Home > CAPEC List > CAPEC-323: TCP (ISN) Counter Rate Probe (Version 2.11)  

CAPEC-323: TCP (ISN) Counter Rate Probe

TCP (ISN) Counter Rate Probe
Definition in a New Window Definition in a New Window
Attack Pattern ID: 323
Abstraction: Detailed
Status: Stable
Completeness: Complete
Presentation Filter:
+ Summary

This OS detection probe measures the average rate of initial sequence number increments during a period of time. Sequence numbers are incremented using a time-based algorithm and are susceptible to a timing analysis that can determine the number of increments per unit time. The result of this analysis is then compared against a database of operating systems and versions to determine likely operation system matches.

+ Target Attack Surface

Target Attack Surface Description

Targeted OSI Layers: Transport Layer

Target Attack Surface Localities


Target Attack Surface Types: Host

Target Functional Services

Target Functional Service 1: None
Protocol 1: TCP
Protocol Header 1
Protocol Field NameProtocol Field DescriptionProtocol Data
Sequence Number
The sequence number of the first data octet in a segment (except when a SYN flag is present). If SYN is present the sequence number is the initial sequence number (ISN) of the connection and the first data octet is ISN+1. The sequence number consists of 32 bits.
For purposes of Sequence number analysis the data portion of the packet is either empty or ignored.
Related Protocol: Internet Protocol
Relationship Type
Uses Protocol
+ Attack Prerequisites
  • The ability to monitor and interact with network communications.

    Access to at least one host, and the privileges to interface with the network interface card.

+ Typical Severity


+ Typical Likelihood of Exploit

Likelihood: Medium

+ Resources Required

Any type of active probing that involves non-standard packet headers requires the use of raw sockets, which is not available on particular operating systems (Microsoft Windows XP SP 2, for example). Raw socket manipulation on Unix/Linux requires root privileges.

A tool capable of sending and receiving packets from a remote system.

+ Attack Motivation-Consequences
ScopeTechnical ImpactNote
Read application data
Bypass protection mechanism
Hide activities
+ References
[R.323.1] [REF-20] Stuart McClure, Joel Scambray and George Kurtz. "Hacking Exposed: Network Security Secrets & Solutions". Chapter 2: Scanning, pg. 56. 6th Edition. McGraw Hill. 2009.
[R.323.2] [REF-21] Defense Advanced Research Projects Agency Information Processing Techniques Office and Information Sciences Institute University of Southern California. "RFC793 - Transmission Control Protocol". Defense Advanced Research Projects Agency (DARPA). September 1981. <http://www.faqs.org/rfcs/rfc793.html>.
[R.323.3] [REF-22] Gordon "Fyodor" Lyon. "Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning". Chapter 8. Remote OS Detection. 3rd "Zero Day" Edition,. Insecure.com LLC. 2008.
+ Content History
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team
CAPEC Content TeamThe MITRE Corporation2017-05-01Updated Attack_Motivation-Consequences, Attack_Prerequisites, Related_Attack_Patterns, Resources_Required, Typical_Likelihood_of_ExploitInternal

More information is available — Please select a different filter.
Page Last Updated or Reviewed: August 04, 2017