Penetration Testing mailing list archives

Re: Getting a Machines Uptime Remotely


From: Erik Kamerling <ekamerling () snaplen com>
Date: Sun, 5 Feb 2006 16:34:41 -0500

Hi Robert,

On Friday 03 February 2006 05:56, Pete Herzog wrote:
Windows, however, does not provide timestamp information in TCP and
rarely in the timestamp option of ICMP (nmap can request this as -PP).

However, you can get a Windows machine to *start* timestamping if you have 
control of a machine that the Win box connects to, or can act in a MiTM 
capacity. Kohno, Broido, and Claffy use this technique in their "Remote 
Physical Device Fingerprinting" paper. It's an intentional divergence from 
RFC 1323 AFAIK. 

You can do this as follows:

We'll masquerade as a HTTP server in this instance. Located at 10.10.10.6. The 
Windows machine is 10.10.10.4

10.10.10.4 makes a request to the web server. The port pairings are 2573 and 
80.

10.10.10.4 2573-->80 [SYN] Seq=2462637611 Ack=0
10.10.10.6 80-->2573 [SYN-ACK] Seq=1 Ack=2462637612 TSV=3962233894 TSER=0
*we turned on timestamp on the SYN-ACK
10.10.10.4 2573-->80 [ACK] Seq=2462637612 Ack=2 TSV=846843 TSER=3962233894
*windows responds by starting to timestamp

Here is a simplified capture of forcing a timestamp to go on.

No.     Time        Source                Destination           Protocol Info
      1 0.000000    10.10.10.4            10.10.10.6            TCP      2573 
http [SYN] Seq=2462637611 Ack=0 Win=16384 Len=0 MSS=1460
      2 2.922695    10.10.10.4            10.10.10.6            TCP      2573 
http [SYN] Seq=2462637611 Ack=0 Win=16384 Len=0 MSS=1460
      3 8.932076    10.10.10.4            10.10.10.6            TCP      2573 
http [SYN] Seq=2462637611 Ack=0 Win=16384 Len=0 MSS=1460
      4 15.136534   10.10.10.6            10.10.10.4            TCP      http 
2573 [SYN, ACK] Seq=1 Ack=2462637612 Win=512 Len=0 TSV=3962233894 TSER=0
      5 15.138599   10.10.10.4            10.10.10.6            TCP      2573 
http [ACK] Seq=2462637612 Ack=2 Win=16616 Len=0 TSV=846843 TSER=3962233894
      6 15.140258   10.10.10.4            10.10.10.6            HTTP     GET / 
HTTP/1.1
      7 27.059106   10.10.10.4            10.10.10.6            HTTP     GET / 
HTTP/1.1

Note that three retransmitted SYNs came in before I could get the proper Seq 
number written in and sent on its way. (you could easily script it to save 
yourself the scramble) But once the proper Seq num was sent along on a 
SYN-ACK with tcp timestamp activated, the Windows box starts stamping. It 
even continues to stamp through its two subsequent GETs. Turn it on and it 
stays on, it seems.

You could most easily accomplish this with hping, scapy, or some similar tool. 
Just wait until the target machine makes a connection to you, read the Seq 
number on the SYN and then craft a properly sequenced response with the 
timestamp flag set on.

Like this.

Wait until the SYN comes in and record the Seq number. Now put it into a 
SYN-ACK response with hping, incrementing by one, and don't forget 
[--tcp-timestamp]. You only need to send one packet [-c 1].
 
[test@timestamper]# /usr/sbin/hping 10.10.10.4 -SA -p 2573 -s 80 -M 1 -L 
2462637612 -c 1 --tcp-timestamp
HPING 10.10.10.4 (eth0 10.10.10.4): SA set, 40 headers + 0 data bytes
len=52 ip=10.10.10.4 ttl=128 DF id=20272 sport=2573 flags=A seq=0 win=16616 
rtt=70.8 ms
  TCP timestamp: tcpts=846843

--- 10.10.10.4 hping statistic ---
1 packets tramitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 70.8/70.8/70.8 ms
[test@timestamper]#

Here is a dump of this hping derived packet:

Transmission Control Protocol, Src Port: http (80), Dst Port: 2573 (2573), 
Seq: 1, Ack: 2462637612, Len: 0
    Source port: http (80)
    Destination port: 2573 (2573)
    Sequence number: 1
    Acknowledgement number: 2462637612
    Header length: 32 bytes
    Flags: 0x0012 (SYN, ACK)
    Window size: 512
    Checksum: 0x00f9 [correct]
    Options: (12 bytes)
        NOP
        NOP
        Time stamp: tsval 3962233894, tsecr 0

And here is the response from the Windows machine:

Transmission Control Protocol, Src Port: 2573 (2573), Dst Port: http (80), 
Seq: 2462637612, Ack: 2, Len: 0
    Source port: 2573 (2573)
    Destination port: http (80)
    Sequence number: 2462637612
    Acknowledgement number: 2
    Header length: 32 bytes
    Flags: 0x0010 (ACK)
    Window size: 16616
    Checksum: 0xd609 [correct]
    Options: (12 bytes)
        NOP
        NOP
        Time stamp: tsval 846843, tsecr 3962233894

Note a timestamp value and a timestamp echo reply.

It helps if you are silently dropping ingress SYNs on the machine that you 
perform this test on. Make sure you don't have a legitimate listening daemon 
(HTTPD in this case) that will try to finish the handshake before you can do 
this. 

This was done on a LAN, but you should be able to locate a machine in an 
enclave or anywhere really and still accomplish this maneuver.

Here's a good article on counting machines behind a NAT using timestamp. It 
also contains an informative section on calculating uptime by Tsval.

http://www.phrack.org/show.php?p=63&a=3 
"TCP Timestamp To count Hosts behind NAT"

Hope this helps.

Erik Kamerling 
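As an added example (not part of Erik's post, and not hping or scapy code), the following Python reconstructs the two segments dumped above byte for byte: it builds the hping SYN-ACK with the NOP, NOP, Timestamp option, computes the TCP checksum over the IPv4 pseudo-header, walks the options on the Windows reply to pull out TSval/TSecr, and turns a TSval into an uptime estimate. The checksums it produces can be compared against the 0x00f9 and 0xd609 in the dumps, which is a handy way to confirm a hand-built header is right before putting it on the wire. The second timestamp sample (TSval 846962 on the GET at 27.059106 s) is constructed, since the post does not show it, so the 10 Hz clock rate that falls out is an assumption of the example; against a real target the rate has to be measured from several captured TSvals, as the Phrack article describes. Function names are the example's own.

```python
import struct
from ipaddress import IPv4Address

# TCP flag bits and option kinds used below.
SYN, ACK = 0x02, 0x10
OPT_EOL, OPT_NOP, OPT_TIMESTAMP = 0, 1, 8

# Values taken from the two packet dumps in the post.
SERVER_IP, CLIENT_IP = "10.10.10.6", "10.10.10.4"
CLIENT_SEQ = 2462637612          # Seq on the Windows SYN
OUR_TSVAL = 3962233894           # TSval hping put on the SYN-ACK
WIN_TSVAL = 846843               # TSval Windows answered with


def _ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """Checksum over the IPv4 pseudo-header plus the segment (checksum field zeroed)."""
    pseudo = struct.pack("!4s4sBBH", IPv4Address(src_ip).packed,
                         IPv4Address(dst_ip).packed, 0, 6, len(segment))
    return (~_ones_complement_sum(pseudo + segment)) & 0xFFFF


def build_tcp_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, window,
                      tsval, tsecr) -> bytes:
    """Data-less TCP segment carrying NOP, NOP, Timestamp (kind 8, len 10):
    the 32-byte header hping produced with --tcp-timestamp."""
    options = struct.pack("!BBBBII", OPT_NOP, OPT_NOP, OPT_TIMESTAMP, 10, tsval, tsecr)
    data_offset = (20 + len(options)) // 4           # 8 words = 32 bytes
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                         data_offset << 4, flags, window, 0, 0)
    segment = header + options
    csum = tcp_checksum(src_ip, dst_ip, segment)
    return segment[:16] + struct.pack("!H", csum) + segment[18:]


def segment_checksum(segment: bytes) -> int:
    """Read the checksum field so it can be compared with a capture."""
    return int.from_bytes(segment[16:18], "big")


def parse_timestamp_option(segment: bytes):
    """Walk the TCP options; return (tsval, tsecr), or None if the peer did not stamp."""
    data_offset = (segment[12] >> 4) * 4
    opts = segment[20:data_offset]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:   # truncated or malformed option
            break
        length = opts[i + 1]
        if kind == OPT_TIMESTAMP and length == 10 and i + 10 <= len(opts):
            return struct.unpack("!II", opts[i + 2:i + 10])
        i += length
    return None


def estimate_hz(samples) -> float:
    """Tick rate of the peer's timestamp clock from (capture_time_s, tsval) pairs."""
    (t0, v0), (t1, v1) = samples[0], samples[-1]
    return ((v1 - v0) & 0xFFFFFFFF) / (t1 - t0)


def uptime_seconds(tsval: int, hz: float) -> float:
    """Seconds since the timestamp clock started, assuming it was zero at boot."""
    return tsval / hz


if __name__ == "__main__":
    syn_ack = build_tcp_segment(SERVER_IP, CLIENT_IP, 80, 2573, 1, CLIENT_SEQ + 1,
                                SYN | ACK, 512, OUR_TSVAL, 0)
    print("SYN-ACK checksum 0x%04x (capture: 0x00f9)" % segment_checksum(syn_ack))
    reply = build_tcp_segment(CLIENT_IP, SERVER_IP, 2573, 80, CLIENT_SEQ + 1, 2,
                              ACK, 16616, WIN_TSVAL, OUR_TSVAL)
    print("reply checksum 0x%04x (capture: 0xd609)" % segment_checksum(reply))
    print("reply timestamps:", parse_timestamp_option(reply))
    # CONSTRUCTED second sample: the post does not show the TSval on the later GET.
    samples = [(15.138599, WIN_TSVAL), (27.059106, 846962)]
    hz = estimate_hz(samples)
    print("estimated clock %.2f Hz, uptime ~%.0f s" % (hz, uptime_seconds(WIN_TSVAL, round(hz))))
```

The uptime figure is only as good as the clock-rate estimate and the assumption that the peer's timestamp clock started at zero when the host booted; take several TSval samples spread over minutes before trusting the rate, and remember that a 32-bit TSval wraps, which the subtraction above tolerates for a single wrap but an absolute uptime does not.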


