Bugtraq mailing list archives

Re: Borderware predictable initial TCP

From: Roy.Hills () NTA-MONITOR COM (Roy Hills)
Date: Wed, 9 Sep 1998 11:21:13 +0100


At 20:31 08/09/98 -0600, Ivan Arce,CORE SDI wrote:

Hmmm
NT+SP3, Pentium 233Mhz
How exploitable does this look:

[List of consistent, predictable TCP sequence numbers deleted]


Looks like I was too quick to dismiss a one-per-millisecond sequence
as "not predictable in the real world"!  Thanks for correcting me.

I've also got a feeling that it may be possible to send multiple ACKs to the
server and the incorrect ones might just get ignored - if this is true,
then it
would be possible to "bracket" the predicted sequence no. with multiple
ACKs to increase the chance of success.  Does anyone know if this is
really the case?

Roy Hills
NTA Monitor Ltd
--
Roy Hills                                    Tel:   01634 721855
NTA Monitor Ltd                              FAX:   01634 721844
6 Beaufort Court, Medway City Estate,        Email: Roy.Hills () nta-monitor com
Rochester, Kent ME2 4FB, UK                  WWW:   http://www.nta-monitor.com/

Current thread:

Re: Borderware predictable initial TCP Ulf Munkedal (Sep 02)
- Re: Borderware predictable initial TCP Roy Hills (Sep 03)
  - Re: Borderware predictable initial TCP Ivan Arce,CORE SDI (Sep 08)
    - Re: Borderware predictable initial TCP Roy Hills (Sep 09)
    - Re: Borderware predictable initial TCP Patrick (Sep 09)
  - Win NT40 seq pred. Was: Borderware predictable initial TCP Ulf Munkedal (Sep 09)
  - L0pht Answering Machine Advisory Dr. Mudge (Sep 09)