Re: [PEN-TEST] Exploiting sequence number predictability

From: Riley Hassell <riley_at_WEB0.SPEAKEASY.NET>
Date: Fri, 18 Aug 2000 20:50:43 -0700

Check out ADMrsh. ;)

  Riley Hassell
  Network Security
  Speakeasy Networks
  Phone : 206-728-9770x151
  Email : riley_at_speakeasy.net

On Fri, 18 Aug 2000, Dawes, Rogan wrote:

> Hi folks,
>
> I was wondering if anyone knew of any tools for exploiting predictable
> initial sequence numbers? I understand the concept, and always see tools
> like nmap reporting on the quality of the ISN. But I am wondering how
> serious the vulnerability really is. How easy is it to actually exploit the
> weak ISNs?
>
> I've also used tools like hunt, for session hijacking, but that presupposes
> knowledge of the sequence numbers on the network, and doesn't really exploit
> the predictability aspect.
>
> Are there any tools around that exploit this, or are they mostly limited to
> custom tools written for a specific situation? What level of skill is
> required to exploit a TCPWrappered telnet daemon, for example, assuming I
> know the username and password, and the exact banner and prompts?
>
> I imagine it is a case of:
> 1. determine the predictability algorithm (64k rule, or whatever)
> 2. Craft the packets required to execute the commands desired with the IP
> address of a permitted workstation.
> (packet 1 : SYN
> packet 2 : ACK xxxxx/username^M
> packet 3 : ACK xxxxy/password^M
> packet 4 : ACK xxxxz/echo > /etc/hosts.deny; echo attacker >>
> /etc/hosts.allow; exit^M, or whatever)
> where xxxxx-xxxxz are determined by the ISN, the number of bytes in the
> banner and login prompt, password prompt, and welcome banner/motd)
>
> (I can see why the R services are an easier target, cos you avoid all the
> variables in the login sequence, and can include your credentials and issue
> your command in the (same) second packet sent, I think)
>
> 3. Check where the target machine is in its sequence numbers by making a
> legit connection to, say echo, or whatever.
> 4. spam out a flood of packets that cover the range of ISNs based on the
> time between the target machine answering the legit connection, and your
> crafted packet arriving at the target.
>
> Is this how it works?
>
> Thanks.
>
> Sincerely,
>
> Rogan
> --
> In God we Trust -- all others must submit an X.509 certificate.
> -- Charles Forsythe <forsythe_at_alum.mit.edu>
> --
> Rogan Dawes
> Deloitte & Touche
> Enterprise Risk Services
> Network & System Quality
>
> Tel: +27 11 806 6216
> Fax: +27 11 806 5202
> Cell: +27 82 784 9498
> Email: rdawes_at_deloitte.co.za
> --
> NOTE: This e-mail message and its attachments are subject to the
> disclaimers as published at:
> http://www.deloitte.co.za/disc.htm#emaildisc
>
>
Received on Aug 21 2000
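The "quality of the ISN" that nmap reports, which the question above refers to, comes from sampling a handful of ISNs from the target and looking at how regular the differences between successive samples are: a fixed increment per connection (the "64k rule") or a clock-driven counter leaves a tight, predictable spread, whereas a properly randomized generator leaves deltas spread across the whole 32-bit space. The script below is an added example, not code from this post or from nmap. It rates a list of sampled ISNs on that basis; the rating thresholds, the function names and the three simulated generators (`fixed_increment_isns`, `time_based_isns`, `random_isns`) are this example's own constructions, and nmap's real scoring differs in detail.

```python
"""Rate the predictability of a TCP ISN generator from sampled ISNs.

Added example (not nmap's code). Thresholds are assumptions chosen for
illustration; the generators at the bottom are simulations, not captures.
"""
import math
import random
import statistics

MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap around


def isn_deltas(samples):
    """Signed differences between successive ISNs, wraparound-aware."""
    deltas = []
    for a, b in zip(samples, samples[1:]):
        d = (b - a) % MOD
        if d > MOD // 2:       # a backwards step is a small negative delta, not a huge jump
            d -= MOD
        deltas.append(d)
    return deltas


def rate_isn(samples):
    """Return (rating, stddev_of_deltas, gcd_of_deltas) for a list of ISNs.

    ratings: 'constant'        every sample identical
             'fixed increment' same step on every connection (e.g. +64000)
             'low'             deltas spread over less than a 16-bit window
             'medium'          deltas spread over less than a 24-bit window
             'random'          deltas spread across the 32-bit space
    The window cut-offs are this example's assumption, not nmap's.
    """
    if len(samples) < 3:
        raise ValueError("need at least 3 ISN samples")
    deltas = isn_deltas(samples)
    sd = statistics.pstdev(deltas)
    step = 0
    for d in deltas:
        step = math.gcd(step, abs(d))   # granularity of the increment, if any
    if all(d == 0 for d in deltas):
        return "constant", 0.0, 0
    if sd == 0:
        return "fixed increment", 0.0, step
    if sd < (1 << 16):
        return "low", sd, step
    if sd < (1 << 24):
        return "medium", sd, step
    return "random", sd, step


# --- constructed sample generators (simulated stacks, not real hosts) ---

def fixed_increment_isns(n, step=64000, start=0x1000):
    """Classic 'ISN += 64K per connection' behaviour (the 64k rule in the thread)."""
    return [(start + i * step) % MOD for i in range(n)]


def time_based_isns(n, start=0x2000, per_sec=128000, per_conn=64000, seed=1):
    """Clock-driven counter (per-second and per-connection increments) observed
    with 10-15 ms of probe jitter, simulated with a seeded RNG."""
    rng = random.Random(seed)
    out, t = [], 0.0
    for i in range(n):
        t += 0.01 + rng.random() * 0.005
        out.append((start + int(t * per_sec) + i * per_conn) % MOD)
    return out


def random_isns(n, seed=1):
    """Generator that draws every ISN uniformly from the 32-bit space."""
    rng = random.Random(seed)
    return [rng.getrandbits(32) for _ in range(n)]


if __name__ == "__main__":
    for name, samples in (("fixed", fixed_increment_isns(16)),
                          ("time-based", time_based_isns(16)),
                          ("random", random_isns(16))):
        rating, sd, step = rate_isn(samples)
        print(f"{name:11s} rating={rating:16s} stddev={sd:14.1f} gcd={step}")
```

The standard deviation of the deltas is the quantity worth watching: it is roughly the size of the window an observer would have to guess over, so a stack whose deltas cluster within a few thousand values after a single probe is the case the question is asking about, while a generator that lands in the "random" band offers nothing to predict.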