Bugtraq mailing list archives
Re: TCP Timestamping and Remotely gathering uptime information
From: Fyodor <fyodor () INSECURE ORG>
Date: Wed, 14 Mar 2001 00:30:29 -0800
On Tue, 13 Mar 2001, Bret wrote:
TCP Timestamping - Obtaining System Uptime Remotely By Bret McDanel bret () rehost com March 11, 2001
[ CUT ]
I did my testing under linux, and in order to easily retrieve the remote Timestamp I had to make a small kernel change.
Your report provides an excellent description (and background) of the problem. But for people who want to explore this without kernel recompilation and for those who aren't using Linux, I would like to add that this remote-uptime capability has been available to Nmap users (using raw TCP packets) for more than a month. Troels Walsted Hansen posted a patch to the nmap-dev list on Feb. 3 [1]. I have also included my own implementation in the last few Nmap releases. Nmap is available for free download (with source) at http://www.insecure.org/nmap/ . Grab version 2.54BETA22.

Another under-exploited TCP/IP property is IP.ID prediction. Antirez and others have posted in recent years about the fun you can have with systems that simply increment this field for each packet sent. Yet most operating systems remain vulnerable. Recent versions of Nmap will report on this with the "-O -v" options.

One other known TCP/IP sequencing problem is ISN prediction. Over the years this hole has been gradually declining. Lately we have seen that even Cisco has begun to recognize the problem! But there are still plenty of susceptible machines out there. Nmap offers a report on this as well (not a new feature).

Here is a simple usage example (some verbose output elided):

amy~# nmap -sS -O -F -v ssh.com

Starting nmap V. 2.54BETA22 ( www.insecure.org/nmap/ )
Interesting ports on www.fi.ssh.com (193.64.193.132):
(The 1082 ports scanned but not shown below are in state: closed)
Port       State       Service
22/tcp     open        ssh
53/tcp     open        domain
80/tcp     open        http
6001/tcp   open        X11:1

Remote operating system guess: NetBSD 1.3 - 1.3.3 little endian arch
Uptime 320.671 days (since Thu Apr 27 09:03:19 2000)
TCP Sequence Prediction: Class=random positive increments
                         Difficulty=182669 (Good luck!)
IPID Sequence Generation: Incremental

Nmap run completed -- 1 IP address (1 host up) scanned in 15 seconds
amy~#

Anyway, sorry to plug my own software. But I thought some people might find this useful.
Cheers,
Fyodor

[1] http://lists.insecure.org/nmap-dev/2001/Jan-Mar/0006.html
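The two reports Fyodor's message refers to, remote uptime from TCP timestamps and IP ID sequence classification, reduce to a little arithmetic once you have a few probe replies in hand. The following is an added example, not code from the post or from Nmap: it takes constructed (TSval, capture-time) pairs and constructed IP ID sequences and derives the uptime, boot time and IP ID class. The clock-rate table, the "small increment" threshold of 1000 and the byte-swap test are this example's own assumptions, simplified from what Nmap's -O does, not Nmap's algorithm.

```python
"""Added example, not code from Fyodor's post or from Nmap itself: turn the
TCP timestamp (TSval) values and IP IDs seen in replies to a few probes into
the two reports discussed above, remote uptime and IP ID predictability.
Samples are constructed; heuristics are simplified, not Nmap's own."""
from datetime import datetime, timezone

TS_MOD = 2 ** 32      # TSval is a 32-bit counter (RFC 1323)
IPID_MOD = 2 ** 16    # IP identification field is 16 bits
# Assumption: clock rates worth snapping to. 100 Hz was the usual BSD/Linux
# HZ of the era; 1000 Hz shows up on newer kernels.
COMMON_HZ = (2, 10, 100, 250, 500, 1000)

# Constructed samples: (capture time as seconds since the Unix epoch, TSval
# from the SYN/ACK). They model a 100 Hz host probed once a second on
# 13 Mar 2001 that has been up 320.671 days, like the NetBSD box in the post.
SAMPLES = [
    (984_500_000.0, 2_770_597_240),
    (984_500_001.0, 2_770_597_340),
    (984_500_002.0, 2_770_597_440),
]
# Constructed IP ID sequences from consecutive replies of three hosts.
IPIDS = {
    "quiet-incrementing": [0x2A10, 0x2A11, 0x2A12, 0x2A13],
    "broken-little-endian": [0x1000, 0x1100, 0x1200, 0x1300],
    "randomised": [0x1F3A, 0x9C01, 0x0042, 0x7DE9],
}


def estimate_hz(samples):
    """Estimate the remote timestamp clock rate in ticks per second.

    Uses the first and last (capture_time, tsval) pair. The TSval difference
    is taken modulo 2**32 so a counter wrap between probes is handled.
    """
    if len(samples) < 2:
        raise ValueError("need at least two samples")
    (t0, ts0), (t1, ts1) = samples[0], samples[-1]
    elapsed = t1 - t0
    if elapsed <= 0:
        raise ValueError("samples must be in increasing capture-time order")
    raw_hz = ((ts1 - ts0) % TS_MOD) / elapsed
    # Snap to a well-known rate (assumption) so probe-timing jitter does not
    # turn 100 Hz into 99.7 Hz and skew a 300-day uptime by a day.
    return min(COMMON_HZ, key=lambda hz: abs(hz - raw_hz))


def estimate_uptime(samples, hz=None):
    """Return (uptime_seconds, boot_time_utc).

    Assumes TSval started at 0 at boot and has not wrapped: at 100 Hz the
    counter wraps after about 497 days, so an estimate near that is
    ambiguous. A host that randomises its TSval offset per connection
    yields a meaningless (usually tiny) uptime; treat a few seconds as noise.
    """
    hz = hz or estimate_hz(samples)
    t_last, ts_last = samples[-1]
    uptime = ts_last / hz
    boot = datetime.fromtimestamp(t_last - uptime, tz=timezone.utc)
    return uptime, boot


def _steps(seq):
    """Successive IP ID differences modulo 2**16."""
    return [(b - a) % IPID_MOD for a, b in zip(seq, seq[1:])]


def classify_ipid(ids):
    """Classify an IP ID sequence from consecutive replies (heuristic).

    'zero'           every ID is 0 (host never fragments and sends 0)
    'incremental-le' small steps only after byte-swapping each ID: a
                     generator that increments in the wrong byte order
    'incremental'    every step is a small positive increment: predictable,
                     usable for idle scans and traffic counting
    'random'         anything else
    """
    if len(ids) < 2:
        raise ValueError("need at least two IP IDs")
    if all(i == 0 for i in ids):
        return "zero"
    small = lambda d: 0 < d <= 1000     # assumption: "small" increment bound
    plain = _steps(ids)
    swapped = _steps([((i & 0xFF) << 8) | (i >> 8) for i in ids])
    if all(small(d) for d in swapped) and max(swapped) < max(plain):
        return "incremental-le"
    if all(small(d) for d in plain):
        return "incremental"
    return "random"


if __name__ == "__main__":
    hz = estimate_hz(SAMPLES)
    up, boot = estimate_uptime(SAMPLES, hz)
    print(f"clock {hz} Hz, uptime {up / 86400:.3f} days (since {boot:%c} UTC)")
    for name, ids in IPIDS.items():
        print(f"{name:22s} IPID Sequence Generation: {classify_ipid(ids)}")
```

The byte-swap test is checked before the plain one on purpose: a generator that increments the low byte of a little-endian counter shows up as steps of 256 on the wire, which would otherwise pass the "small increment" bound and be reported as an ordinary incremental host.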
Current thread:
- TCP Timestamping and Remotely gathering uptime information Bret (Mar 13)
- Re: TCP Timestamping and Remotely gathering uptime information Fyodor (Mar 14)
- <Possible follow-ups>
- Re: TCP Timestamping and Remotely gathering uptime information Bret (Mar 15)
- Re: TCP Timestamping and Remotely gathering uptime information Ted U (Mar 16)
- Re: TCP Timestamping and Remotely gathering uptime information Darren Reed (Mar 16)
- Re: TCP Timestamping and Remotely gathering uptime information Valdis Kletnieks (Mar 19)
- Re: TCP Timestamping and Remotely gathering uptime information Saint skullY the Dazed (Mar 19)
- Re: TCP Timestamping and Remotely gathering uptime information arivanov (Mar 19)
- Re: TCP Timestamping and Remotely gathering uptime information Stephen White (Mar 19)
- Re: TCP Timestamping and Remotely gathering uptime information bert hubert (Mar 20)
- Remote fingerprinting/uptime (was Re: TCP Timestamping ...) Darren Reed (Mar 20)
- Re: Remote fingerprinting/uptime (was Re: TCP Timestamping ...) Jason R Thorpe (Mar 22)