Difference between pages "TCP timestamps" and "Executable"

From Forensics Wiki

= TCP timestamps =
'''TCP timestamps''' (the TCP Timestamps option of RFC 1323) are used to measure round-trip times and to provide protection against wrapped sequence numbers (PAWS). Because most implementations fill the timestamp value (TSval) from a counter that starts near zero at boot and ticks at a fixed rate, it is possible to calculate system uptime (and boot time) by analyzing TCP timestamps (see below).

These calculated uptimes (and boot times) can help in detecting hidden network-enabled operating systems (see [[TrueCrypt]]), linking spoofed [[IP]] and [[MAC]] addresses together (two addresses whose timestamp counters lie on the same line belong to the same host), linking [[IP]] addresses with Ad-Hoc wireless APs, etc.

== Supported Operating Systems ==
Timestamps suitable for uptime calculation are sent by:

* BSD/OS
* [[FreeBSD]], but not the default configuration in versions 3 to 4.3
* HP-UX, recent versions
* IRIX
* [[Linux]], kernel 2.1 and later
* NetApp NetCache
* Solaris 2.6 and later
* [[Windows]] 2000, 2003, XP and Vista

== Limitations ==
Some operating systems (Windows among them) do not send TCP timestamps unless the incoming TCP SYN packet already has this option enabled; a passive observer then sees the option only on connections initiated by peers that use it, and an active probe has to set it in its own SYN.

The timestamp counter is a 32-bit value, so at 1000 Hz it wraps after roughly 49.7 days and the calculated uptime is only known modulo that period. Newer systems may also randomise the timestamp offset per peer (Linux does this by default since kernel 4.10; ''net.ipv4.tcp_timestamps'' set to 2 restores the old behaviour), in which case the values no longer reveal uptime and cannot be used to link addresses to one host.

== Method ==
* Find all TCP packets with the timestamp option (in [[Wireshark]] use the following display filter: ''tcp.options.time_stamp''; current versions name the fields ''tcp.options.timestamp.tsval'' and ''tcp.options.timestamp.tsecr'');
* Calculate the target's clock frequency (e.g. 100 Hz or 1000 Hz) by analyzing two (or more) TCP timestamps from the same host in a certain period of time: the frequency is the change in TSval divided by the change in capture time, rounded to a plausible tick rate;
* Use this frequency to calculate uptime (TSval divided by the frequency) and boot time (capture time minus uptime).
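The three steps above as an added worked example (this code is not from the Forensics Wiki page nor from any tool it lists). It assumes the timestamp counter starts at zero at boot and ticks at one of the usual rates; the sample records are constructed, in the layout the tshark command in the comment would print, and the addresses and values are invented. It also handles the two cases the steps leave implicit, a host seen in fewer than two packets and the 32-bit wrap of the counter, and goes beyond the text by grouping addresses whose boot times coincide, which is the check used to tie a spoofed address to its real host.

```python
# Added example (not from the Forensics Wiki page): estimating clock rate,
# uptime and boot time from TSval samples, and linking addresses that share
# one timestamp clock. The records are constructed, in the layout that
#   tshark -r capture.pcap -T fields -e frame.time_epoch -e ip.src -e tcp.options.timestamp.tsval
# would produce; the addresses and values are invented for the demonstration.
from collections import defaultdict
from datetime import datetime, timezone

COMMON_HZ = (100, 250, 1000)   # tick rates seen in practice; the estimate is snapped to one of these
TS_MOD = 2 ** 32               # TSval is a 32-bit counter and wraps

T0 = 1_700_000_000.0           # constructed capture start (epoch seconds)
SAMPLES = [                    # (capture_time, src_ip, tsval), constructed
    (T0 + 0.0,  "10.0.0.5",   3_600_000),   # 1000 Hz host, up for 1 hour
    (T0 + 1.5,  "10.0.0.5",   3_601_500),
    (T0 + 4.2,  "10.0.0.5",   3_604_200),
    (T0 + 2.0,  "10.0.0.9",   8_640_200),   # 100 Hz host, up for 1 day
    (T0 + 5.0,  "10.0.0.9",   8_640_500),
    (T0 + 10.0, "10.0.0.77",  3_610_000),   # spoofed address on the 10.0.0.5 machine
    (T0 + 12.5, "10.0.0.77",  3_612_500),
    (T0 + 3.0,  "10.0.0.200", 12_345),      # one packet only: no rate can be measured
]


def unwrap(tsvals):
    """Undo 32-bit wraparound so a host's TSval sequence is monotonic."""
    out, offset, prev = [], 0, tsvals[0]
    for cur in tsvals:
        if prev - cur > TS_MOD // 2:      # large backwards jump: the counter wrapped
            offset += TS_MOD
        out.append(cur + offset)
        prev = cur
    return out


def estimate_hz(times, tsvals):
    """Least-squares slope of TSval against capture time, in ticks per second."""
    n = len(times)
    t_mean, v_mean = sum(times) / n, sum(tsvals) / n
    num = sum((t - t_mean) * (v - v_mean) for t, v in zip(times, tsvals))
    den = sum((t - t_mean) ** 2 for t in times)
    return num / den


def snap_hz(hz):
    """Round a noisy rate estimate to the nearest plausible tick rate."""
    return min(COMMON_HZ, key=lambda c: abs(c - hz))


def analyze(samples):
    """Per source address: tick rate, uptime and boot time, or None if not measurable."""
    per_host = defaultdict(list)
    for t, ip, ts in samples:
        per_host[ip].append((t, ts))
    results = {}
    for ip, recs in per_host.items():
        recs.sort()
        times = [t for t, _ in recs]
        tsvals = unwrap([ts for _, ts in recs])
        if len(recs) < 2 or times[-1] == times[0]:
            results[ip] = None            # the method needs two or more packets spread in time
            continue
        hz = snap_hz(estimate_hz(times, tsvals))
        uptime = tsvals[-1] / hz          # seconds since the counter started (modulo the wrap period)
        results[ip] = {"hz": hz, "uptime_s": uptime, "boot_time": times[-1] - uptime}
    return results


def link_hosts(results, tolerance_s=2.0):
    """Group addresses whose estimated boot times coincide: likely one physical host."""
    known = sorted(((ip, r["boot_time"]) for ip, r in results.items() if r), key=lambda x: x[1])
    groups = []
    for ip, bt in known:
        if groups and bt - groups[-1][-1][1] <= tolerance_s:
            groups[-1].append((ip, bt))
        else:
            groups.append([(ip, bt)])
    return [[ip for ip, _ in g] for g in groups]


if __name__ == "__main__":
    res = analyze(SAMPLES)
    for ip, r in res.items():
        if r is None:
            print(f"{ip}: not enough timestamped packets")
        else:
            boot = datetime.fromtimestamp(r["boot_time"], timezone.utc)
            print(f"{ip}: {r['hz']} Hz, uptime {r['uptime_s']:.1f} s, booted {boot.isoformat()}")
    print("same host:", link_hosts(res))
```

Real data goes in by replacing SAMPLES with the tshark output. On a target that randomises its timestamp offset per peer the boot times this produces are meaningless, and addresses of one such host will not end up in the same group.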

The following tools can automate this process:
* [[Nmap]] (only active scan; the OS detection output reports an ''Uptime guess'')
* p0f (passive; reports the uptime of hosts whose timestamps it has observed)

== Links ==
* [http://rfc.net/rfc1323.html RFC 1323] (obsoleted by RFC 7323, which retains the timestamp option)
* http://uptime.netcraft.com/

Revision as of 16:31, 23 October 2013

= Executable =

{{expand}}

An executable file is used to perform tasks according to encoded instructions. Executable files are sometimes also referred to as binaries, which technically can be considered a subclass of executable files (those containing machine code rather than, for instance, script text).

There are multiple types of executables:
* Scripts
* DOS, Windows

== External Links ==
* [http://en.wikipedia.org/wiki/Executable Wikipedia: Executable]

=== MZ, PE/COFF ===
* [http://en.wikipedia.org/wiki/Portable_Executable Wikipedia: Portable Executable]
* [https://googledrive.com/host/0B3fBvzttpiiSd1dKQVU0WGVESlU/Executable%20(EXE)%20file%20format.pdf MZ, PE-COFF executable file format (EXE)]
* [http://seclists.org/fulldisclosure/2013/Oct/157 The Internal of Reloc .text], Full Disclosure Mailing list, October 21, 2013

== Tools ==

=== MZ, PE/COFF ===
* [https://code.google.com/p/pefile/ pefile], multi-platform Python module to read and work with Portable Executable (aka PE) files
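As an added example for the MZ, PE/COFF section (not code from the wiki page or from pefile), the header walk that such tools perform, written against the standard library only: MZ stub, e_lfanew, PE signature, COFF header, the optional-header fields most useful in triage, and the section table. The image it parses is constructed inline and is not a loadable program; the section names, timestamp and overlay text are invented. It goes beyond the page's link list with three checks an examiner usually runs first: whether the entry point lies inside a named section, how many bytes are appended after the last section, and which sections are both writable and executable.

```python
# Added example (not from the Forensics Wiki page or from pefile): walking the MZ
# and PE/COFF headers with only the standard library. The sample image is
# constructed inline and is not a loadable program; the offsets used below are
# those of the PE/COFF specification.
import struct

MACHINES = {0x14C: "i386", 0x1C0: "ARM", 0x8664: "x86-64", 0xAA64: "ARM64"}
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(data):
    """Return COFF header fields, selected optional-header fields and the section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    coff = e_lfanew + 4
    machine, nsections, timestamp, _symtab, _nsyms, opt_size, characteristics = \
        struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                   # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    if magic == 0x10B:                                # PE32
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:                              # PE32+
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    sections = []
    for i in range(nsections):                        # 40-byte section headers after the optional header
        name, vsize, va, rawsize, rawptr, _, _, _, _, flags = \
            struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "rawptr": rawptr,
                         "rawsize": rawsize, "flags": flags})
    return {"machine": MACHINES.get(machine, hex(machine)), "timestamp": timestamp,
            "characteristics": characteristics, "magic": magic, "image_base": image_base,
            "entry_rva": entry_rva, "subsystem": subsystem, "sections": sections}


def entry_section(pe):
    """Name of the section holding the entry point, or None if it lies outside every
    section (a common sign of packing or header tampering)."""
    for s in pe["sections"]:
        if s["va"] <= pe["entry_rva"] < s["va"] + max(s["vsize"], s["rawsize"]):
            return s["name"]
    return None


def overlay_size(pe, data):
    """Bytes appended after the last section's raw data (the 'overlay')."""
    end = max((s["rawptr"] + s["rawsize"] for s in pe["sections"]), default=0)
    return max(0, len(data) - end)


def writable_executable_sections(pe):
    """Sections that are both writable and executable."""
    both = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE
    return [s["name"] for s in pe["sections"] if s["flags"] & both == both]


def _section(name, vsize, va, rawsize, rawptr, flags):
    return struct.pack("<8sIIIIIIHHI", name, vsize, va, rawsize, rawptr, 0, 0, 0, 0, flags)


def build_sample_pe():
    """Constructed minimal PE32 image: MZ stub, COFF header, PE32 optional header, two sections."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # e_lfanew: PE header right after the stub
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0x5267AB00, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)                                    # PE32 optional header is 224 bytes
    struct.pack_into("<H", opt, 0, 0x10B)                    # magic: PE32
    struct.pack_into("<I", opt, 16, 0x1000)                  # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)          # SectionAlignment, FileAlignment
    struct.pack_into("<H", opt, 68, 2)                       # Subsystem: Windows GUI
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt)
    headers += _section(b".text", 0x100, 0x1000, 0x200, 0x200, 0x60000020)   # code, read, execute
    headers += _section(b".data", 0x40, 0x2000, 0x200, 0x400, 0xC0000040)    # data, read, write
    headers = headers.ljust(0x200, b"\0")
    text = b"\xC3".ljust(0x200, b"\0")                       # a lone RET at the entry point
    data = bytes(0x200)
    return headers + text + data + b"CONSTRUCTED OVERLAY"    # 19 bytes past the last section


if __name__ == "__main__":
    sample = build_sample_pe()
    pe = parse_pe(sample)
    print(pe["machine"], hex(pe["image_base"]), [s["name"] for s in pe["sections"]])
    print("entry in", entry_section(pe), "| overlay bytes:", overlay_size(pe, sample),
          "| W+X sections:", writable_executable_sections(pe))
```

To run it on a real file, pass the bytes of the file to parse_pe instead of the constructed image; pefile exposes the same fields (and far more) through its PE class, and this walk is only meant to make those fields concrete.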