Old 02-03-2005, 04:29 AM   #1
Registered: Oct 2004
Location: Romania
Distribution: Ubuntu server, FreeBsd
Posts: 455

Rep: Reputation: 30
nmap - TCP Sequence Prediction

Can anyone tell me what the classes of TCP Sequence Prediction that nmap uses are? What do they mean? What interval can the difficulty fall within?

Old 02-09-2005, 01:17 AM   #2
Senior Member
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 65
From this article at the nmap site (originally from network-magazine)

The final stage uses SYN packets to probe for initial sequence
numbers. Nmap sends a couple of resets first to the open port, then
sends six packets with just SYN set (the normal method for opening a
TCP connection), followed each time with a reset (a TCP header with
reset and ACK flags set, which aborts the connection). The sequence
numbers in packets sent increase incrementally by one each time; this
is abnormal behavior but is characteristic of sequence number
collectors, such as rbone and the unpublished tool used to take down
security specialist Tsutomu Shimomura's site on Christmas Day, 1994
(see "Source Address Spoofing," May 2000).

Nmap collects the initial sequence numbers received from the target
and looks for a pattern in the way they are incremented. Really old
Unix systems still use a constant increment, while newer and more
secure systems use a random increment. Newer Microsoft stacks use a
time-dependent increment, which might make them vulnerable if they ran
a Unix service such as rlogind (which is not the case).
Essential reading on the topic:

I believe nmap uses an algorithm similar to that described in the second paper.
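
The pattern analysis the quoted article describes, as an added example that is not part of the original thread and is not nmap's own algorithm: a simplified classifier that sorts collected initial sequence numbers into the three behaviours named above (constant, time-dependent, random increment). The sample values, the 5% tolerance and all function names are assumptions constructed for illustration.

```python
"""Classify how a TCP stack increments its initial sequence numbers (ISNs).

Added illustration, not nmap's algorithm; the tolerance is an assumption.
"""
from statistics import mean, pstdev

MOD = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around


def isn_deltas(isns):
    """Differences between consecutive ISNs, modulo 2**32 (handles wrap)."""
    return [(b - a) % MOD for a, b in zip(isns, isns[1:])]


def classify(samples, tolerance=0.05):
    """samples: (seconds, isn) pairs taken from successive SYN/ACK replies."""
    if len(samples) < 3:
        raise ValueError("need at least three samples")
    times = [t for t, _ in samples]
    deltas = isn_deltas([isn for _, isn in samples])
    if len(set(deltas)) == 1:
        return "constant increment"
    gaps = [b - a for a, b in zip(times, times[1:])]
    if all(g > 0 for g in gaps):
        # ISN units per second; a clock-driven generator gives a steady rate
        rates = [d / g for d, g in zip(deltas, gaps)]
        if pstdev(rates) <= tolerance * mean(rates):
            return "time-dependent increment"
    return "random increment"


# Constructed samples: six replies each, unevenly spaced in time.
TIMES = [0.00, 0.11, 0.19, 0.33, 0.40, 0.52]
OLD_UNIX = list(zip(TIMES, [4294900000, 4294964000, 60704,
                            124704, 188704, 252704]))  # +64000, wraps once
TIME_DRIVEN = list(zip(TIMES, [1000000, 1027512, 1047502,
                               1082522, 1100012, 1130023]))  # ~250000/s
RANDOMISED = list(zip(TIMES, [3120457811, 881234007, 2417730921,
                              150992344, 3999120455, 1673304418]))

if __name__ == "__main__":
    for name, data in [("old unix", OLD_UNIX), ("time driven", TIME_DRIVEN),
                       ("randomised", RANDOMISED)]:
        print(f"{name:12s} -> {classify(data)}")
```

A stack that falls into either of the first two classes is the predictable case the article warns about; a modern stack should land in the third.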
Old 02-09-2005, 03:16 AM   #3
Registered: Oct 2004
Location: Romania
Distribution: Ubuntu server, FreeBsd
Posts: 455

Original Poster
Rep: Reputation: 30
that is what I was looking for.



All times are GMT -5.