Difference between pages "TCP timestamps" and "Converting Binary Plists"

From Forensics Wiki

TCP timestamps

'''TCP timestamps''' are a TCP option (RFC 1323) that carries a 32-bit timestamp value (TSval) and a timestamp echo reply (TSecr). They are used for round-trip time measurement and for protection against wrapped sequence numbers (PAWS). On most stacks TSval is derived from a counter that has run since boot and ticks at a fixed rate, so it is possible to calculate system uptime (and, from the capture time, boot time) by analyzing TCP timestamps (see below).

These calculated uptimes (and boot times) can help in detecting hidden network-enabled operating systems (see [[TrueCrypt]]), linking spoofed [[IP]] and [[MAC]] addresses together, linking [[IP]] addresses with Ad-Hoc wireless APs, etc.
  
== Supported Operating Systems ==

* BSD/OS
* [[FreeBSD]], but not the default configuration in versions 3 to 4.3
* HP-UX, recent versions
* IRIX
* [[Linux]], kernel 2.1 and later
* NetApp NetCache
* Solaris 2.6 and later
* [[Windows]] 2000, 2003, XP and Vista

== Limitations ==

Some operating systems only include the timestamp option if the incoming TCP SYN already carried it, so a passive capture of their traffic may contain no timestamps at all; an active probe (a SYN with the option set) is then required.

Since Linux 4.10 the kernel adds a random per-destination offset to TSval by default (sysctl ''net.ipv4.tcp_timestamps=1''; the value 2 disables the randomization), so an uptime calculated from a modern Linux host is only consistent within one peer pair and does not reflect the real boot time.

TSval is a 32-bit counter, so the calculated uptime is only known modulo the wrap period: about 497 days at 100 Hz and about 49.7 days at 1000 Hz.
  
== Method ==

* Find all TCP packets with the timestamp option (in [[Wireshark]] use the display filter ''tcp.options.time_stamp''; current versions name the fields ''tcp.options.timestamp.tsval'' and ''tcp.options.timestamp.tsecr'');
* Calculate the target's clock frequency (e.g. 100 Hz or 1000 Hz) from the change in TSval between two (or more) packets over a known capture interval;
* Divide the latest TSval by this frequency to obtain the uptime, and subtract the uptime from that packet's capture time to obtain the boot time.

The following tools can automate this process:

* [[Nmap]] (OS detection, ''-O''; active scan only)
* p0f (passive; reports uptime alongside the OS guess)
  
 
== Links ==
* [http://rfc.net/rfc1323.html RFC 1323]
* http://uptime.netcraft.com/

Converting Binary Plists

Revision as of 19:20, 9 September 2011

Binary plists are property list files that Apple products use to store settings and application state. A plist can be stored as XML or in a compact binary encoding (files beginning with the magic bytes ''bplist00''); the easiest way to view a binary one is to convert it to XML.

The program plutil is native to OS X (since 10.2); it is also installed on a Windows PC alongside iTunes.

On a Windows PC plutil is stored in Program Files (x86)\Common Files\Apple\Apple Application Support (Program Files\Common Files\... on 32-bit Windows). Add this directory to the PATH environment variable so plutil can be run from anywhere.

To convert a binary plist to XML run the command: '''plutil -convert xml1 file.plist'''. This rewrites file.plist in place; on evidence use '''plutil -convert xml1 -o file.xml file.plist''' (or work on a copy) so the original is left untouched. '''plutil -convert binary1''' converts back to the binary form.



== Links ==
* plutil man page - http://developer.apple.com/library/mac/#documentation/Darwin/Reference/ManPages/man1/plutil.1.html
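The same conversion done without plutil, as an added example that is not from the original page: Python's standard-library plistlib reads both binary and XML plists, so it can produce the xml1 form on any platform and, unlike an in-place plutil run, leave the source file untouched. The LaunchAgent-style dictionary is constructed for the example and does not come from any real system.

```python
import plistlib
from datetime import datetime

BPLIST_MAGIC = b"bplist00"


def is_binary_plist(data: bytes) -> bool:
    """Binary plists start with the 8-byte magic 'bplist00'."""
    return data[:8] == BPLIST_MAGIC


def binary_to_xml(data: bytes) -> bytes:
    """Return the XML (xml1) form of a plist given as bytes.

    plistlib.loads() autodetects binary vs XML input, so this is the
    in-memory equivalent of 'plutil -convert xml1'.
    """
    obj = plistlib.loads(data)
    return plistlib.dumps(obj, fmt=plistlib.FMT_XML, sort_keys=True)


def convert_file(src: str, dst: str) -> None:
    """Write the XML conversion of src to dst, leaving src untouched
    (the equivalent of 'plutil -convert xml1 -o dst src')."""
    with open(src, "rb") as f:
        data = f.read()
    with open(dst, "wb") as f:
        f.write(binary_to_xml(data))


def roundtrip_ok(data: bytes) -> bool:
    """Check that converting to XML and parsing back preserves the content."""
    return plistlib.loads(binary_to_xml(data)) == plistlib.loads(data)


# Constructed sample resembling a LaunchAgent plist (not from a real host).
# plistlib.dumps(..., FMT_BINARY) produces the same bplist00 encoding that a
# macOS host would write, including a date and raw data value.
SAMPLE_DICT = {
    "Label": "com.example.agent",
    "ProgramArguments": ["/usr/bin/true", "--flag"],
    "RunAtLoad": True,
    "StartInterval": 3600,
    "LastRun": datetime(2011, 9, 9, 19, 20, 0),
    "Token": b"\x00\x01\xfe\xff",
}
SAMPLE_BINARY = plistlib.dumps(SAMPLE_DICT, fmt=plistlib.FMT_BINARY)

if __name__ == "__main__":
    print("binary input:", is_binary_plist(SAMPLE_BINARY))
    print(binary_to_xml(SAMPLE_BINARY).decode())
    print("round trip intact:", roundtrip_ok(SAMPLE_BINARY))
```

The magic-byte check is the quick triage step before conversion: a file that does not start with bplist00 is either already XML (which plistlib also accepts) or not a plist at all. Dates come out in the XML as UTC ISO-8601 strings and binary data as base64, which is what plutil's xml1 output shows as well.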