Subject: Re: TCP sequence numbers.
To: None <tech-security@netbsd.org>
From: Thilo Manske <Thilo.Manske@HEH.Uni-Oldenburg.DE>
List: tech-security
Date: 03/21/1999 15:44:53
On Sun, Mar 21, 1999 at 10:44:01AM +0100, Joachim Baran wrote:
>   On my last journey through the great unknown world of
> Unices I encountered that NetBSD manages its TCP
> sequence numbers in a linear way to time.
Really? Which version?

WintelKiller:/usr/rest/home/thilo #nmap -O -p 80 server
[...]
TCP Sequence Prediction: Class=random positive increments
                         Difficulty=149611 (Good luck!)
Remote operating system guess: NetBSD 1.3 - 1.3.3 little endian arch

WintelKiller:/usr/rest/home/thilo #nmap -O -p 80 localhost
[...]
TCP Sequence Prediction: Class=random positive increments
                         Difficulty=4975216 (Good luck!)
Remote operating system guess: NetBSD 1.3I (after 19990119) or 1.3.4

I always thought nmap could detect time-dependent sequence numbers.

From http://www.insecure.org/nmap/nmap-fingerprinting-article.txt:
TCP ISN Sampling -- The idea here is to find patterns in the initial
    sequence numbers chosen by TCP implementations when responding to
    a connection request.  These can be categorized into many groups
    such as the traditional 64K (many old UNIX boxes), Random
    increments (newer versions of Solaris, IRIX, FreeBSD, Digital
    UNIX, Cray, and many others), True "random" (Linux 2.0.*, OpenVMS,
    newer AIX, etc).  Windows boxes (and a few others) use a "time
    dependent" model where the ISN is incremented by a small fixed
    amount each time period.  Needless to say, this is almost as
    easily defeated as the old 64K behavior.  Of course my favorite
    technique is "constant".  The machines ALWAYS use the exact same
    ISN :).  I've seen this on some 3Com hubs (uses 0x803) and Apple
    LaserWriter printers (uses 0xC7001).

Bye,
  Thilo.
-- 
This is Thilo's Unix signature! Have fun with it.
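Added example, not code from this thread or from nmap: a small Python classifier that sorts a run of sampled ISNs into the classes the quoted article names, for auditing a host's own generator from captured SYN/ACKs. The 64000 step, the 5% tolerance for the time-dependent check and the "difficulty" measure are assumptions, not nmap's actual algorithm.

```python
import statistics

ISN_MOD = 2 ** 32
BSD_64K_STEP = 64000  # assumed per-connection step of the classic 4.2BSD generator

def deltas(isns):
    """Successive ISN increments modulo 2^32, because sequence numbers wrap."""
    return [(b - a) % ISN_MOD for a, b in zip(isns, isns[1:])]

def difficulty(isns):
    """Stand-in for nmap's 'Difficulty' index (an assumption, not nmap's
    formula): the standard deviation of the increments, so a generator whose
    next ISN follows from the last one scores 0."""
    d = deltas(isns)
    return int(statistics.pstdev(d)) if len(d) > 1 else 0

def classify(samples):
    """samples: [(seconds, isn), ...] from consecutive connection attempts to
    the host under audit. Probe spacing should vary, otherwise a generator
    with nearly equal increments looks time dependent."""
    times = [t for t, _ in samples]
    isns = [i for _, i in samples]
    d = deltas(isns)
    if len(d) < 2:
        raise ValueError("need at least three samples")
    if all(x == 0 for x in d):
        return "constant"                     # e.g. the 3Com hubs / LaserWriters
    if all(x == BSD_64K_STEP for x in d):
        return "64K"                          # traditional fixed step per connection
    rates = [x / (t2 - t1) for x, t1, t2 in zip(d, times, times[1:]) if t2 > t1]
    if len(rates) == len(d) and statistics.pstdev(rates) <= 0.05 * statistics.mean(rates):
        return "time dependent"               # fixed amount per time period
    if all(0 < x < ISN_MOD // 2 for x in d):
        return "random positive increments"   # the class nmap reported for NetBSD 1.3
    return "true random"

# Constructed sample runs (not real captures), one per class.
SAMPLES = {
    "constant": [(0.0, 0x803), (0.7, 0x803), (1.9, 0x803)],
    "64K": [(0.0, 1000), (0.4, 65000), (1.1, 129000), (2.5, 193000)],
    "time dependent": [(0.0, 0), (0.5, 50000), (1.0, 100000), (2.0, 200000)],
    "random positive increments": [(0.0, 10), (1.0, 1000010), (2.0, 1500010), (3.0, 4000010), (4.0, 4200010)],
    "true random": [(0.0, 0xDEADBEEF), (1.0, 0x12345678), (2.0, 0x9ABCDEF0), (3.0, 0x00000001)],
}

def audit():
    """Map each sample run to (class, difficulty)."""
    return {name: (classify(run), difficulty([i for _, i in run])) for name, run in SAMPLES.items()}

if __name__ == "__main__":
    for name, (cls, diff) in audit().items():
        print(f"{name:28s} -> Class={cls}, Difficulty={diff}")
```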