Re: [PEN-TEST] Exploiting sequence number predictability

From: Pedro Quintanilha <quinta_at_CERTBR.COM.BR>
Date: Tue, 22 Aug 2000 23:11:23 -0300

Another easy-to-implement exploit is to send SPAM through an SMTP server
that doesn't permit relay only by the source IP... again, it's easy only
if the target server is Windoze, thanks to the M$ lack of vision about
TCP sequence number prediction.

As the SMTP protocol is very simple, it's very simple to exploit in this way.

[]'s

Pedro Quintanilha
quinta_at_certbr.com.br

Jean-Simon Durand wrote:
>
> sirc3 does something very close to that.
>
> It is a very old technique (2-3 years old at least) and it is rarely used
> today (I think) because the sequence numbers on most of the Unix systems are
> unpredictable. Most Windows systems are still vulnerable.
>
> sirc was made with IRC in mind but if I remember correctly, it works with
> the telnet daemon. It tries to guess the sequence numbers to establish a TCP
> connection with any source IP address.
>
> I attached (uuencoded) a copy of the source code for sirc3. I played with it
> a very long time ago so I'm not even sure if it needs modification to
> compile. If I remember correctly, it's for Linux but it can certainly be
> ported to other OSes.
>
> Have fun!
>
> Jean-Simon Durand
> Montreal, Quebec, Canada
>
> ----- Original Message -----
> From: "Dawes, Rogan" <rdawes_at_DELOITTE.CO.ZA>
> To: <PEN-TEST_at_SECURITYFOCUS.COM>
> Sent: Friday, August 18, 2000 8:37 AM
> Subject: [PEN-TEST] Exploiting sequence number predictability
>
> [snip]
>
> > I imagine it is a case of:
> > 1. determine the predictability algorithm (64k rule, or whatever)
> > 2. Craft the packets required to execute the commands desired with the IP
> > address of a permitted workstation.
> > (packet 1 : SYN
> > packet 2 : ACK xxxxx/username^M
> > packet 3 : ACK xxxxy/password^M
> > packet 4 : ACK xxxxz/echo > /etc/hosts.deny; echo attacker >>
> > /etc/hosts.allow; exit^M, or whatever)
> > where xxxxx-xxxxz are determined by the ISN, the number of bytes in the
> > banner and login prompt, password prompt, and welcome banner/motd)
>
> ------------------------------------------------------------------------
> Name: sirc3.tar.gz.uu
> sirc3.tar.gz.uu Type: application/x-compressed
> Encoding: quoted-printable
Received on Aug 23 2000
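As an added illustration, not code from this thread or from sirc3, here is a simplified offline check of how predictable a set of ISN samples is, of the kind a scanner runs when it rates a host's ISN generation (the "64K rule" named in the thread is one of the patterns it recognises). The ISN samples, label names and the 2^16 spread threshold are constructed for the example.

```python
"""Rate TCP initial sequence number (ISN) predictability from samples.

Added example: it contacts no host. It only analyses ISN values that were
already collected (below, constructed samples), so an auditor can tell
whether a host's ISN generator is an old fixed-increment one or random.
"""
from statistics import pstdev
import random

MOD = 2 ** 32  # ISNs are 32-bit, so successive differences wrap


def isn_deltas(isns):
    """Differences between consecutive ISN samples, modulo 2^32."""
    return [(b - a) % MOD for a, b in zip(isns, isns[1:])]


def classify_isn(isns):
    """Return a label describing how predictable the ISN sequence looks.

    Labels (simplified; assumption, not a scanner's exact taxonomy):
      'constant'            every connection gets the same ISN
      '64K rule'            fixed increment of 64000 per sample (old Windows)
      'constant increment'  some other fixed increment
      'low entropy'         increments vary, but only within a small range
      'random'              increments are spread over a wide range
    """
    if len(isns) < 3:
        raise ValueError("need at least three samples")
    deltas = isn_deltas(isns)
    if len(set(deltas)) == 1:
        step = deltas[0]
        if step == 0:
            return "constant"
        if step == 64000:
            return "64K rule"
        return "constant increment"
    # Spread of the increments: a small spread means the next ISN lies in a
    # narrow window. The 2^16 cut-off is an assumption chosen for this example.
    return "low entropy" if pstdev(deltas) < 2 ** 16 else "random"


if __name__ == "__main__":
    old_windows = [0x1000 + 64000 * i for i in range(6)]   # constructed
    rng = random.Random(1)
    modern = [rng.getrandbits(32) for _ in range(20)]       # constructed
    print("old Windows-style samples:", classify_isn(old_windows))
    print("random samples:          ", classify_isn(modern))
```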
