Re: Getting a Machine's Uptime Remotely

From: Bojan Zdrnja (bojan.zdrnja@gmail.com)
Date: Sun Feb 05 2006 - 17:42:05 EST


Hi Pete,

On 2/3/06, Pete Herzog <lists@isecom.org> wrote:
> Hi,
>
> The UPTIME is from the Timestamp of a TCP packet. If you know the OS
> you can figure out the uptime from the number of milliseconds in the
> timestamp.
>
> Windows, however, does not provide timestamp information in TCP and
> rarely in the timestamp option of ICMP (nmap can request this as -PP).

Windows will provide TCP timestamp information, but only after the
three-way handshake has been established and a packet has been sent to
the remote machine (when it replies, it will set the TCP timestamp
option).

Now, I've seen conflicting reports of what this number is set to. Some
reports said that it's a random number, some reports say it's set to 0
when the system reboots. Also, different reports mention different
resolution (some say it's number of ticks in 100 ms).

I just tested this on my laptop (Windows XP SP2), by issuing a
connection to port 135 (firewall is turned off for the test).

In one window, on a remote machine, I just set up tcpdump with a filter
for packets coming from 192.168.0.2 (my laptop), with the A flag on
(remember, Windows will not send anything during the three-way
handshake):

$ tcpdump -nn 'src host 192.168.0.2 and tcp port 135 and (tcp[13] = 0x10)'

In the other window, just telnet to 192.168.0.2 port 135. After the
connection is established, enter any bogus data:

$ telnet 192.168.0.2 135
Trying 192.168.0.2...
Connected to 192.168.0.2.
Escape character is '^]'.
asd
^]
telnet> q
Connection closed.

Tcpdump will capture a packet:

11:37:08.648979 IP 192.168.0.2.135 > 192.168.0.200.53756: . ack
3451813541 win 65530 <nop,nop,timestamp 58376 627862633>

The first timestamp is generated by the Windows machine. 58376 looks to me
like a clock with 10ms resolution. This would make the machine uptime
97.29 minutes, which is 1 hour and 37 minutes.

Uptime.exe on my Windows machine says:

D:\>uptime.exe
\\LAPTOP has been up for: 0 day(s), 1 hour(s), 41 minute(s), 12 second(s)

I would be curious if people can test this on other machines so we can
determine if this can be used to calculate remote uptime on Windows
machines (I have only one Windows machine at home).

Cheers,

Bojan
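As an added example (not part of Bojan's post), the uptime arithmetic above carried out for each tick resolution the thread mentions, run over the tcpdump line quoted in the post, plus the calibration step he asks readers to repeat: picking the resolution whose estimate best matches a locally observed uptime (here the uptime.exe reading of 1:41:12). Note that 58376 ticks gives the post's 97.29 minutes at 100 ms per tick; the sample line and the candidate resolutions are constructed from the post.

```python
import re

# Constructed sample input: the tcpdump line quoted in the post, joined onto one line.
SAMPLE_LINE = ("11:37:08.648979 IP 192.168.0.2.135 > 192.168.0.200.53756: . ack "
               "3451813541 win 65530 <nop,nop,timestamp 58376 627862633>")

# Tick resolutions (milliseconds per tick) the post lists as conflicting reports.
CANDIDATE_TICKS_MS = (1, 10, 100)

TIMESTAMP_RE = re.compile(r"timestamp (\d+) (\d+)")


def parse_tcp_timestamp(line):
    """Return (TSval, TSecr) from a tcpdump line, or None when the option is absent."""
    match = TIMESTAMP_RE.search(line)
    if match is None:
        return None
    return int(match.group(1)), int(match.group(2))


def uptime_seconds(tsval, tick_ms):
    """Uptime if TSval started at 0 on boot and advances one tick every tick_ms.

    A 32-bit TSval wraps after 2**32 ticks (about 49.7 days at 1 ms per tick,
    13.6 years at 100 ms), so the estimate is only a lower bound once the
    counter has wrapped.
    """
    return tsval * tick_ms / 1000.0


def format_uptime(seconds):
    """Render seconds as 'H:MM:SS' for comparison with tools like uptime.exe."""
    hours, rest = divmod(int(seconds), 3600)
    minutes, secs = divmod(rest, 60)
    return f"{hours}:{minutes:02d}:{secs:02d}"


def best_fit_tick_ms(tsval, observed_seconds, candidates=CANDIDATE_TICKS_MS):
    """Pick the tick resolution whose estimate is closest to a known local uptime.

    This is the calibration the post asks for: compare the TSval-derived
    estimate against the machine's own uptime reading on several hosts.
    """
    return min(candidates,
               key=lambda tick: abs(uptime_seconds(tsval, tick) - observed_seconds))


if __name__ == "__main__":
    tsval, _tsecr = parse_tcp_timestamp(SAMPLE_LINE)
    for tick in CANDIDATE_TICKS_MS:
        print(f"{tick:>3} ms/tick -> {format_uptime(uptime_seconds(tsval, tick))}")
    # uptime.exe in the post reported 1 hour, 41 minutes, 12 seconds = 6072 s.
    print("best fit:", best_fit_tick_ms(tsval, 6072), "ms/tick")
```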




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:27 EDT