Hello. This thread is for users of up-to-date Debian SID systems. Run an nmap on localhost and tell me the values of "TCP Sequence Prediction: Difficulty" and "IPID Sequence Generation". Run:

The reason of this request is that, after issuing the above command on my box, I found out the "Difficulty" value surprisingly low [~ 200]; "IPID Seq Gen:" to be "All zeros". I'm trying to find out if this is normal behavior with up-to-date SID boxes or just a personal problem. Also, should anyone know how to "fix" this, please tell me I'm not afraid of custom [configured] kernels, nor modifying the kernel source.

Should this turn out to be a Deb Unstable specific thing, if anyone knows details [i.e. urls to debian mailing list archives about this stuff or whatever]; please let me know.

Well, as a point of reference, on Fedora Core 6 I get:

TCP Sequence Prediction: Class=random positive increments
Difficulty=3603973 (Good luck!)
IPID Sequence Generation: All zeros

TCP Sequence Prediction: Difficulty=201 (Good luck!)
IPID Sequence Generation: All zeros

TCP Sequence Prediction: Class=random positive increments
Difficulty=3559929 (Good luck!)
IPID Sequence Generation: All zeros


On kernel 2.6.18-3-686 (sid). Sid or etch or sarge doesn't make a difference AFAIK, the tcp/ip stack is still in the kernel.

Starting Nmap 4.20 ( http://insecure.org ) at 2006-12-18 17:52 EST
Initiating SYN Stealth Scan at 17:52
Scanning orders.webpower.com (127.0.0.1) [1697 ports]
Completed SYN Stealth Scan at 17:52, 0.09s elapsed (1697 total ports)
Initiating Service scan at 17:52
Warning: OS detection for 127.0.0.1 will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
Initiating OS detection (try #1) against orders.webpower.com (127.0.0.1)
Retrying OS detection (try #2) against orders.webpower.com (127.0.0.1)
Initiating gen1 OS Detection against 127.0.0.1 at 1.800s
Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
Host orders.webpower.com (127.0.0.1) appears to be up ... good.
All 1697 scanned ports on orders.webpower.com (127.0.0.1) are closed
Too many fingerprints match this host to give specific OS details
TCP/IP fingerprint by osscan system #2:
SCAN(V=4.20%D=12/18%OT=%CT=1%CU=39647%PV=N%DS=0%G=N%TM=45871BAE%P=i686-pc-linux-gnu)
T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
U1(R=Y%DF=N%T=40%TOS=C0%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUL=G%RUD=G)
IE(R=Y%DFI=N%T=40%TOSI=S%CD=S%SI=S%DLI=S)
Network Distance: 0 hops

OS and Service detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .
Nmap finished: 1 IP address (1 host up) scanned in 5.994 seconds
Raw packets sent: 1721 (77.860KB) | Rcvd: 3437 (147.132KB)

Hm where is everyone getting the info they are posting? The above is what I get.

It should be the final output.

Ouch. So it appears that on some boxes it's high, on some boxes it's low. I wander why. nx5000.. did anything special to your box?

Did I change anything? Hummmm good question :-)

First we have the same stock kernel

Running it again I realized that I don't have the latest nmap.

I have this in /etc/sysctl.conf:
This in /etc/systune.conf:
And my iptables rules (automatically generated, not really needed):

Running it again after removing the firewall:

Ahhhh I'm the best 5239359 !!!! ;-)
FreeBSD? :

Upgrading nmap to 4.20-1 (hum should have begun from here)

Uptime: 0.016 days (since Tue Dec 19 11:49:25 2006)
Network Distance: 0 hops
TCP Sequence Prediction: Difficulty=200 (Good luck!)
IPID Sequence Generation: All zeros
Service Info: OS: Linux

That's it

Anyway, it says good luck... Did you try to blind-spoof anything?

Not sure what to make of this. Either NMap is reporting badly.. or.. ehh.. no idea what. I noticed one time it said my UpTime was over 150 days and I had the computer up for less than half an hour :-/

I don't have a modif. /etc/systune.conf; nor do I run a firewall. My /etc/sysctl.conf however:

I've commented everything and rebooted, rescanned. Same thing. So this doesn't make a diff.

I looked at the code.
If you get difficulty over or equal 16, its the highest (good luck).

/* Convert a TCP sequence prediction difficulty index like 1264386
into a difficulty string like "Worthy Challenge */
const char *seqidx2difficultystr(unsigned long idx) {
return (idx < 3)? "Trivial joke" : (idx < 6)? "Easy" : (idx < 11)? "Medium" : (idx < 12)? "Formidable" : (idx < 16)? "Worthy challenge" : "Good luck!";
}

And looking deeper in the code, you see that nmap 4 was using seqidx2difficultystr1 while nmap 4.2 uses the above mentionned one.


/* Convert a TCP sequence prediction difficulty index like 1264386
into a difficulty string like "Worthy Challenge */
const char *seqidx2difficultystr1(unsigned long idx) {
return (idx < 10)? "Trivial joke" : (idx < 80)? "Easy" : (idx < 3000)? "Medium" : (idx < 5000)? "Formidable" : (idx < 100000)? "Worthy challenge" : "Good luck!";
}

See the difference in idx scale!

Fedora core 6 uses nmap 4.11 by default (unless repacked)

I don't see any problem but it could be interesting to see an openbsd's result on nmap 4.20

That explains why both versions of NMap say "Good Luck". But what it doesn't explain is why they report diff. TCP sequence prediction difficulty indexes.

..

And..

Fascinating.

UPDATE:
Was looking through the NMAP ChangeLog and found this:

-O1: Only use the old (1st generation) OS detection system

Hum if I run -O1 I get trivial joke

nmap is the joke