Home > CAPEC List > CAPEC-322: TCP (ISN) Greatest Common Divisor Probe (Version 2.9)  

CAPEC-322: TCP (ISN) Greatest Common Divisor Probe

TCP (ISN) Greatest Common Divisor Probe
Definition in a New Window Definition in a New Window
Attack Pattern ID: 322
Abstraction: Detailed
Status: Draft
Completeness: Stub
Presentation Filter:
+ Summary

This OS fingerprinting probe sends a number of TCP SYN packets to an open port of a remote machine. The Initial Sequence Number (ISN) in each of the SYN/ACK response packets is analyzed to determine the smallest number that the target host uses when incrementing sequence numbers. This information can be useful for identifying an operating system because particular operating systems and versions increment sequence numbers using different values. The result of the analysis is then compared against a database of OS behaviors to determine the OS type and/or version.

+ Target Attack Surface

Target Attack Surface Description

Targeted OSI Layers: Transport Layer

Target Attack Surface Localities


Target Attack Surface Types: Host

Target Functional Services

Target Functional Service 1: None
Protocol 1: TCP
Protocol Header 1
Protocol Field NameProtocol Field DescriptionProtocol Data
Sequence Number
The sequence number of the first data octet in a segment (except when a SYN flag is present). If SYN is present the sequence number is the initial sequence number (ISN) of the connection and the first data octet is ISN+1. The sequence number consists of 32 bits.
For purposes of Sequence number analysis the data portion of the packet is either empty or ignored.
Related Protocol: Internet Protocol
Relationship Type
Uses Protocol
+ Typical Severity


+ Attack Motivation-Consequences
ScopeTechnical ImpactNote
"Varies by context"
Bypass protection mechanism
Hide activities
+ References
[R.322.1] [REF-20] Stuart McClure, Joel Scambray and George Kurtz. "Hacking Exposed: Network Security Secrets & Solutions". Chapter 2: Scanning, pg. 56. 6th Edition. McGraw Hill. 2009.
[R.322.2] [REF-21] Defense Advanced Research Projects Agency Information Processing Techniques Office and Information Sciences Institute University of Southern California. "RFC793 - Transmission Control Protocol". Defense Advanced Research Projects Agency (DARPA). September 1981. <http://www.faqs.org/rfcs/rfc793.html>.
[R.322.3] [REF-22] Gordon "Fyodor" Lyon. "Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning". Chapter 8. Remote OS Detection. 3rd "Zero Day" Edition,. Insecure.com LLC. 2008.
+ Content History
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team

More information is available — Please select a different filter.
Page Last Updated or Reviewed: December 07, 2015