re: Uptime estimates and TCP timestamp offsets Arturo 'Buanzo' Busleiman (Aug 18)