Penetration Testing mailing list archives

RE: Auditing boxes with predictable IP Sqeuence(s)

From: "Reidy, Patrick" <Patrick.Reidy () veritect com>
Date: Mon, 25 Feb 2002 18:52:45 -0500

TCP predictability has a few well known possibilities for exploit, not the
least of which is packet injection / hijacking.  There are a boat load of
tools out there, but I personally like Hunt.  The tool only works if you are
local and can actually sniff the traffic between a client and the targeted
server.  Of course if your target does not have any ports open...

As far as figuring out what the boxes are, there are a lot of ways to skin
that cat, might I suggest traffic analysis, if you have the Ethernet access
(meaning you can sniff).  Watch the traffic with TCPdump and if you see a
lot of UDP traffic going to a device and it's all encrypted you got a VPN
box, etc.
 

-----Original Message-----
From: Ralph Los
To: pen-test () securityfocus com
Sent: 2/25/2002 11:47 AM
Subject: Auditing boxes with predictable IP Sqeuence(s)
Sensitivity: Confidential

Hello,

        On a network I've recently had the pleasure :) to audit I came
up
with a bunch of hosts which nMap classifies as 'unknown', but with
predictable TCP Sqeuence(s).  Now...are there any tools out there for
either
Linux/Win2k that will allow me to exploit this type of 'vulnerability'?
These hosts don't return any other open port information, so I'm
guessing
they're either switches, or routers or VPN concentrators...is there any
way
to determine which of those it most likely is?  Are there any patterns
to
look for, when determining router/switch/vpn box??

Thanks in advance.....something I don't know and I figured I'd ask...


Cheers!



----------------------------------------|
Ralph M. Los
Sr. Security Consultant and Trainer
          EnterEdge Technology, L.L.C.
          rlos () enteredge com
          (770) 955-9899 x.206
----------------------------------------| 


------------------------------------------------------------------------
----
This list is provided by the SecurityFocus Security Intelligence Alert
(SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please
see:
https://alerts.securityfocus.com/

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/

Current thread:

Auditing boxes with predictable IP Sqeuence(s) Ralph Los (Feb 25)
- <Possible follow-ups>
- RE: Auditing boxes with predictable IP Sqeuence(s) Aleksander P. Czarnowski (Feb 26)
- RE: Auditing boxes with predictable IP Sqeuence(s) Reidy, Patrick (Feb 26)
- Re: Auditing boxes with predictable IP Sqeuence(s) The Blueberry (Feb 27)
- RE: Auditing boxes with predictable IP Sqeuence(s) Toni Heinonen (Feb 28)