TCP Options Probe
Attack Pattern ID: 327 (Detailed Attack Pattern)Typical Severity: LowStatus: Draft
+ Description

Summary

This OS fingerprinting probe analyzes the type and order of any TCP header options present within a response segment. Most operating systems use unique ordering and different option sets when options are present. RFC 793 does not specify a required order when options are present, so different implementations use unique ways of ordering or structuring TCP options. TCP options can be generated by ordinary TCP traffic.

+ Target Attack Surface

Target Attack Surface Description

Targeted OSI Layers: Transport Layer

Target Attack Surface Localities

Server-side

Target Attack Surface Types: Host

Target Functional Services

Target Functional Service 1: None
Protocol 1: TCP
Protocol Header 1: TCP Header
Protocol Field NameProtocol Field Description
Options Field
The Options Field allows a TCP segment to specify specific requirements for its routing or may contain information such as a timestamp. Options may occupy space at the end of the TCP header and are a multiple of 8 bits in length. All options are included in the checksum.
Related Protocol: Internet Protocol
Relationship Type
Uses Protocol
+ Related Attack Patterns
NatureTypeIDNameDescriptionView(s) this relationship pertains toView\(s\)
ChildOfAttack PatternAttack Pattern315TCP/IP Fingerprinting Probes 
Mechanism of Attack (primary)1000
+ References
Stuart McClure, Joel Scambray, George Kurtz. "Hacking Exposed: Network Security Secrets & Solutions". 6th Edition. McGraw Hill, ISBN: 978-0-07-161374-3. 2009.
Defense Advanced Research Projects Agency (DARPA). "RFC793 - Transmission Control Protocol". 1981. <http://www.faqs.org/rfcs/rfc793.html>.
Gordon "Fyordor" Lyon. "Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning". 3rd "Zero Day" Edition, . Insecure.com LLC, ISBN:978-0-9799587-1-7. 2008.