Penetration Testing mailing list archives
Re: Getting a Machines Uptime Remotely
From: Bojan Zdrnja <bojan.zdrnja () gmail com>
Date: Mon, 6 Feb 2006 11:42:05 +1300
Hi Pete,

On 2/3/06, Pete Herzog <lists () isecom org> wrote:
> Hi, The UPTIME is from the Timestamp of a TCP packet. If you know the OS you can figure out the uptime from the number of milliseconds in the timestamp. Windows, however, does not provide timestamp information in TCP and rarely in the timestamp option of ICMP (nmap can request this as -PP).

Windows will provide TCP timestamp information, but only after the three-way handshake has been established and a packet has been sent to the remote machine (when it replies, it will set the TCP timestamp option).

Now, I've seen conflicting reports of what this number is set to. Some reports said that it's a random number, some reports say it's set to 0 when the system reboots. Also, different reports mention different resolution (some say it's number of ticks in 100 ms).

I just tested this on my laptop (Windows XP SP2), by issuing a connection to port 135 (firewall is turned off for the test). In one window, on a remote machine, I just set up tcpdump with a filter for packets coming from 192.168.0.2 (my laptop), with the A flag on (remember, Windows will not send anything during the three-way handshake):

    $ tcpdump -nn 'src host 192.168.0.2 and tcp port 135 and (tcp[13] = 0x10)'

In the other window just telnet to 192.168.0.2 port 135. After the connection is established, enter any bogus data:

    $ telnet 192.168.0.2 135
    Trying 192.168.0.2...
    Connected to 192.168.0.2.
    Escape character is '^]'.
    asd
    ^]
    telnet> q
    Connection closed.

Tcpdump will capture a packet:

    11:37:08.648979 IP 192.168.0.2.135 > 192.168.0.200.53756: . ack 3451813541 win 65530 <nop,nop,timestamp 58376 627862633>

First timestamp is generated by the Windows machine. 58376 looks to me like a clock with 10ms resolution. This would make machine uptime of 97.29 minutes, which is 1 hour and 37 minutes.

Uptime.exe on my Windows machine says:

    D:\>uptime.exe
    \\LAPTOP has been up for: 0 day(s), 1 hour(s), 41 minute(s), 12 second(s)

I would be curious if people can test this on other machines so we can determine if this can be used to calculate remote uptime on Windows machines (I have only one Windows machine at home).

Cheers,
Bojan
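
The calculation discussed in the message above, as an added example that is not part of the original post: it extracts the sender's timestamp value from a tcpdump text line and shows the uptime each candidate tick length would imply, then picks the candidate closest to a locally reported uptime. The candidate tick lengths and all function names are assumptions made for illustration; for the captured value 58376, a 100 ms tick gives 97.29 minutes and a 10 ms tick gives 9.73 minutes.

```python
import re

# Sample input constructed from the tcpdump line quoted in the post.
SAMPLE_LINE = ("11:37:08.648979 IP 192.168.0.2.135 > 192.168.0.200.53756: "
               ". ack 3451813541 win 65530 "
               "<nop,nop,timestamp 58376 627862633>")

# Candidate tick lengths in ms: assumed values to compare against each
# other, not documented per-OS constants.
CANDIDATE_TICKS_MS = (1, 10, 100, 500)

# Older tcpdump prints "timestamp 58376 627862633"; newer builds print
# "TS val 58376 ecr 627862633". Accept both.
TS_RE = re.compile(r"(?:timestamp|TS val)\s+(\d+)\s+(?:ecr\s+)?(\d+)")

def parse_tsval(line):
    """Return (tsval, tsecr) from a tcpdump text line, or None if absent."""
    m = TS_RE.search(line)
    return (int(m.group(1)), int(m.group(2))) if m else None

def uptime_candidates(tsval, ticks_ms=CANDIDATE_TICKS_MS):
    """Map each candidate tick length (ms) to the uptime in seconds it implies.

    Only meaningful if the counter starts at 0 on boot and has not
    wrapped (the TCP timestamp field is 32 bits wide).
    """
    return {t: tsval * t / 1000.0 for t in ticks_ms}

def best_tick(tsval, reported_uptime_s, ticks_ms=CANDIDATE_TICKS_MS):
    """Return (tick_ms, error_s) for the candidate whose implied uptime is
    closest to an uptime read on the host itself (e.g. uptime.exe)."""
    cands = uptime_candidates(tsval, ticks_ms)
    tick = min(cands, key=lambda t: abs(cands[t] - reported_uptime_s))
    return tick, abs(cands[tick] - reported_uptime_s)

def fmt(seconds):
    """Format a duration in seconds as 'Hh Mm Ss'."""
    s = int(seconds)
    return f"{s // 3600}h {s % 3600 // 60}m {s % 60}s"

if __name__ == "__main__":
    tsval, _ = parse_tsval(SAMPLE_LINE)
    for tick, secs in uptime_candidates(tsval).items():
        print(f"{tick:>4} ms/tick -> {fmt(secs)}")
    reported = 1 * 3600 + 41 * 60 + 12  # uptime.exe reading from the post
    print("closest candidate (tick ms, error s):", best_tick(tsval, reported))
```

A single sample cannot separate the tick length from a non-zero starting value; two captures taken a known interval apart give the tick length directly from the difference in the timestamp values.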