Nmap Development mailing list archives
Re: Uptime estimates and TCP timestamp offsets
From: David Fifield <david () bamsoftware com>
Date: Tue, 26 Aug 2008 15:32:30 -0600
On Mon, Aug 18, 2008 at 06:02:58PM -0600, David Fifield wrote:
> What do we do? Nmap already throws out very long uptimes, but a plausible uptime (like scanme's 47 days) can still be wrong. I don't think there's a way to detect an operating system adding a random offset to its timestamps, unless you scan across boots. Even though it can be fooled, the uptime calculation isn't useless--it still works for most OSs out there. Maybe just label it "Uptime guess"?
Because the uptime estimation can be completely inaccurate but it is still useful in many cases, "Uptime" is now "Uptime guess" and it's printed only in verbose mode.

The issue with scanme appears to have been a simple counter overflow, not SYN cookies or anything like that.

Mac OS X does randomize its initial TCP timestamp for the express purpose of frustrating attempts to learn the uptime. The patch and announcement are

http://lists.apple.com/archives/publicsource-modifications/2002/Jul/msg00001.html
http://lists.apple.com/archives/security-announce/2003/Oct/msg00001.html

It appears that OpenBSD used to do this but doesn't any more.

David Fifield
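An added example, not part of the original message and not Nmap's code, of how a timestamp-based uptime guess can be plausible yet wrong in the two cases the thread discusses: a 32-bit counter overflow and a boot-time offset. The function names, the candidate tick rates and the sample hosts are assumptions constructed for this illustration.

```python
TS_MOD = 2 ** 32                            # TSval is a 32-bit field, so it wraps
CANDIDATE_HZ = (2, 10, 100, 200, 250, 1000)  # assumed tick rates to snap to

def tsval_at(true_uptime_s, hz, offset=0):
    """TSval a host would send: ticks since boot plus a boot-time offset, mod 2^32."""
    return (int(true_uptime_s * hz) + offset) % TS_MOD

def probe(true_uptime_s, hz, offset=0, interval=0.1, count=6):
    """Constructed probe series of (local_time_s, tsval) pairs."""
    return [(i * interval, tsval_at(true_uptime_s + i * interval, hz, offset))
            for i in range(count)]

def estimate_hz(samples):
    """Estimate the tick rate from the first and last sample, then snap it."""
    (t0, v0), (t1, v1) = samples[0], samples[-1]
    delta = (v1 - v0) % TS_MOD              # tolerate a wrap between probes
    raw = delta / (t1 - t0)
    return min(CANDIDATE_HZ, key=lambda hz: abs(hz - raw) / hz)

def uptime_guess_days(samples):
    """Scanner-side guess: treat the last TSval as ticks since boot."""
    return samples[-1][1] / estimate_hz(samples) / 86400

def wrap_period_days(hz):
    """Longest uptime a 32-bit counter can represent at this tick rate."""
    return TS_MOD / hz / 86400

if __name__ == "__main__":
    cases = {
        "no wrap, no offset (3 days, 100 Hz)": probe(3 * 86400, 100),
        "counter overflow (60 days, 1000 Hz)": probe(60 * 86400, 1000),
        "random offset (3 days, 100 Hz)": probe(3 * 86400, 100, offset=1_500_000_000),
    }
    for label, samples in cases.items():
        hz = estimate_hz(samples)
        print(f"{label}: hz={hz}, guess={uptime_guess_days(samples):.2f} days, "
              f"wraps every {wrap_period_days(hz):.2f} days")
```

The tick rate is recovered correctly in all three cases because it depends only on the difference between samples; only the absolute value is unreliable, which is why a single scan cannot tell a wrapped or offset counter from a genuine uptime.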