At 16:20 +0100 24/9/2004, Martin O'Neal wrote:
> > This is a plugin I had wanted to write for a long time...
>
> Likewise!
>
> > (a) Some Cisco products seem to set the top bit in the first byte...
>
> Any ideas which ones? The specs don't seem to require the TIMESTAMP
> field to be in any particular order, so some are little-endian and some
> big-endian. Is this a variation on the theme?

It seems to be some (but not all) routers.

This is from a modified version of the icmp_timestamp.nasl
As you can see, the response is little-endian, but with x80 set on the first byte.

$ nasl icmp_timestamp.nasl -t xxx.xxx.xxx.xxx
The remote host answers to an ICMP timestamp request. This allows an attacker
to know the time that is set on your machine.
This may help him to defeat all your time based authentication protocols.

The remote system is probably a Cisco router.
The current time on the remote system is:
0x8050d341 = 5296961 ticks = 1:28:16.961

Solution : filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).
Risk factor : Low

$ nasl icmp_timestamp.nasl -t xxx.xxx.xxx.xxx
The remote host answers to an ICMP timestamp request. This allows an attacker
to know the time that is set on your machine.
This may help him to defeat all your time based authentication protocols.

The remote system is probably a Cisco router.
The current time on the remote system is:
0x805147dd = 5326813 ticks = 1:28:46.813

Solution : filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).
Risk factor : Low
$

> > (b) Could the actual time of day (local and remote)....
>
> Not a problem for UTC, however local time would end up being a sandwich
> (no mayonnaise).
>
> > (c) In other areas, scripts only check one thing.
>
> Agreed!
>
> > (d) The HTTP test may need to test both 80 and 443...
>
> Doesn't the script already cover this through the call to
> get_http_port()?

Yes. I didn't want anyone to get fixed with the idea of _the_ web server. I have seen different timestamps for the web servers on ports 80 and 443 on a single IP address.
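
Added example (not part of the original message and not Nessus plugin code): a decoder for the 4-byte ICMP timestamp field that reproduces the tick counts in the two outputs above. It relies on RFC 792, which reserves the high-order bit of the value to mark a non-standard timestamp; the function names and the plausibility rule (ticks must fit in one day of milliseconds) are assumptions of this sketch.

```python
import struct

MS_PER_DAY = 24 * 60 * 60 * 1000  # standard values are ms since midnight UT


def decode_timestamp(wire: bytes):
    """Decode one ICMP timestamp field exactly as received on the wire.

    Tries both byte orders. For each, the high-order bit of the resulting
    32-bit value is the RFC 792 "non-standard" flag and the low 31 bits are
    the tick count. Returns (byte_order, ticks, nonstandard) for every
    interpretation whose tick count fits inside one day.
    """
    if len(wire) != 4:
        raise ValueError("ICMP timestamp fields are exactly 4 bytes")
    candidates = []
    for order, fmt in (("big", ">I"), ("little", "<I")):
        (value,) = struct.unpack(fmt, wire)
        nonstandard = bool(value >> 31)
        ticks = value & 0x7FFFFFFF
        if ticks < MS_PER_DAY:
            candidates.append((order, ticks, nonstandard))
    return candidates


def format_ticks(ticks: int) -> str:
    """Render milliseconds since midnight as h:mm:ss.mmm."""
    hours, rem = divmod(ticks, 3_600_000)
    minutes, rem = divmod(rem, 60_000)
    seconds, ms = divmod(rem, 1000)
    return f"{hours}:{minutes:02d}:{seconds:02d}.{ms:03d}"


# The two values shown in the plugin output above, as wire bytes, plus one
# constructed sample: the second tick count as a host sending the field
# least-significant byte first would emit it.
SAMPLES = [
    bytes.fromhex("8050d341"),
    bytes.fromhex("805147dd"),
    bytes.fromhex("dd475100"),  # constructed
]

if __name__ == "__main__":
    for raw in SAMPLES:
        for order, ticks, flag in decode_timestamp(raw):
            print(f"0x{raw.hex()} {order}-endian "
                  f"nonstandard={flag} {ticks} ticks = {format_ticks(ticks)}")
```

An all-zero field is plausible in both byte orders, so the function returns every candidate and leaves the choice to the caller.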