TCP timestamps

From Forensics Wiki
Revision as of 13:54, 20 July 2008 by .FUF (Talk | contribs)


TCP timestamps are used to protect against wrapped sequence numbers. Because the timestamp value is a counter driven by the sender's clock, system uptime (and hence boot time) can be calculated by analyzing TCP timestamps (see below).

These calculated uptimes (and boot times) can help in detecting hidden network-enabled operating systems (see TrueCrypt), linking spoofed IP and MAC addresses together, linking IP addresses with ad-hoc wireless APs, and so on.


Supported Operating Systems

  • BSD/OS
  • FreeBSD, but not the default configuration in versions 3 to 4.3
  • HP-UX, recent versions
  • IRIX
  • Linux, kernel 2.1 and later
  • NetApp NetCache
  • Solaris 2.6 and later
  • Windows 2000, 2003, XP and Vista

Limitations

Some operating systems do not send TCP timestamps unless the incoming TCP SYN packet has this option enabled.

Method

  • Find all TCP packets carrying the timestamp option (in Wireshark, use the display filter tcp.options.time_stamp);
  • Calculate the target's clock frequency (e.g. 100 Hz or 1000 Hz) by comparing two (or more) TCP timestamps taken over a known period of time;
  • Use this frequency to convert the timestamp value into uptime, and subtract the uptime from the capture time to obtain the boot time.
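The three steps above, worked through in Python as an added example (not code from the Forensics Wiki page): it estimates the clock rate from two captured packets, snaps it to a well-known rate, and derives uptime and boot time. It assumes, as the method does, that the timestamp counter started at zero at boot; the list of candidate rates and the sample packets are constructed for the example.

```python
# Added example: estimate a host's TSval clock rate and derive uptime/boot time
# from captured TCP timestamps. Assumption (as in the method above): the TSval
# counter started at zero when the host booted.

COMMON_HZ = (2, 10, 100, 250, 1000)  # clock rates commonly seen in practice


def estimate_hz(samples):
    """Return (snapped_hz, raw_hz) from (capture_epoch_seconds, tsval) pairs.

    samples must come from a single host, be ordered by capture time and
    contain at least two packets carrying the TCP timestamp option.
    """
    if len(samples) < 2:
        raise ValueError("need at least two timestamped packets")
    (t0, ts0), (t1, ts1) = samples[0], samples[-1]
    if t1 <= t0:
        raise ValueError("samples must span a positive time interval")
    # TSval is a 32-bit counter: the modulo handles a wrap between samples.
    delta_ts = (ts1 - ts0) % 2**32
    raw_hz = delta_ts / (t1 - t0)
    # Snap to the nearest well-known rate; raw_hz is kept for inspection.
    return min(COMMON_HZ, key=lambda hz: abs(hz - raw_hz)), raw_hz


def uptime_and_boot(samples):
    """Return (hz, uptime_seconds, boot_epoch_seconds) for the last sample."""
    hz, _ = estimate_hz(samples)
    t_last, ts_last = samples[-1]
    uptime = ts_last / hz
    return hz, uptime, t_last - uptime


# Constructed sample: two packets 10 s apart from a 100 Hz host that has been
# up for about an hour (capture epoch values are made up).
SAMPLES = [(1216540000.0, 360000), (1216540010.0, 361000)]

if __name__ == "__main__":
    from datetime import datetime, timezone
    hz, up, boot = uptime_and_boot(SAMPLES)
    print(f"clock: {hz} Hz, uptime: {up:.0f} s, booted: "
          f"{datetime.fromtimestamp(boot, tz=timezone.utc):%Y-%m-%d %H:%M:%S} UTC")
```

A hosts whose raw rate does not sit near any of the candidate values, or whose estimate drifts between samples, is a sign that the counter is not a simple boot-time clock and the uptime figure should not be trusted.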

The following tools can automate this process:

  • Nmap (active scan only)

Links