14 | 14 | * Hosts with randomized timestamps are protected from such attacks, while others |
15 | 15 | * may expose detailed system uptime and time information that attackers can use in |
16 | 16 | * subsequent attacks. Attack scenarios could include hosts that use system time to seed |
17 | | - * random generators to generate passwords as an example. |
| 17 | + * random generators to generate passwords as an example, testing when a system rebooted |
| 18 | + * to understand maintenance cycles, automated patching, testing if a kernel panic DoS |
| 19 | + * was successful and lastly fingerprinting with systems exposed behind NAT. |
18 | 20 | * |
19 | 21 | * The tool sends TCP SYN packets with timestamp options to target hosts and |
20 | 22 | * analyzes the returned timestamp values to determine: |
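Review bot: the added lines turn one sentence into a run-on that mixes an example clause ("... as an example") with a comma-separated list, and the final item, "fingerprinting with systems exposed behind NAT", does not say what is being fingerprinted. Suggest restating the scenarios as short comment bullets in the same block style, e.g. " * - hosts that seed password generators from system time", " * - inferring reboot times and maintenance or patch cycles", " * - distinguishing individual hosts that share one NAT address", and wrapping the new lines to the same width as the rest of the header comment.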
|
40 | 42 | * Environment Variables: |
41 | 43 | * DEBUG=1 Enable packet-level hex dump tracing |
42 | 44 | * |
| 45 | + * Linux Kernel TIMECRIME attack |
| 46 | + * ============================= |
| 47 | + * Linux sysctl can be 0 - disable, 1 - randomized, 2 - insecure. |
| 48 | + * e.g. "sudo sysctl -w net.ipv4.tcp_timestamps=2" to test PoC. |
| 49 | + * |
| 50 | + * We have noticed that on some Linux distributions net.ipv4.tcp_timestamps=1 |
| 51 | + * (the "randomized" default) DOES NOT RANDOMIZE PER-CONNECTION on real kernels. |
| 52 | + * Tested on DigitalOcean using kernel 6.12.48, Debian 13, 2025-11-07. Identical |
| 53 | + * monotonic 1000 Hz curve is seen with both 1 or 2 set. RFC 7323 §3.2 requires |
| 54 | + * per-connection jitter — Linux appears to ignore it. |
| 55 | + * |
| 56 | + * Impact: Any Internet-facing Linux box leaks exact boot time and OS fingerprint to |
| 57 | + * an unauthenticated attacker despite intending to randomize the data. |
| 58 | + * CVSS 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) |
| 59 | + * |
43 | 60 | * Author: hackerfantastic |
44 | 61 | * Website: https://hacker.house/ |
45 | 62 | * |
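Review bot: the claim that net.ipv4.tcp_timestamps=1 "DOES NOT RANDOMIZE PER-CONNECTION" is not established by the test described. Linux derives the timestamp offset from the source and destination IP addresses through a secret-keyed hash (secure_tcp_ts_off), so every connection between one probe host and the target shares the same offset and the same 1000 Hz slope; an identical monotonic curve observed from a single vantage point with both 1 and 2 is what that design produces and does not show the offset is missing. The measurement that separates the two settings is the absolute TSval compared across two different source addresses, or against the target's known uptime: with 2 the raw value should track uptime in milliseconds, with 1 it should differ by a constant that changes with the source address. Please record that comparison before stating the finding, narrow "Any Internet-facing Linux box" to the configuration actually tested (kernel 6.12.48, Debian 13), and quote the RFC 7323 sentence relied on for "requires per-connection jitter", since whether the RFC requires or merely permits an offset is what the CVSS 5.3 rating rests on.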