Nmap Development mailing list archives

Re: Uptime estimates and TCP timestamp offsets

From: David Fifield <david () bamsoftware com>
Date: Mon, 18 Aug 2008 20:27:18 -0600

On Mon, Aug 18, 2008 at 09:36:25PM -0400, Michael Pattrick wrote:

On Mon, Aug 18, 2008 at 8:02 PM, David Fifield <david () bamsoftware com> wrote:
-snip-

I scanned a Mac OS X 10.5.4 machine moments after booting it up. I
repeated the experiment four times, rebooting each time. I got

       Ignoring claimed uptime of 1219 days
       Ignoring claimed uptime of 1181 days
       Uptime: 644.073 days
       Ignoring claimed uptime of 871 days


With the Debian Lenny kernel, I get:
Uptime: 198.840 days (since Sat Feb 02 00:01:06 2008)
Uptime: 199.637 days (since Fri Feb 01 04:55:34 2008)
Uptime: 199.637 days (since Fri Feb 01 04:57:27 2008)
Uptime: 198.838 days (since Sat Feb 02 00:10:15 2008)


Does it change to a different value after you reboot?

The real uptime should be less then one day, so something is clearly
wrong. Assuming all major Linux, BSD, OSX, and Windows OS's randomize
this then Nmap shouldn't include the information or should warn the
user about how inaccurate it is.


It seems to be something new, or it probably would have been noticed
earlier. The Linux patch I linked to was from February 2008. So far it
was been seen in recent Linux 2.6 and in Mac OS X. I don't know about
Windows.

However, it could be that Windows, a version of BSD, or some other
major OS doesn't currently randomize this. In this hypothetical case
OS detection could be used to determine if the uptime is good or not
and display it based on that - defaulting to not display it. Though
this may be difficult to code and error prone.


I thought of that too, and I agree it would be clunky and unreliable.
Plus there is the problem of how to represent the information. It
doesn't seem worth adding something to nmap-os-db to record if an OS is
known to randomize its initial TCP timestamp.

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org

Current thread:

Uptime estimates and TCP timestamp offsets David Fifield (Aug 18)
- Re: Uptime estimates and TCP timestamp offsets Arturo 'Buanzo' Busleiman (Aug 18)
  - Re: Uptime estimates and TCP timestamp offsets David Fifield (Aug 18)
- Re: Uptime estimates and TCP timestamp offsets Michael Pattrick (Aug 18)
  - Re: Uptime estimates and TCP timestamp offsets David Fifield (Aug 18)
    - Re: Uptime estimates and TCP timestamp offsets Michael Pattrick (Aug 18)
  - Re: Uptime estimates and TCP timestamp offsets Brandon Enright (Aug 18)
- RE: Uptime estimates and TCP timestamp offsets Dario Ciccarone (dciccaro) (Aug 18)
  - Re: Uptime estimates and TCP timestamp offsets David Fifield (Aug 18)
    - Re: Uptime estimates and TCP timestamp offsets David Fifield (Aug 18)
- Re: Uptime estimates and TCP timestamp offsets David Fifield (Aug 19)
  - Re: Uptime estimates and TCP timestamp offsets Michael Pattrick (Aug 19)
    - Re: Uptime estimates and TCP timestamp offsets Brandon Enright (Aug 19)
- Re: Uptime estimates and TCP timestamp offsets David Fifield (Aug 26)