|4. How NMap deals with the time service|
|I am very privileged in that I am the person that deals with the NMap service fingerprint submissions. This has forced me to dive into the guts of, literally, thousands and thousands of different services, network protocols, and server implementations that I otherwise would not have looked into.|
One of my goals for this blog is to try to write about interesting observations and discoveries I've made while doing this. I wish I'd started earlier because I have seen many fascinating, unusual things that I'd love to share with you all!
A quick one for now: the time protocol as defined by RFC 868. It turns out that the time protocol uses a different epoch than does standard unix time. Instead of "the beginning of time" being Jan 1st 1970, the time protocol uses Jan 1st 1900! Well this is all well and good, but NMap service scan (I'll just call it -sV from now on) matching this can be problematic. Do we match all probes that return exactly 4 bytes of data? We could, but imagine all the false positives we'd have!
I started seeing submissions for this service because when the probes file was originally created, it was set to only match times before 2004 or so. I had to bust out the calculator to determine unix->time offset to be 2208988800 (unix's jan 1st 1970 according to RFC 868) so I could update the values. Nmap should match this service correctly until the end of 2k8 when another update will be required.
I anticipate seeing submissions for this service running on hosts with misconfigured clocks for some time to come but there's not really anything I can do about this! Anyways, here's what I've put in the probes file:
# This will match systems with clocks set between the # following 2 dates: # 0xC4000000 = Mon, 15 Mar 2004 10:12:16 GMT # 0xCCFFFFFF = Sat, 27 Dec 2008 01:14:39 GMT # Also needs updating in the UDP Help probe (search for TIME) # TIME match time m|^[\xc4-\xcc]...$| i/32 bits/ match time m|^[\xc4-\xcc]....\0\0\0$| i/64 bits/
By the way, if you're interested in times and dates, Fourmilab has a fascinating page on all sorts of different date/time formats.