Penetration Testing mailing list archives

RE: Auditing boxes with predictable IP Sequence(s)


From: "Toni Heinonen" <Toni.Heinonen () teleware fi>
Date: Wed, 27 Feb 2002 22:06:13 +0200

Since nmap recognizes a lot of routers and switches it is probably or an exotic router, a vpn or a printer. (I recently came up at a bunch of HP printers not recognized by nmap...) But I'm not aware of canned scripts/exploits to exploit TCP sequence numbers vulnerability but I don't think it would be of much resort for you apart if there are servers denying service to external networks...

Active OS fingerprinting rarely works if there aren't any open TCP or UDP ports, and as the original poster mentioned, there weren't any. There are tools such as hunt that exploit weak serial numbers so you can hijack TCP connections, but I don't believe you'll be having a lot of connections to or from switches or routers. The only connections usually made into these devices are management connections. I think in this particular case they manage their network devices from a serial console instead of telnet or ssh, because telnet or ssh wasn't open.

Then again, since NMAP can't gather good hard data from the boxes as it doesn't find open TCP ports, it reports a 
different level of TCP sequence number randomness than that actually encountered in real life TCP connections.

So simply put they're hardened network devices such as switches or routers that really won't be having security holes 
since they aren't offering any services. At best you can do denial of service against these devices, if there's a bug 
in the TCP/IP-implementation.

TONI HEINONEN, CISSP
   TELEWARE OY
   Telephone  +358 (9) 3434 9123  *  Fax  +358 (9) 3431 321
   Wireless  +358 40 836 1815
   Kauppakartanonkatu 7, 00930 Helsinki
   toni.heinonen () teleware fi  *  www.teleware.fi
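Both the quoted message and the reply turn on how predictable a device's TCP initial sequence numbers (ISNs) are, which is what nmap's "TCP sequence prediction" output summarizes. The following is an added example, not code from the original thread or from nmap: a small auditor that takes ISNs already sampled from one of your own devices (here a constructed list, since a device only hands out an ISN in a SYN/ACK from a port that is actually listening) and classifies them by how much an observer would have to guess. The class names, the 2^32 wrap handling and the threshold of 16 bits between "predictable" and "random" are this example's own assumptions and only approximate the difficulty index nmap reports.

```python
"""Classify sampled TCP initial sequence numbers (ISNs) by predictability.

Added illustration for a defender auditing their own devices; the categories and
thresholds are assumptions of this example, not nmap's exact algorithm.
"""
import math
import statistics

ISN_MODULUS = 2 ** 32  # ISNs are 32-bit and wrap around

# Assumed threshold: fewer than this many bits of spread in successive
# increments is treated as guessable by an on-path or off-path observer.
RANDOM_BITS_THRESHOLD = 16.0


def isn_deltas(isns):
    """Increments between consecutive ISNs, taken modulo 2^32 so that a
    counter wrapping past 0xFFFFFFFF is still seen as a plain increment."""
    return [(later - earlier) % ISN_MODULUS for earlier, later in zip(isns, isns[1:])]


def difficulty_bits(deltas):
    """Rough entropy estimate: log2 of the spread of the increments.
    A fixed increment has zero spread, so it yields 0 bits."""
    spread = statistics.pstdev(deltas)
    return math.log2(spread + 1.0)


def classify_isns(isns):
    """Return (class_name, difficulty_bits) for a list of sampled ISNs.

    class_name is one of:
      'constant'        every connection gets the same ISN
      'fixed increment' ISN = previous ISN + k for a constant k
      'predictable'     increments vary, but within a narrow window
      'random'          increments spread over a large part of the space
    """
    if len(isns) < 4:
        raise ValueError("need at least four ISN samples to say anything useful")
    deltas = isn_deltas(isns)
    if all(d == 0 for d in deltas):
        return "constant", 0.0
    if len(set(deltas)) == 1:
        return "fixed increment", 0.0
    bits = difficulty_bits(deltas)
    if bits < RANDOM_BITS_THRESHOLD:
        return "predictable", bits
    return "random", bits


def audit_report(name, isns):
    """One-line summary suitable for an audit log."""
    cls, bits = classify_isns(isns)
    return f"{name}: ISN generation is {cls} (~{bits:.1f} bits of increment spread)"


# Constructed sample data standing in for ISNs captured from four devices.
SAMPLES = {
    "printer-constant": [0x12345678] * 6,
    # a counter that happens to wrap past 2^32 between the first two samples
    "switch-counter": [ISN_MODULUS - 500, 500, 1500, 2500, 3500],
    # counter with a little timing jitter, still easy to guess
    "router-jittery": [1000, 2010, 2990, 4005, 5000],
    "host-random": [0x1A2B3C4D, 0x9F8E7D6C, 0x13572468, 0xDEADBEEF, 0x0BADF00D, 0x5555AAAA],
}

if __name__ == "__main__":
    for device, samples in SAMPLES.items():
        print(audit_report(device, samples))
```

The wrap-around case is the one that is easy to get wrong when re-implementing this by hand: without the modulo in `isn_deltas`, the switch sample above would show one huge negative jump and be misreported as random rather than as a plain counter.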

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/

