Penetration Testing mailing list archives

Re: [PEN-TEST] Exploiting sequence number predictability


From: Jean-Simon Durand <bugtraq () SUPERNET CA>
Date: Mon, 21 Aug 2000 23:53:09 -0400

sirc3 does something very close to that.

It is a very old technique (2-3 years old at least) and it is rarely used
today (I think) because the sequence numbers on most of the Unix systems are
unpredictable. Most Windows systems are still vulnerable.

sirc was made with IRC in mind but if I remember correctly, it works with
the telnet daemon. It tries to guess the sequence numbers to establish a TCP
connection with any source IP address.

I attached (uuencoded) a copy of the source code for sirc3. I played with it
a very long time ago so I'm not even sure if it needs modification to
compile. If I remember correctly, it's for Linux but it can certainly be
ported to other OS's.

Have fun!

Jean-Simon Durand
Montreal, Quebec, Canada


----- Original Message -----
From: "Dawes, Rogan" <rdawes () DELOITTE CO ZA>
To: <PEN-TEST () SECURITYFOCUS COM>
Sent: Friday, August 18, 2000 8:37 AM
Subject: [PEN-TEST] Exploiting sequence number predictability

[snip]

I imagine it is a case of:
1. determine the predictability algorithm (64k rule, or whatever)
2. Craft the packets required to execute the commands desired with the IP
address of a permitted workstation.
(packet 1 : SYN
 packet 2 : ACK xxxxx/username^M
 packet 3 : ACK xxxxy/password^M
 packet 4 : ACK xxxxz/echo > /etc/hosts.deny; echo attacker >>
/etc/hosts.allow; exit^M, or whatever)
 where xxxxx-xxxxz are determined by the ISN, the number of bytes in the
banner and login prompt, password prompt, and welcome banner/motd)

Attachment: sirc3.tar.gz.uu

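The first step in the quoted message, determining whether a host's initial sequence numbers follow a predictable rule, is also the check a defender runs against their own hosts. The following is an added example and is not part of the original post or of sirc3: it takes ISNs observed in the SYN-ACKs of successive connections to one host, computes wrap-aware deltas, and classifies them along the lines of Nmap's ISN predictability index (all the sample ISNs below are constructed, and the thresholds and labels are this example's own heuristics, not Nmap's exact ones).

```python
"""Classify a host's TCP ISN behaviour from a list of observed ISNs.

Added example (not from the original post or from sirc3). Sample ISNs are
constructed inline; on a real host they would come from the server's SYN-ACK
in a packet capture of several successive connections.
"""
import hashlib
import math
import statistics
from itertools import accumulate

MOD = 1 << 32  # ISNs are 32-bit and wrap around


def signed_isn_deltas(isns):
    """Differences between consecutive ISNs, reduced mod 2^32 and signed.

    Reducing mod 2^32 handles wraparound (0xFFFFFF00 -> 0x100 is +512, not
    a huge negative step); mapping to [-2^31, 2^31) keeps the sign meaningful.
    """
    deltas = []
    for a, b in zip(isns, isns[1:]):
        d = (b - a) % MOD
        if d >= MOD // 2:
            d -= MOD
        deltas.append(d)
    return deltas


def classify_isns(isns):
    """Return (label, index) for a sequence of ISNs.

    labels (heuristic, this example's own):
      constant         every connection gets the same ISN
      64k rule         every delta is a multiple of 64000 (classic BSD-style)
      fixed increment  every delta is the same value
      weak             small random increments (index < 80)
      strong           large spread between ISNs
    The index is 8 * log2(stddev of deltas), in the spirit of Nmap's
    TCP ISN predictability index.
    """
    if len(isns) < 4:
        raise ValueError("need at least 4 ISN samples")
    deltas = signed_isn_deltas(isns)
    if all(d == 0 for d in deltas):
        return ("constant", 0.0)
    if all(d % 64000 == 0 for d in deltas):
        return ("64k rule", 0.0)
    if len(set(deltas)) == 1:
        return ("fixed increment", 0.0)
    sd = statistics.pstdev(deltas)
    index = 8 * math.log2(sd) if sd >= 1 else 0.0
    label = "weak" if index < 80 else "strong"
    return (label, index)


# --- constructed samples (not real captures) ---------------------------------
# Old-style stack: ISN grows by 64000 per connection.
SAMPLE_64K = [0x1000 + 64000 * i for i in range(8)]
# Time-based stack with slight jitter around +800 per connection.
JITTER_DELTAS = [803, 797, 805, 799, 801, 798, 804, 800, 796, 802]
SAMPLE_JITTER = list(accumulate([1_000_000] + JITTER_DELTAS))
# Random ISNs, derived deterministically from a hash so the run is repeatable.
SAMPLE_RANDOM = [
    int.from_bytes(hashlib.sha256(f"isn-{i}".encode()).digest()[:4], "big")
    for i in range(16)
]

if __name__ == "__main__":
    for name, sample in (("64k", SAMPLE_64K), ("jitter", SAMPLE_JITTER),
                         ("random", SAMPLE_RANDOM)):
        label, index = classify_isns(sample)
        print(f"{name:8s} -> {label} (index {index:.1f})")
```

Anything other than "strong" for one of your own hosts means an off-path attacker could attempt the blind spoofing the thread discusses; the fix is on the host (a modern stack with randomised ISNs), not in the classifier. Note that the index depends on the spread of the deltas, so a stack that increments by a large but fixed amount is still caught by the exact-equality checks before the statistics run.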