Old 02-03-2005, 03:29 AM   #1
ddaas
Member
 
Registered: Oct 2004
Location: Romania
Distribution: Ubuntu server, FreeBsd
Posts: 453

Rep: Reputation: 30
nmap - TCP Sequence Prediction


Hi,
Can anyone tell me which classes of TCP Sequence Prediction nmap uses? What do they mean? What range can the difficulty fall within?

ddaas
 
Old 02-09-2005, 12:17 AM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
From this article at the nmap site (originally from network-magazine)

Quote:
The final stage uses SYN packets to probe for initial sequence
numbers. Nmap sends a couple of resets first to the open port, then
sends six packets with just SYN set (the normal method for opening a
TCP connection), followed each time with a reset (a TCP header with
reset and ACK flags set, which aborts the connection). The sequence
numbers in packets sent increase incrementally by one each time; this
is abnormal behavior but is characteristic of sequence number
collectors, such as rbone and the unpublished tool used to take down
security specialist Tsutomu Shimomura's site on Christmas Day, 1994
(see "Source Address Spoofing," May 2000).

Nmap collects the initial sequence numbers received from the target
and looks for a pattern in the way they are incremented. Really old
Unix systems still use a constant increment, while newer and more
secure systems use a random increment. Newer Microsoft stacks use a
time-dependent increment, which might make them vulnerable if they ran
a Unix service such as rlogind (which is not the case).

Essential reading on the topic:
http://www.cert.org/advisories/CA-2001-09.html
http://www.bindview.com/Support/RAZO...001/tcpseq.cfm
http://www.iu.hio.no/~haugerud/ids/SAATSNA_OYL.pdf

I believe nmap uses an algorithm similar to that described in the second paper.
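
A simplified sketch of the increment-pattern analysis the quoted article describes, added here as an example for auditing your own hosts; it is not part of the original posts and is not nmap's own algorithm. The function name, the 5% rate tolerance and all sample values are constructed for illustration.

```python
from statistics import mean, pstdev

MOD = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around


def classify_isns(samples, rate_tolerance=0.05):
    """Classify ISN growth from (arrival_ms, isn) pairs in arrival order.

    Returns "constant", "time-dependent" or "random", the three patterns
    named in the quoted article. rate_tolerance is an assumed threshold.
    """
    if len(samples) < 3:
        raise ValueError("need at least three samples to compare increments")
    pairs = list(zip(samples, samples[1:]))
    # Modular subtraction keeps increments correct across a 32-bit wrap.
    deltas = [(b[1] - a[1]) % MOD for a, b in pairs]
    gaps = [b[0] - a[0] for a, b in pairs]
    if len(set(deltas)) == 1:
        return "constant"
    if all(g > 0 for g in gaps):
        # A clock-driven generator advances at a steady rate per millisecond.
        rates = [d / g for d, g in zip(deltas, gaps)]
        if pstdev(rates) <= rate_tolerance * mean(rates):
            return "time-dependent"
    return "random"


# Constructed samples: six replies at uneven arrival times (milliseconds).
TIMES_MS = [0, 100, 250, 310, 480, 600]
CONSTANT = [(t, (4294900000 + i * 64000) % MOD) for i, t in enumerate(TIMES_MS)]
JITTER = [0, 3, -2, 5, 1, -4]
CLOCKED = [(t, (1000000 + 250 * t + j) % MOD) for t, j in zip(TIMES_MS, JITTER)]
RANDOM = list(zip(TIMES_MS, [0x3A91F2C4, 0xD10477B9, 0x0B5E88A1,
                             0x9C23E05F, 0x61F0AA17, 0xE7B3490D]))

if __name__ == "__main__":
    for name, data in (("constant", CONSTANT), ("clocked", CLOCKED), ("random", RANDOM)):
        print(name, "->", classify_isns(data))
```

The constant sample deliberately crosses the 32-bit boundary, which a plain subtraction would misread as a large negative jump.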
 
Old 02-09-2005, 02:16 AM   #3
ddaas
Member
 
Registered: Oct 2004
Location: Romania
Distribution: Ubuntu server, FreeBsd
Posts: 453

Original Poster
Rep: Reputation: 30
thanks,
that is what I was looking for.


ddaas
 
  

