Win NT40 seq pred. Was: Borderware predictable initial TCP

[munkedal () N-M COM (Ulf Munkedal)]

Our tests have shown that it's quite easy to predict TCP seq number on Win
NT 40 SP3 - also over the Internet. Some examples (using Internet Scanner)
from a penetration test we did not long ago:

Web Server on Win NT 40:
 TrivialGuess: 7 out of 19 (36.84%)
 TrivialGuess: 21 out of 22 (95.45%)
 TrivialGuess: 5 out of 13 (38.46%)

Firewall-1 on Win NT 40:
 TrivialGuess: 23 out of 24 (95.83%)
 TrivialGuess: 6 out of 16 (37.50%)

Given this, it's not difficult to do a spoofing attack on Win NT 40 SP3
over the Internet.

I think the reason we don't hear about more spoofing attacks on Win NT is
because it doesn't normally carry rlogin, rsh, telnet like services where
TCP spoofing attacks make sense. But similar remote shell like services
might very well be added by Microsoft some day not to far from now.

See also Roys mail below.

Ulf Munkedal

---
Ulf Munkedal
Partner
Neupart & Munkedal
http://www.n-m.com
Tel +45 7020 6565
Fax +45 7020 6065
Public PGP Key: http://www.n-m.com/pgp/
---
SecureTest
- Vished for Internet-sikkerhed


----------
From:   Roy Hills[SMTP:Roy.Hills () NTA-MONITOR COM]
Reply To:       Roy Hills
Sent:   3. september 1998 10:49
To:     BUGTRAQ () netspace org
Subject:        Re: Borderware predictable initial TCP

While NT 4 SP3 does have a pattern to it's initial TCP sequence
numbers, my observations show this to be a "one-per-millisecond"
seqence which is much less of a problem than the "64k increments"
pattern exhibited by Borderware and HP-UX 10.x default configurations.

With the "64k increments" pattern, the server's initial TCP sequence
number is increased by 64,000 for each incoming connection and by
128,000 each second.  These granularities of inbound connections and
seconds are sufficiently course to make sequence number prediction
trivial.

By contrast, the "one-per-millisecond" sequence shown by NT 4 SP3
increases the initial TCP sequence number by one every millisecond.
I think that this would be very difficult to exploit remotely because the
latency variations over an Internet connection are generally much greater
than a millisecond.  I guess that it may be possible to exploit over a LAN
connection, but even then, I doubt that it would be easy.

Has anyone actually seen or demonstrated a successful spoofing
attack against NT 4 SP3 over an Internet connection?

Roy Hills
NTA Monitor

At 22:14 02/09/98 +0200, Ulf Munkedal wrote:
> This also applies to Firewall-1 on a Windows NT SP3. Vendor has been
> notified some time ago.
>
> Like with HP-UX this is an NT problem, but one could argue that firewall
> vendors should replace/strengthen the TCP/IP stack on that platform since
> MS hasn't solved TCP seq prediction on NT and it has been known for quite
> some time. SP3 helps but it doesn't solve the problem.
>
> Ulf