Nmap Development mailing list archives

Re: nmap and predictable ISN's or SN's


From: Denis Ducamp <Denis.Ducamp () hsc fr>
Date: Tue, 6 Nov 2001 11:44:52 +0100

On Tue, Nov 06, 2001 at 11:23:43AM +0100, Ralf Hildebrandt wrote:
> Hi!

Hi,

> Today I was looking at
> http://razor.bindview.com/publish/papers/tcpseq.html

a great paper :)

> and asked myself if nmap could be used to gather this data during a scan.

The -Q option of hping (http://www.hping.org/) is certainly what you need:

# ./hping2 -S -p 80 -c 10 -Q www
HPING www (eth0 192.168.1.25): S set, 40 headers + 0 data bytes
1048123854 +1048123854
1983594997 +935471143
1361981332 +3673353630
 433528998 +3366514961
 727732780 +294203782
 959329434 +231596654
1885473328 +926143894
 235633102 +2645127069
 965566788 +729933686
1781858662 +816291874

--- www hping statistic ---
10 packets tramitted, 10 packets received, 0% packet loss
round-trip min/avg/max = 81.9/107.2/140.3 ms

From the HPING2(8) page :

       -Q --seqnum
              This  option  can  be  used  in  order  to  collect
              sequence numbers generated by target host. This can
              be  useful  when  you  need  to analyze whether TCP
              sequence number is predictable. Output example:
[...]
              The first column reports the sequence  number,  the
              second difference between current and last sequence
              number. As you can see target host's sequence numbers
              are predictable.

To analyse it using gnuplot is fairly easy then.

Denis Ducamp.

-- 
 Denis.Ducamp () hsc fr --- Hervé Schauer Consultants --- http://www.hsc.fr/
 Owl/Openwall/snort/hping/dsniff en français   http://www.groar.org/trad/
            Owl en français    http://www.openwall.com/Owl/fr/
 Du bon usage de ... http://usenet-fr.news.eu.org/fr-chartes/rfc1855.html

---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to 
nmap-dev-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).
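An added worked example, my own code rather than anything from the message, from hping or from nmap: the script parses the `hping2 -Q` output quoted above, recomputes the increments modulo 2^32 from the first column (it does not trust the printed second column), classifies the generator with a few heuristics of my own choosing (fixed step, gcd step, noisy counter, otherwise the spread of the increments in bits), and tries a nearest-neighbour guess in the delayed-coordinate space that the Bindview paper plots: the last three increments describe the current state, and the increments that followed the most similar past states become the candidates for the next ISN. Assumptions: Python 3.8 or later (for math.dist), the thresholds, the window size and the three constructed comparison sequences are all mine, and the ten-sample capture is far too short to judge a real host, so the synthetic sequences show what a guessable and an unguessable generator look like under the same test. The (state, next increment) points returned by phase_points() are also what you would dump for gnuplot's splot.

```python
"""Analyse TCP ISN samples for predictability: parse `hping2 -Q` output,
classify the generator, and try a phase-space guess at the next ISN."""
import math
import random
import re
import statistics
from functools import reduce

MOD = 1 << 32  # ISNs are 32-bit; every difference wraps modulo this

# Constructed sample: the ten ISNs from the hping2 -Q run quoted in the message.
HPING_OUTPUT = """\
HPING www (eth0 192.168.1.25): S set, 40 headers + 0 data bytes
1048123854 +1048123854
1983594997 +935471143
1361981332 +3673353630
 433528998 +3366514961
 727732780 +294203782
 959329434 +231596654
1885473328 +926143894
 235633102 +2645127069
 965566788 +729933686
1781858662 +816291874
--- www hping statistic ---
"""
SEQ_LINE = re.compile(r"^\s*(\d+)\s+\+(\d+)\s*$")


def parse_hping_seqnums(text):
    """ISNs (first column) from `hping2 -Q` output; other lines are ignored."""
    return [int(m.group(1)) for m in map(SEQ_LINE.match, text.splitlines()) if m]


def deltas(isns):
    """Increments between consecutive ISNs, recomputed modulo 2^32 from the ISNs."""
    return [(b - a) % MOD for a, b in zip(isns, isns[1:])]


def signed(x):
    """Wrapped 32-bit difference -> signed, so -5 does not look like 2^32-5."""
    return x - MOD if x >= MOD // 2 else x


def classify(isns):
    """Coarse generator class; the thresholds are this example's own, not nmap's."""
    d = deltas(isns)
    if len(d) < 2:
        raise ValueError("need at least three ISN samples")
    if not any(d):
        return "constant"
    if len(set(d)) == 1:
        return f"fixed increment (+{d[0]})"
    step = reduce(math.gcd, d)
    if step > 1:
        return f"counter with step {step} (gcd of the increments)"
    s = [signed(x) for x in d]
    sd, mean = statistics.pstdev(s), statistics.mean(s)
    if sd < 0.01 * abs(mean):  # increments cluster tightly around one value
        return f"noisy counter (mean increment {mean:.0f}, stdev {sd:.0f})"
    return f"no obvious structure (increment stdev {sd:.3g}, ~{math.log2(sd):.1f} bits)"


def phase_points(isns):
    """Delayed coordinates: one ((d[t-1], d[t-2], d[t-3]), d[t]) pair per step, as for splot."""
    d = [signed(x) for x in deltas(isns)]
    return [((d[t - 1], d[t - 2], d[t - 3]), d[t]) for t in range(3, len(d))]


def guess_next(isns, k=3):
    """Candidates for the next ISN: the increments that followed the k past states closest to the current one."""
    d = [signed(x) for x in deltas(isns)]
    if len(d) < 5:
        raise ValueError("need at least six ISN samples")
    cur = (d[-1], d[-2], d[-3])
    nearest = sorted(phase_points(isns), key=lambda p: math.dist(cur, p[0]))[:k]
    return sorted({(isns[-1] + inc) % MOD for _, inc in nearest})


def hit_rate(isns, window=1024, k=3, warmup=8):
    """Replay the capture, guessing s[t+1] from s[0..t]; a hit means the real ISN lies within `window` of a candidate."""
    hits = trials = 0
    for t in range(warmup, len(isns) - 1):
        cands = guess_next(isns[:t + 1], k)
        if any(abs(signed((isns[t + 1] - c) % MOD)) <= window for c in cands):
            hits += 1
        trials += 1
    return hits / trials if trials else float("nan")


def synthetic(kind, n=60, seed=1):
    """Constructed comparison sequences (assumption: not measurements of any real host)."""
    rng = random.Random(seed)
    step = {"64k": lambda: 64000,                                   # fixed step per connection
            "jittered": lambda: 128000 + rng.randint(-500, 500),    # clock-driven, a little noise
            "random": lambda: rng.getrandbits(32)}[kind]            # fresh 32-bit value each time
    s = [rng.getrandbits(32)]
    for _ in range(n - 1):
        s.append((s[-1] + step()) % MOD)
    return s


if __name__ == "__main__":
    print("hping sample:", classify(parse_hping_seqnums(HPING_OUTPUT)))
    for kind in ("64k", "jittered", "random"):
        print(f"{kind:9s} guessable {hit_rate(synthetic(kind)):.0%}  {classify(synthetic(kind))}")
```

Run it directly to see the classes and the hit rates. With a real target, collect a few hundred ISNs (hping2 -c 500 or more) before reading anything into the stdev or the hit rate, and keep in mind that the window argument stands in for the burst of spoofed segments an attacker would actually have to send around each candidate.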
