[ntp:questions] Re: Fingerprinting hosts by clock skew

John Pettitt jpp at cloudview.com
Thu Mar 10 06:15:02 UTC 2005

mayer at gis.net wrote:
> ----- Original Message Follows -----
>>At 4:52 PM -0500 2005-03-09, mayer at gis.net wrote:
>>> It's not worth bothering with all this. I've seen code that use two
>>> or three ICMP messages to fingerprint your system and tell exactly
>>> what you're running for O/S and hardware. You don't even need to
>>> worry about the clock. It can tell just be looking at how it
>>handles the message.
>>    I know about nmap, and I have some idea of how it works.  One 
>>problem is that a lot of places block ICMP, and many host-level 
>>firewalling implementations will do the same.  Operating systems like 
>>OpenBSD will randomize certain aspects of any response packets that 
>>do get sent back, and the result will be a machine that will be 
>>difficult or impossible to determine what they're running.
> This technique has nothing to do with nmap. It's something else
> entirely.
> Unfortunately I don't remember any of the details.
> Danny

It's not about fingerprinting operating systems - it's about
fingerprinting specific machines but their clock skew - ntp would
render the technique unworkable except that the clock used by the tcp
stack is not the kernel clock that's disciplined by ntp.

It's an interesting technique that should be relatively easy to defeat
if the people maintaining the TCP stack choose to do so (either by
introducing some random jitter or by using an ntp disciplined clock or


More information about the questions mailing list