Penetration Testing mailing list archives
Re: Getting a Machines Uptime Remotely
From: Erik Kamerling <ekamerling () snaplen com>
Date: Sun, 5 Feb 2006 16:34:41 -0500
Hi Robert,

On Friday 03 February 2006 05:56, Pete Herzog wrote:

> Windows, however, does not provide timestamp information in TCP and rarely in the timestamp option of ICMP (nmap can request this as -PP).

However, you can get a Windows machine to *start* timestamping if you have control of a machine that the Win box connects to, or can act in a MiTM capacity. Kohno, Broido, and Claffy use this technique in their "Remote Physical Device Fingerprinting" paper. It's an intentional divergence from RFC 1323 AFAIK. You can do this as follows:

We'll masquerade as an HTTP server in this instance, located at 10.10.10.6. The Windows machine is 10.10.10.4. 10.10.10.4 makes a request to the web server. The port pairings are 2573 and 80.

10.10.10.4 2573-->80 [SYN] Seq=2462637611 Ack=0
10.10.10.6 80-->2573 [SYN-ACK] Seq=1 Ack=2462637612 TSV=3962233894 TSER=0
    *we turned on timestamp on the SYN-ACK
10.10.10.4 2573-->80 [ACK] Seq=2462637612 Ack=2 TSV=846843 TSER=3962233894
    *windows responds by starting to timestamp

Here is a simplified capture of forcing a timestamp to go on.

No. Time       Source      Destination Protocol Info
1   0.000000   10.10.10.4  10.10.10.6  TCP   2573 > http [SYN] Seq=2462637611 Ack=0 Win=16384 Len=0 MSS=1460
2   2.922695   10.10.10.4  10.10.10.6  TCP   2573 > http [SYN] Seq=2462637611 Ack=0 Win=16384 Len=0 MSS=1460
3   8.932076   10.10.10.4  10.10.10.6  TCP   2573 > http [SYN] Seq=2462637611 Ack=0 Win=16384 Len=0 MSS=1460
4   15.136534  10.10.10.6  10.10.10.4  TCP   http > 2573 [SYN, ACK] Seq=1 Ack=2462637612 Win=512 Len=0 TSV=3962233894 TSER=0
5   15.138599  10.10.10.4  10.10.10.6  TCP   2573 > http [ACK] Seq=2462637612 Ack=2 Win=16616 Len=0 TSV=846843 TSER=3962233894
6   15.140258  10.10.10.4  10.10.10.6  HTTP  GET / HTTP/1.1
7   27.059106  10.10.10.4  10.10.10.6  HTTP  GET / HTTP/1.1

Note that three retransmitted SYNs came in before I could get the proper Seq number written in and sent on its way (you could easily script it to save yourself the scramble). But once the proper Seq num was sent along on a SYN-ACK with TCP timestamp activated, the Windows box starts stamping. It even continues to stamp through its two subsequent GETs. Turn it on and it stays on, it seems.

You could most easily accomplish this with hping, scapy, or some similar tool. Just wait until the target machine makes a connection to you, read the Seq number on the SYN and then craft a properly sequenced response with the timestamp flag set on. Like this:

Wait until the SYN comes in and record the Seq number. Now put it into a SYN-ACK response with hping, incrementing by one, and don't forget [--tcp-timestamp]. You only need to send one packet [-c 1].

[test@timestamper]# /usr/sbin/hping 10.10.10.4 -SA -p 2573 -s 80 -M 1 -L 2462637612 -c 1 --tcp-timestamp
HPING 10.10.10.4 (eth0 10.10.10.4): SA set, 40 headers + 0 data bytes
len=52 ip=10.10.10.4 ttl=128 DF id=20272 sport=2573 flags=A seq=0 win=16616 rtt=70.8 ms
  TCP timestamp: tcpts=846843

--- 10.10.10.4 hping statistic ---
1 packets tramitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 70.8/70.8/70.8 ms
[test@timestamper]#

Here is a dump of this hping derived packet:

Transmission Control Protocol, Src Port: http (80), Dst Port: 2573 (2573), Seq: 1, Ack: 2462637612, Len: 0
    Source port: http (80)
    Destination port: 2573 (2573)
    Sequence number: 1
    Acknowledgement number: 2462637612
    Header length: 32 bytes
    Flags: 0x0012 (SYN, ACK)
    Window size: 512
    Checksum: 0x00f9 [correct]
    Options: (12 bytes)
        NOP
        NOP
        Time stamp: tsval 3962233894, tsecr 0

And here is the response from the Windows machine:

Transmission Control Protocol, Src Port: 2573 (2573), Dst Port: http (80), Seq: 2462637612, Ack: 2, Len: 0
    Source port: 2573 (2573)
    Destination port: http (80)
    Sequence number: 2462637612
    Acknowledgement number: 2
    Header length: 32 bytes
    Flags: 0x0010 (ACK)
    Window size: 16616
    Checksum: 0xd609 [correct]
    Options: (12 bytes)
        NOP
        NOP
        Time stamp: tsval 846843, tsecr 3962233894

Note a timestamp value and a timestamp echo reply.

It helps if you are silently dropping ingress SYNs on the machine that you perform this test on. Make sure you don't have a legitimate listening daemon (HTTPD in this case) that will try to finish the handshake before you can do this.

This was done on a LAN, but you should be able to locate a machine in an enclave or anywhere really and still accomplish this maneuver.

Here's a good article on counting machines behind a NAT using timestamp. It also contains an informative section on calculating uptime by Tsval.

http://www.phrack.org/show.php?p=63&a=3 "TCP Timestamp To count Hosts behind NAT"

Hope this helps.

Erik Kamerling
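As an added example (not part of Erik's post, hping or any tool he mentions), the Python below parses raw TCP header bytes for the SYN / SYN-ACK / ACK exchange above, flags the RFC 1323 divergence the post relies on (a SYN-ACK carrying a timestamp option when the client's SYN offered none), which a sensor could alert on as a fingerprinting attempt, and estimates tick rate and uptime from a series of TSval samples, the calculation the Phrack article covers. The header builder, the sample series and its 100 Hz slope are constructed assumptions, not values from the post.

```python
import struct

TCP_SYN, TCP_ACK = 0x02, 0x10

def parse_tcp(seg: bytes) -> dict:
    """Parse a raw TCP header (no IP header): ports, seq/ack, flags and the
    timestamp option (tsval, tsecr) if one is present."""
    sport, dport, seq, ack, off_flags, win = struct.unpack("!HHIIHH", seg[:16])
    hlen = (off_flags >> 12) * 4
    opts, i, ts = seg[20:hlen], 0, None
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                      # End of Option List
            break
        if kind == 1:                      # NOP (single byte, no length)
            i += 1
            continue
        length = opts[i + 1]
        if kind == 8 and length == 10:     # Timestamps option (RFC 1323)
            ts = struct.unpack("!II", opts[i + 2:i + 10])
        i += length
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": off_flags & 0x1FF, "win": win, "ts": ts}

def forced_timestamp(syn: dict, synack: dict) -> bool:
    """True when a SYN-ACK carries a timestamp option although the SYN offered
    none: RFC 1323 only permits TS on the SYN-ACK if the SYN had it."""
    is_syn = (syn["flags"] & (TCP_SYN | TCP_ACK)) == TCP_SYN
    is_synack = (synack["flags"] & (TCP_SYN | TCP_ACK)) == (TCP_SYN | TCP_ACK)
    return is_syn and is_synack and syn["ts"] is None and synack["ts"] is not None

def build_tcp(sport, dport, seq, ack, flags, win, ts=None) -> bytes:
    """Assemble a constructed TCP header (checksum left zero). NOP NOP padding
    puts the 10-byte TS option on a 4-byte boundary, as in the dump above."""
    opts = b"" if ts is None else b"\x01\x01" + struct.pack("!BBII", 8, 10, *ts)
    hlen = 20 + len(opts)
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                       ((hlen // 4) << 12) | flags, win, 0, 0) + opts

def estimate_uptime(samples):
    """samples: [(capture_time_s, tsval), ...] from one host. Tick rate is the
    TSval slope over wall time; uptime is tsval / hz (assumes no wrap-around)."""
    (t0, v0), (t1, v1) = samples[0], samples[-1]
    if t1 <= t0:
        return None
    hz = (v1 - v0) / (t1 - t0)
    return hz, v1 / hz
```

With a 100 Hz clock (assumed for the constructed samples) the tsval 846843 seen in the capture would mean roughly 8468 seconds since the stack's timestamp clock started; a real estimate needs several samples spread over time to pin down the slope.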
Current thread:
- Getting a Machines Uptime Remotely Holstein, Robert - BLS CTR (Feb 02)
- Re: Getting a Machines Uptime Remotely Steve Friedl (Feb 02)
- Re: Getting a Machines Uptime Remotely Bojan Zdrnja (Feb 04)
- RE: Getting a Machines Uptime Remotely Paul Melson (Feb 05)
- RE: Getting a Machines Uptime Remotely drm (Feb 05)
- <Possible follow-ups>
- RE: Getting a Machines Uptime Remotely Holstein, Robert - BLS CTR (Feb 02)
- Re: Getting a Machines Uptime Remotely Pete Herzog (Feb 05)
- Re: Getting a Machines Uptime Remotely Erik Kamerling (Feb 05)
- Re: Getting a Machines Uptime Remotely Bojan Zdrnja (Feb 05)
- Re: Getting a Machines Uptime Remotely Pete Herzog (Feb 05)
- Re: Getting a Machines Uptime Remotely ROB DIXON (Feb 05)
- RE: Getting a Machines Uptime Remotely Ray Sawyer (Feb 05)