TCP timestamp attack according to RFC 1323

With various tools it is possible to determine a machine's uptime via the option specified in RFC 1323 Section 3.2 (TCP timestamps): the timestamp value a host sends is a counter that starts near zero at boot and advances at a fixed tick rate. In theory, this can be used to mount attacks against unpatched kernels / missing security updates (a long uptime suggests the kernel has not been rebooted for an update).
Here is an nmap example:

sudo nmap -O -v 10.0.0.1

Starting Nmap 6.25 ( http://nmap.org ) at 2013-10-17 22:21 CEST
Initiating ARP Ping Scan at 22:21
Scanning 10.0.0.1 [1 port]
Completed ARP Ping Scan at 22:21, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 22:21
Completed Parallel DNS resolution of 1 host. at 22:21, 0.05s elapsed
Initiating SYN Stealth Scan at 22:21
Scanning 10.0.0.1 [1000 ports]
Discovered open port 22/tcp on 10.0.0.1
Completed SYN Stealth Scan at 22:21, 0.17s elapsed (1000 total ports)
Initiating OS detection (try #1) against 10.0.0.1
Nmap scan report for 10.0.0.1
Host is up (0.0011s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
MAC Address: B8:27:EB:00:00:00 (Raspberry Pi Foundation)
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.6
Uptime guess: 17.048 days (since Mon Sep 30 21:12:28 2013)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=255 (Good luck!)
IP ID Sequence Generation: All zeros

Read data files from: /usr/local/bin/../share/nmap
OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.00 seconds
           Raw packets sent: 1023 (45.806KB) | Rcvd: 1015 (41.282KB)

nmap's “guess” of 17.048 days agrees well with the actual uptime of 17 days, 1:14.
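How nmap arrives at such a guess, as an added example (not part of the original post and not nmap's code): given a few replies with their capture time and TSval, fit the tick rate, snap it to a common rate, and divide the last TSval by it. The sample data is constructed, and the snapping to a fixed list of rates is a simplification of nmap's rounding; a host with tcp_timestamps=0 sends no TSval at all, which is the TS=U case the script returns None for.

```python
"""Estimate host uptime from TCP timestamp (TSval) samples, in the spirit of
nmap's "Uptime guess": the TSval counter starts near zero at boot and advances
at a fixed tick rate, so tick_rate * uptime == TSval."""
from typing import Optional, Sequence, Tuple

# Tick rates commonly seen in the wild; the fitted slope is snapped to the nearest
# one (a simplification of nmap's rounding, an assumption of this example).
COMMON_HZ = (2, 10, 100, 200, 250, 500, 1000)


def fit_tick_rate(samples: Sequence[Tuple[float, int]]) -> float:
    """Least-squares slope of TSval over capture time (seconds): ticks per second."""
    n = len(samples)
    if n < 2:
        raise ValueError("need at least two timestamped packets")
    mean_t = sum(t for t, _ in samples) / n
    mean_v = sum(v for _, v in samples) / n
    num = sum((t - mean_t) * (v - mean_v) for t, v in samples)
    den = sum((t - mean_t) ** 2 for t, _ in samples)
    if den == 0:
        raise ValueError("samples must span more than one instant")
    return num / den


def estimate_uptime_days(samples: Sequence[Tuple[float, Optional[int]]]) -> Optional[float]:
    """Uptime guess in days, or None when the peer sent no timestamp option
    (nmap reports this as TS=U; that is what tcp_timestamps=0 produces)."""
    if any(v is None for _, v in samples):
        return None
    rate = fit_tick_rate([(t, v) for t, v in samples if v is not None])
    hz = min(COMMON_HZ, key=lambda c: abs(c - rate))
    _, last_tsval = samples[-1]
    return last_tsval / hz / 86400.0


# Constructed capture: five replies 0.5 s apart from a host ticking at 100 Hz that
# has been up about 17.048 days (TSval ~ 147,294,720 at the first reply).
SAMPLES_WITH_TS = [(0.0, 147294720), (0.5, 147294770), (1.0, 147294820),
                   (1.5, 147294870), (2.0, 147294920)]
# Same host after "sysctl net.ipv4.tcp_timestamps=0": no TSval in any reply.
SAMPLES_NO_TS = [(0.0, None), (0.5, None), (1.0, None)]

if __name__ == "__main__":
    print("tick rate:", fit_tick_rate(SAMPLES_WITH_TS), "Hz")
    print("uptime guess (days):", estimate_uptime_days(SAMPLES_WITH_TS))
    print("after disabling timestamps:", estimate_uptime_days(SAMPLES_NO_TS))
```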

To prevent this, use one of the following two commands (both take effect immediately but do not survive a reboot; note that turning timestamps off also disables PAWS and the RTT measurement from RFC 1323, so it is a trade-off):
echo 0 > /proc/sys/net/ipv4/tcp_timestamps
sysctl net.ipv4.tcp_timestamps=0

or enter it directly in /etc/sysctl.conf so that it persists:
net.ipv4.tcp_timestamps=0

After that nmap no longer gets meaningful answers (the fingerprint below shows TS=U, i.e. no timestamp option in the replies):

sudo nmap -O -v 10.0.0.1

Starting Nmap 6.25 ( http://nmap.org ) at 2013-10-17 22:25 CEST
Initiating ARP Ping Scan at 22:25
Scanning 10.0.0.1 [1 port]
Completed ARP Ping Scan at 22:25, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 22:25
Completed Parallel DNS resolution of 1 host. at 22:25, 0.03s elapsed
Initiating SYN Stealth Scan at 22:25
Scanning 10.0.0.1 [1000 ports]
Discovered open port 22/tcp on 10.0.0.1
Completed SYN Stealth Scan at 22:25, 0.16s elapsed (1000 total ports)
Initiating OS detection (try #1) against 10.0.0.1
Retrying OS detection (try #2) against 10.0.0.1
Retrying OS detection (try #3) against 10.0.0.1
Retrying OS detection (try #4) against 10.0.0.1
Retrying OS detection (try #5) against 10.0.0.1
Nmap scan report for 10.0.0.1
Host is up (0.00061s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
MAC Address: B8:27:EB:00:00:00 (Raspberry Pi Foundation)
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=6.25%E=4%D=10/17%OT=22%CT=1%CU=43776%PV=Y%DS=1%DC=D%G=Y%M=B827EB%
OS:TM=526047B0%P=x86_64-unknown-linux-gnu)SEQ(SP=106%GCD=1%ISR=10E%TI=Z%CI=
OS:Z%II=I%TS=U)OPS(O1=M5B4NNSNW6%O2=M5B4NNSNW6%O3=M5B4NW6%O4=M5B4NNSNW6%O5=
OS:M5B4NNSNW6%O6=M5B4NNS)WIN(W1=3908%W2=3908%W3=3908%W4=3908%W5=3908%W6=390
OS:8)ECN(R=Y%DF=Y%T=40%W=3908%O=M5B4NNSNW6%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S
OS:+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=
OS:)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%
OS:A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%
OS:DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=
OS:40%CD=S)

Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: All zeros

Read data files from: /usr/local/bin/../share/nmap
OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.19 seconds
           Raw packets sent: 1111 (52.918KB) | Rcvd: 1071 (46.022KB)