Hi..
Try...
http://packetstorm.securify.com/docs/infosec/sequence_attacks.txt
and
http://www.s0d.org/books/www.bitpunk.com/ipext.pdf
Both give comprehensive detail on TCP Sequence attacks, and how / why they work.
Haroon Meer
+27 83 786 6637
Meer2_at_nu.ac.za
It took the computing power of three C-64s to fly us to the Moon.
It takes a Pentium to run Windows 95. Something's not right here...
>>> simon_at_SNOSOFT.COM 08/21/00 04:20AM >>>
I am interested in learning more about this subject. I know nothing about
it and feel that I need to. Does anyone have any documents that will
explain this to me from ground 0?
At 02:37 PM 8/18/2000 +0200, you wrote:
>Hi folks,
>
>I was wondering if anyone knew of any tools for exploiting predictable
>initial sequence numbers? I understand the concept, and always see tools
>like nmap reporting on the quality of the ISN. But I am wondering how
>serious the vulnerability really is. How easy is it to actually exploit the
>weak ISNs?
>
>I've also used tools like hunt, for session hijacking, but that presupposes
>knowledge of the sequence numbers on the network, and doesn't really exploit
>the predictability aspect.
>
>Are there any tools around that exploit this, or are they mostly limited to
>custom tools written for a specific situation? What level of skill is
>required to exploit a TCPWrappered telnet daemon, for example, assuming I
>know the username and password, and the exact banner and prompts?
>
>I imagine it is a case of:
>1. determine the predictability algorithm (64k rule, or whatever)
>2. Craft the packets required to execute the commands desired with the IP
>address of a permitted workstation.
>(packet 1 : SYN
> packet 2 : ACK xxxxx/username^M
> packet 3 : ACK xxxxy/password^M
> packet 4 : ACK xxxxz/echo > /etc/hosts.deny; echo attacker >>
>/etc/hosts.allow; exit^M, or whatever)
> where xxxxx-xxxxz are determined by the ISN, the number of bytes in the
>banner and login prompt, password prompt, and welcome banner/motd)
>
>(I can see why the R services are an easier target, cos you avoid all the
>variables in the login sequence, and can include your credentials and issue
>your command in the (same) second packet sent, I think)
>
>3. Check where the target machine is in its sequence numbers by making a
>legit connection to, say echo, or whatever.
>4. spam out a flood of packets that cover the range of ISNs based on the
>time between the target machine answering the legit connection, and your
>crafted packet arriving at the target.
>
>Is this how it works?
>
>Thanks.
>
>Sincerely,
>
>Rogan
>--
>In God we Trust -- all others must submit an X.509 certificate.
> -- Charles Forsythe <forsythe_at_alum.mit.edu>
>--
>Rogan Dawes
>Deloitte & Touche
>Enterprise Risk Services
>Network & System Quality
>
>Tel: +27 11 806 6216
>Fax: +27 11 806 5202
>Cell: +27 82 784 9498
>Email: rdawes_at_deloitte.co.za
>--
>NOTE: This e-mail message and its attachments is subject to the
> disclaimers as published at:
> http://www.deloitte.co.za/disc.htm#emaildisc
Received on Aug 23 2000
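The "quality of the ISN" figure that nmap reports, which Rogan mentions above, can be approximated from a handful of ISNs observed on successive connections to one of your own hosts. The following is an added example, not code from anyone in this thread and not nmap's own algorithm; the classification thresholds and the three sample ISN series are constructed assumptions.

```python
import math
from functools import reduce
from statistics import pstdev

SEQ_SPACE = 1 << 32  # TCP sequence numbers are 32-bit and wrap around


def isn_deltas(isns):
    """Differences between consecutive ISNs, reduced modulo 2^32 so a
    generator that wraps still shows its true step."""
    return [(b - a) % SEQ_SPACE for a, b in zip(isns, isns[1:])]


def isn_quality(isns):
    """Rate a series of ISNs observed from successive connections.

    Returns (step, spread_bits, verdict):
      step        - greatest common divisor of the deltas, i.e. the
                    generator's granularity (64000 for the classic 64k rule)
      spread_bits - log2 of the population std. dev. of the deltas after
                    dividing out `step`; a simplified stand-in for the
                    predictability index nmap prints, not nmap's formula
      verdict     - classification; the thresholds are assumptions
    """
    deltas = isn_deltas(isns)
    if len(deltas) < 2:
        raise ValueError("need at least three ISNs")
    step = reduce(math.gcd, deltas)
    if step == 0:
        return 0, 0.0, "constant ISN"          # same ISN on every connection
    spread = pstdev([d // step for d in deltas])
    bits = math.log2(spread) if spread >= 1 else 0.0
    if spread == 0:
        verdict = "constant increment"         # next ISN = last ISN + step
    elif bits < 10:
        verdict = "low entropy"                # small, guessable jitter
    else:
        verdict = "appears random"
    return step, bits, verdict


# Constructed sample series (not real captures):
BSD_STYLE = [1000 + 64000 * i for i in range(6)]            # fixed 64000 step
JITTERED = [4096]
for d in (128000, 128004, 127996, 128012):                   # clock-driven, slight jitter
    JITTERED.append((JITTERED[-1] + d) % SEQ_SPACE)
RANDOMISED = [0x9A3F1C2E, 0x1B7E44D0, 0xE05C9A71,
              0x4F12B3C8, 0x7C8E0D15, 0xA6D31F9B]            # hand-picked 32-bit values

if __name__ == "__main__":
    for name, series in (("bsd_style", BSD_STYLE), ("jittered", JITTERED),
                         ("randomised", RANDOMISED)):
        step, bits, verdict = isn_quality(series)
        print(f"{name:11} step={step:<6} spread={bits:5.1f} bits -> {verdict}")
```

A "constant increment" or "low entropy" verdict on a host is the condition the thread's attack needs; a "random" verdict on a modern stack is the expected result.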