This OS detection probe measures the average rate at which a target's TCP initial sequence numbers (ISNs) increase over a period of time. Where ISNs are generated by a time-based counter, they are susceptible to a timing analysis that recovers the number of increments per unit of time. The measured rate is then compared against a database of operating systems and versions to determine the most likely operating system matches.
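As an added worked example (not part of the CAPEC entry), the script below carries out the timing analysis the paragraph describes on constructed data: it takes a series of (timestamp, ISN) observations, computes the per-interval increment rate while accounting for 32-bit wraparound, and compares the mean rate against a small profile table. The profile table, the sample data, and the two simulated generators are all constructed for illustration; the only real figure is RFC 793's suggested clock of one increment every 4 microseconds (250,000 per second). The second generator adds a per-connection pseudo-random offset, in the style RFC 6528 describes, and the stability check shows why such a generator defeats the rate measurement, which is the point a defender wants to verify about their own hosts.

```python
"""
Worked example of an ISN increment-rate analysis (added here; not part of
the CAPEC entry). All samples, offsets and profile entries are constructed.
"""

ISN_MODULUS = 2 ** 32  # the TCP sequence number is a 32-bit field (RFC 793)


def isn_delta(prev: int, cur: int) -> int:
    """Forward distance between two 32-bit ISNs, accounting for wraparound."""
    return (cur - prev) % ISN_MODULUS


def isn_rate(samples):
    """Average ISN increments per second over consecutive observations.

    `samples` is a list of (t_seconds, isn) tuples ordered by time.
    Returns (mean_rate, per_interval_rates).
    """
    if len(samples) < 2:
        raise ValueError("need at least two ISN observations")
    rates = []
    for (t0, s0), (t1, s1) in zip(samples, samples[1:]):
        dt = t1 - t0
        if dt <= 0:
            raise ValueError("samples must be strictly increasing in time")
        rates.append(isn_delta(s0, s1) / dt)
    return sum(rates) / len(rates), rates


def rate_stability(rates):
    """Coefficient of variation of the per-interval rates (0 = constant).

    A purely time-based generator yields a near-constant rate; a generator
    with a per-connection random component does not.
    """
    mean = sum(rates) / len(rates)
    if mean == 0:
        return 0.0
    var = sum((r - mean) ** 2 for r in rates) / len(rates)
    return (var ** 0.5) / mean


# Constructed profile table: (label, rate_lo, rate_hi) in increments/second.
# The labels are placeholders, not entries from any real fingerprint database.
PROFILES = [
    ("profile-A (RFC 793 style 4 us clock)", 240_000, 260_000),
    ("profile-B (slow fixed clock)", 900, 1_100),
]

UNSTABLE = "unclassifiable: rate not stable (random per-connection component)"


def classify(mean_rate, cv, max_cv=0.05):
    """Match a measured rate against PROFILES, refusing unstable measurements."""
    if cv > max_cv:
        return UNSTABLE
    for label, lo, hi in PROFILES:
        if lo <= mean_rate <= hi:
            return label
    return "no match"


# --- simulated ISN generators (constructed, for illustration only) ----------

def time_based_isn(t, tick_hz=250_000, base=12345):
    """Counter that advances with a fixed clock, as RFC 793 suggested."""
    return (base + int(t * tick_hz)) % ISN_MODULUS


# Hypothetical per-connection offsets standing in for F(4-tuple, secret)
# in an RFC 6528 style generator; hand-picked so the example is deterministic.
CONSTRUCTED_OFFSETS = [0x1A2B3C4D, 0x7F00FF00, 0x00001234,
                       0xDEADBEEF, 0x12345678, 0x0BADF00D]


def randomized_isn(t, conn_index, tick_hz=250_000, base=12345):
    """Time-based counter plus a per-connection secret offset."""
    off = CONSTRUCTED_OFFSETS[conn_index % len(CONSTRUCTED_OFFSETS)]
    return (base + int(t * tick_hz) + off) % ISN_MODULUS


def constructed_samples(generator, n=6, interval=0.1):
    """Six constructed SYN/ACK observations, one every 100 ms."""
    return [(i * interval, generator(i * interval, i)) for i in range(n)]


def analyze(generator):
    """Run the full analysis for one generator; returns (mean, cv, verdict)."""
    mean, rates = isn_rate(constructed_samples(generator))
    cv = rate_stability(rates)
    return mean, cv, classify(mean, cv)


if __name__ == "__main__":
    for name, gen in [("time-based", lambda t, i: time_based_isn(t)),
                      ("randomized", randomized_isn)]:
        mean, cv, verdict = analyze(gen)
        print(f"{name:10s} mean={mean:14.1f}/s cv={cv:.3f} -> {verdict}")
```

The stability check is the defender-side half of the analysis: if the per-interval rates of your own hosts' ISNs vary widely (high coefficient of variation), the generator is not a bare time-based counter and this probe yields no usable OS match against it.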
Target Attack Surface

Target Attack Surface Description
  Targeted OSI Layers: Transport Layer
  Target Attack Surface Localities: Server-side
  Target Attack Surface Types: Host

Target Functional Services
  Target Functional Service 1: None
    Protocol 1: TCP
      Protocol Header 1
        Protocol Field Name: Sequence Number
        Protocol Field Description: The sequence number of the first data octet in a segment (except when a SYN flag is present). If SYN is present, the sequence number is the initial sequence number (ISN) of the connection and the first data octet is ISN+1. The sequence number consists of 32 bits.
        Protocol Data: For the purposes of sequence number analysis, the data portion of the packet is either empty or ignored.
      Related Protocol: Internet Protocol
        Relationship Type: Uses Protocol
Attack Prerequisites
  - The ability to monitor and interact with network communications.
  - Access to at least one host, and the privileges to interface with the network interface card.
Typical Severity
Low
Typical Likelihood of Exploit
Likelihood: Medium
Resources Required
  - Any type of active probing that involves non-standard packet headers requires the use of raw sockets, which are not available on some operating systems (Microsoft Windows XP SP2, for example). Raw socket manipulation on Unix/Linux requires root privileges.
  - A tool capable of sending packets to and receiving packets from a remote system.
References
  [R.323.1] [REF-20] Stuart McClure, Joel Scambray and George Kurtz. "Hacking Exposed: Network Security Secrets & Solutions". Chapter 2: Scanning, pg. 56. 6th Edition. McGraw Hill. 2009.
  [R.323.2] [REF-21] Defense Advanced Research Projects Agency Information Processing Techniques Office and Information Sciences Institute, University of Southern California. "RFC793 - Transmission Control Protocol". Defense Advanced Research Projects Agency (DARPA). September 1981. <http://www.faqs.org/rfcs/rfc793.html>.
  [R.323.3] [REF-22] Gordon "Fyodor" Lyon. "Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning". Chapter 8: Remote OS Detection. 3rd "Zero Day" Edition. Insecure.com LLC. 2008.
Page Last Updated or Reviewed: August 04, 2017