
Bugtraq mailing list archives

Re: TCP Timestamping and Remotely gathering uptime information


From: Fyodor <fyodor () INSECURE ORG>
Date: Wed, 14 Mar 2001 00:30:29 -0800

On Tue, 13 Mar 2001, Bret wrote:

          TCP Timestamping - Obtaining System Uptime Remotely
                 By Bret McDanel bret () rehost com
                           March 11, 2001
[ CUT ]

I did my testing under linux, and in order to easily retrieve the remote
Timestamp I had to make a small kernel change.

Your report provides an excellent description (and background) of the
problem.  But for people who want to explore this without kernel
recompilation and for those who aren't using Linux, I would like to add
that this remote-uptime capability has been available to Nmap users (using
raw TCP packets) for more than a month.  Troels Walsted Hansen posted a
patch to the nmap-dev list on Feb. 3 [1].  I have also included my own
implementation in the last few Nmap releases.  Nmap is available for free
download (with source) at http://www.insecure.org/nmap/ .  Grab version
2.54BETA22 .

Another under-exploited TCP/IP property is IP.ID prediction.  Antirez and
others have posted in recent years about the fun you can have with systems
that simply increment this field for each packet sent.  Yet most operating
systems remain vulnerable.  Recent versions of Nmap will report on this
with the "-O -v" options.

One other known TCP/IP sequencing problem is ISN prediction.  Over the
years this hole has been gradually declining.  Lately we have seen that
even Cisco has begun to recognize the problem!  But there are still plenty
of susceptible machines out there.  Nmap offers a report on this as well
(not a new feature).

Here is a simple usage example (some verbose output elided):

amy~#nmap -sS -O -F -v ssh.com

Starting nmap V. 2.54BETA22 ( www.insecure.org/nmap/ )
Interesting ports on www.fi.ssh.com (193.64.193.132):
(The 1082 ports scanned but not shown below are in state: closed)
Port       State       Service
22/tcp     open        ssh
53/tcp     open        domain
80/tcp     open        http
6001/tcp   open        X11:1

Remote operating system guess: NetBSD 1.3 - 1.3.3 little endian arch
Uptime 320.671 days (since Thu Apr 27 09:03:19 2000)
TCP Sequence Prediction: Class=random positive increments
                         Difficulty=182669 (Good luck!)
IPID Sequence Generation: Incremental

Nmap run completed -- 1 IP address (1 host up) scanned in 15 seconds
amy~#


Anyway, sorry to plug my own software.  But I thought some people
might find this useful.

Cheers,
Fyodor

[1] http://lists.insecure.org/nmap-dev/2001/Jan-Mar/0006.html
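To make the two checks in the Nmap report above concrete, here is an added Python sketch for auditing your own hosts; it is not Nmap's code, nor the post's or the referenced patch's. The sample timestamp readings and IP ID sequences are constructed, and the list of common tick rates and the IP ID thresholds are assumptions, not Nmap's actual algorithm.

```python
"""Simplified versions of two checks the Nmap output above reports:
estimating remote uptime from TCP timestamp option values, and classifying
an IP ID sequence.  Sample data is constructed; thresholds are assumptions."""

COMMON_HZ = (2, 10, 100, 250, 1000)   # assumed list of common timestamp tick rates


def estimate_uptime(samples):
    """samples: list of (wall_clock_seconds, tsval) read from the remote host's
    TCP timestamp option over time.  Returns (hz, uptime_seconds, boot_time).

    The remote counter ticks at an unknown fixed rate; measuring how far tsval
    advances over a known wall-clock interval recovers that rate, and dividing
    the latest tsval by it gives seconds since the counter started (boot)."""
    if len(samples) < 2:
        raise ValueError("need at least two samples to measure the tick rate")
    (t0, ts0), (t1, ts1) = samples[0], samples[-1]
    if t1 <= t0 or ts1 <= ts0:
        raise ValueError("samples must increase in both wall time and tsval")
    raw_hz = (ts1 - ts0) / (t1 - t0)
    # Snap to the nearest common rate to absorb network jitter (assumption).
    hz = min(COMMON_HZ, key=lambda h: abs(h - raw_hz))
    uptime = ts1 / hz
    return hz, uptime, t1 - uptime


def classify_ipid(ids):
    """Classify a sequence of IP ID values seen in successive packets.
    Labels loosely mirror those in Nmap's report; the thresholds here are a
    simplification, not Nmap's real classifier."""
    if len(ids) < 2:
        raise ValueError("need at least two IP IDs")
    if all(i == 0 for i in ids):
        return "all zeros"
    diffs = [(b - a) % 65536 for a, b in zip(ids, ids[1:])]
    if all(d == 0 for d in diffs):
        return "constant"
    if all(1 <= d <= 255 for d in diffs):
        return "incremental"          # predictable: the field leaks packet counts
    if all(d <= 32767 for d in diffs):
        return "random positive increments"
    return "random"


if __name__ == "__main__":
    samples = [(1_000_000.0, 2_770_000), (1_000_010.0, 2_771_000)]  # constructed
    print(estimate_uptime(samples))            # (100, 27710.0, 972300.0)
    print(classify_ipid([100, 101, 102, 103]))  # incremental
```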

