Re: Getting a Machines Uptime Remotely

From: Pete Herzog (lists@isecom.org)
Date: Fri Feb 03 2006 - 05:56:13 EST


Hi,

The UPTIME is from the Timestamp of a TCP packet. If you know the OS
you can figure out the uptime from the number of milliseconds in the
timestamp.

Windows, however, does not provide timestamp information in TCP and
rarely in the timestamp option of ICMP (nmap can request this as -PP).

As others said before, SNMP, NNTP, and RPC are options. Other services
may also give you local time (often times in GMT though) that will let
you know its time but not its uptime. Therefore, you will have to do a
little deductive work to narrow in. For example, if automatic
Windows Update is used then you can correlate patches with release
dates knowing that often a reboot is performed after the patch is
applied. Windows Update may not be automatic which means you need to
know an update schedule or maybe it's not updated at all ever which
means you really can't use that as a gauge.

But if you just need to settle a bet, there's always a few tricks to
BSOD the system and then you make your own UPTIME calculation ;) Just
kidding.

There may be other tricks but you'll have to google for it. AFAIK,
without researching for you, there are easy ways to get the local time
but not the uptime.

Sincerely,
-pete.

www.isestorm.org

Holstein, Robert - BLS CTR wrote:
> I should have mentioned this in the first communiqué. I don't have any privileges on any of the remote workstations to authenticate a remote connection with so RPC queries usually don't work. If someone knows a way to coax something from an RPC call I'm all ears. Having no credentials to pass also eliminates psinfo, systeminfo, uptime or many of the other well-known Windows-based tools.
>
> SNMP is supposedly completely disabled on these workstations so I don't know if trying to query an OID remotely would be worth the time. It's worth a try though. That's one of the reasons I looked to NMAP. I know it calculates uptime from the TCP timestamp for Linux OS. I suspect it can do the same for Windows, but I don't know how to go about it.
>
>
> -----Original Message-----
> From: Steve Friedl [mailto:steve@unixwiz.net]
> Sent: Thursday, February 02, 2006 2:21 PM
> To: Holstein, Robert - BLS CTR
> Cc: pen-test@securityfocus.com
> Subject: Re: Getting a Machines Uptime Remotely
>
> On Wed, Feb 01, 2006 at 10:18:06AM -0500, Holstein, Robert - BLS CTR wrote:
>> I'm trying to figure out how to get the uptime of a Win* machine
>> remotely using NMAP. Stealth is not a concern. I've done it with
>> *nix based OS'es before using NMAP but never Windows. Can anyone offer
>> some advice on how to do this using NMAP. I've tried a couple
>> different things with no results.
>
> There are two ways I can think of to get the uptime remotely, though neither with nmap.
>
> 1) via SNMP: the sysUpTime.0 OID is the number of 100ths of a second since
> boot. This has a 497-day limit before the 32-bit counter wraps around,
> but if it's a Windows machine I doubt you'll run into that ;-)
>
> 2) I'm sure there's an RPC type query which returns this information, but
> it surely requires a network credential.
>
> Steve
>
> ---
> Stephen J Friedl | Security Consultant | UNIX Wizard | +1 714 544-6561
> www.unixwiz.net | Tustin, Calif. USA | Microsoft MVP | steve@unixwiz.net
>
>
>
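
Added example, not part of the original messages: a sketch of the TCP timestamp arithmetic discussed in the thread, which also shows where the 497-day wrap of a 32-bit counter at 100 ticks per second comes from. The candidate tick rates and the option bytes are constructed assumptions, and the estimate assumes the counter starts at zero on boot, which stacks that randomize their timestamp offset do not satisfy.

```python
import struct

TS_WRAP = 2 ** 32                       # TSval is an unsigned 32-bit counter
COMMON_HZ = (1, 2, 10, 100, 250, 1000)  # assumed candidate tick rates, not from the thread

def parse_timestamp(options: bytes):
    """Return (TSval, TSecr) from raw TCP option bytes, or None if option 8 is absent."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                   # End of Option List
            break
        if kind == 1:                   # NOP is a single byte with no length field
            i += 1
            continue
        if i + 1 >= len(options):
            break                       # truncated: kind byte without a length
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            break                       # malformed length, stop rather than misparse
        if kind == 8 and length == 10:
            return struct.unpack("!II", options[i + 2:i + 10])
        i += length
    return None

def estimate_hz(t0: float, ts0: int, t1: float, ts1: int) -> int:
    """Snap the tick rate observed between two samples to the nearest candidate rate."""
    rate = ((ts1 - ts0) % TS_WRAP) / (t1 - t0)
    return min(COMMON_HZ, key=lambda hz: abs(hz - rate) / hz)

def uptime_days(tsval: int, hz: int) -> float:
    """Uptime if the counter started at 0 on boot and has not wrapped since."""
    return tsval / hz / 86400

def wrap_days(hz: int) -> float:
    """Days until a 32-bit counter at this rate wraps (100 Hz gives the 497-day limit)."""
    return TS_WRAP / hz / 86400

def _sample_options(tsval: int) -> bytes:
    # Constructed option list: MSS, SACK-permitted, Timestamp, NOP, window scale.
    return (b"\x02\x04\x05\xb4" + b"\x04\x02" +
            b"\x08\x0a" + struct.pack("!II", tsval, 0) + b"\x01\x03\x03\x07")

SAMPLE_A = _sample_options(432_000_000)      # constructed, observed at t = 0.0 s
SAMPLE_B = _sample_options(432_001_003)      # constructed, observed at t = 10.0 s
NO_TS = b"\x02\x04\x05\xb4\x01\x01\x04\x02"  # constructed: host sends no timestamp option

if __name__ == "__main__":
    (ts_a, _), (ts_b, _) = parse_timestamp(SAMPLE_A), parse_timestamp(SAMPLE_B)
    hz = estimate_hz(0.0, ts_a, 10.0, ts_b)
    print(f"{hz} Hz, ~{uptime_days(ts_a, hz):.1f} days up, wraps every {wrap_days(hz):.1f} days")
    print("no timestamp option:", parse_timestamp(NO_TS))
```

Because the counter wraps, the result is only the uptime modulo the wrap period, and a host that omits the timestamp option yields nothing at all.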


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:26 EDT