Nmap Development: RE: nmap and predictable ISN's or SN's

RE: nmap and predictable ISN's or SN's

From: Fernando Cardoso <fernando.cardoso_at_whatevernet.com>
Date: Tue, 6 Nov 2001 10:56:07 -0000

Better yet. ISNprober by Tom Vandepoel.

# isnprober -c www:80 www2:443
-- ISNprober / 1.01 / Tom Vandepoel (Tom.Vandepoel_at_ubizen.com) --

Using eth0:z.z.z.z

Probing host: www on TCP port 80.
Probing host: www2 on TCP port 443.

Host:port   ISN          Delta
www3:80     1832271647
www2:443    1833423850   1152203
www:80      1833668032    244182
www2:443    1834155463    487431
www:80      1834484097    328634
www2:443    1835762782   1278685

www:80 [+] <> www2:443 [+] == [+]

Cheers

Fernando

--
Fernando Cardoso - Security Consultant       WhatEverNet Computing, S.A.
Phone : +351 21 7994200                      Praca de Alvalade, 6 - Piso 6
Fax   : +351 21 7994242                      1700-036 Lisboa - Portugal
email : fernando.cardoso@whatevernet.com     http://www.whatevernet.com/
> -----Original Message-----
> From: Denis Ducamp [mailto:Denis.Ducamp_at_hsc.fr]
> Sent: Tuesday, 6 November 2001 10:45
> To: nmap-dev_at_insecure.org
> Subject: Re: nmap and predictable ISN's or SN's
>
>
> On Tue, Nov 06, 2001 at 11:23:43AM +0100, Ralf Hildebrandt wrote:
> > Hi!
>
> Hi,
>
> > Today I was looking at
> > http://razor.bindview.com/publish/papers/tcpseq.html
>
> a great paper :)
>
> > and asked myself if nmap could be used to gather this data
> during a scan.
>
> the -Q option from hping http://www.hping.org/ is certainly what
> you need :
>
> # ./hping2 -S -p 80 -c 10 -Q www
> HPING www (eth0 192.168.1.25): S set, 40 headers + 0 data bytes
> 1048123854 +1048123854
> 1983594997 +935471143
> 1361981332 +3673353630
>  433528998 +3366514961
>  727732780 +294203782
>  959329434 +231596654
> 1885473328 +926143894
>  235633102 +2645127069
>  965566788 +729933686
> 1781858662 +816291874
>
> --- www hping statistic ---
> 10 packets tramitted, 10 packets received, 0% packet loss
> round-trip min/avg/max = 81.9/107.2/140.3 ms
>
> From the HPING2(8) page :
>
>        -Q --seqnum
>               This  option  can  be  used  in  order  to  collect
>               sequence numbers generated by target host. This can
>               be  useful  when  you  need  to analyze whether TCP
>               sequence number is predictable. Output example:
> [...]
>               The first column reports the sequence  number,  the
>               second difference between current and last sequence
>               number. As you can see target host's sequence num-
>               bers are predictable.
>
> > To analyse it using gnuplot is fairly easy then.
>
> Denis Ducamp.
>
> --
>  Denis.Ducamp@hsc.fr --- Hervé Schauer Consultants --- http://www.hsc.fr/
>  Owl/Openwall/snort/hping/dsniff in French   http://www.groar.org/trad/
>             Owl in French    http://www.openwall.com/Owl/fr/
>  On the proper use of ... http://usenet-fr.news.eu.org/fr-chartes/rfc1855.html
>
> ---------------------------------------------------------------------
> For help using this (nmap-dev) mailing list, send a blank email to
> nmap-dev-help_at_insecure.org . List run by ezmlm-idx (www.ezmlm.org).
>
>
>
For help using this (nmap-dev) mailing list, send a blank email to 
nmap-dev-help_at_insecure.org . List run by ezmlm-idx (www.ezmlm.org).
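Automating the eyeballing of those deltas, as an added example that is not part of the thread, hping, ISNprober or nmap: a short Python script that recomputes hping's "+" column and turns a run of ISNs into a crude predictability score. The ISN values in HPING_RUN are reused from the quoted hping output; the 64000-per-connection run, the score and its thresholds are this example's own assumptions, loosely modelled on nmap's TCP sequence index rather than taken from its code.

```python
"""Score a captured run of TCP ISNs for predictability, automating the
eyeballing of hping -Q / ISNprober deltas discussed in the thread."""
from math import gcd, log2
from statistics import pstdev

MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap around

# Sample runs. HPING_RUN is the first column of the hping -Q output quoted
# above; OLD_STACK_RUN is constructed to mimic a 64000-per-connection counter.
HPING_RUN = [1048123854, 1983594997, 1361981332, 433528998, 727732780,
             959329434, 1885473328, 235633102, 965566788, 1781858662]
OLD_STACK_RUN = [1000, 65000, 129000, 193000, 257000]

def deltas(isns):
    """Differences between consecutive ISNs modulo 2^32 (hping's '+' column;
    where a sample wrapped, the quoted hping build printed one less)."""
    return [(b - a) % MOD for a, b in zip(isns, isns[1:])]

def predictability(isns):
    """Return (gcd, spread_bits, verdict) for a run of at least three ISNs.

    gcd: greatest common divisor of the deltas (a coarse counter shows up as
    a large gcd). spread_bits: log2 of the standard deviation of the deltas
    with the gcd divided out, roughly how many bits an observer who knows the
    last ISN still has to guess. Thresholds are this example's own, loosely
    modelled on nmap's TCP sequence index, not nmap's code.
    """
    d = deltas(isns)
    if len(d) < 2:
        raise ValueError("need at least three ISNs")
    g = 0
    for x in d:
        g = gcd(g, x)
    if g == 0:
        return 0, 0.0, "constant: every connection gets the same ISN"
    sd = pstdev([x // g for x in d])
    bits = log2(sd) if sd >= 1 else 0.0
    if bits < 1:
        verdict = "constant increment of %d per connection: trivially predictable" % g
    elif bits < 20:
        verdict = "low spread: clock- or counter-driven, guessable within a narrow window"
    else:
        verdict = "high spread: increments look random"
    return g, bits, verdict

if __name__ == "__main__":
    for name, run in (("hping sample", HPING_RUN), ("old stack", OLD_STACK_RUN)):
        g, bits, verdict = predictability(run)
        print("%-12s gcd=%d spread=%.1f bits  %s" % (name, g, bits, verdict))
```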
Received on Nov 06 2001