Re: [PEN-TEST] Exploiting sequence number predictability

[Erik Tayler <nine () 14X NET>]

I would like to make a suggestion or two (mendax is good imho):

Mendax for Linux: Mendax is an easy-to-use tool for TCP sequence number
prediction and rshd spoofing.

Sorry, for I cannot find a URL.

Erik Tayler
14x Network Security
http://www.14x.net

----- Original Message -----
From: "Riley Hassell" <riley () WEB0 SPEAKEASY NET>
To: <PEN-TEST () SECURITYFOCUS COM>
Sent: Friday, August 18, 2000 10:50 PM
Subject: Re: Exploiting sequence number predictability


> Check out ADMrsh. ;)
>
>
>   Riley Hassell
>   Network Security
>   Speakeasy Networks
>   Phone : 206-728-9770x151
>   Email : riley () speakeasy net
>
>
> On Fri, 18 Aug 2000, Dawes, Rogan wrote:
>
> > Hi folks,
> >
> > I was wondering if anyone knew of any tools for exploiting predictable
> > initial sequence numbers?  I understand the concept, and always see
tools
> > like nmap reporting on the quality of the ISN. But I am wondering how
> > serious the vulnerability really is.  How easy is it to actually exploit
the
> > weak ISN's?
> >
> > I've also used tools like hunt, for session hijacking, but that
presupposes
> > knowlege of the sequence numbers on the network, and doesn't really
exploit
> > the predictability aspect.
> >
> > Are there any tools around that exploit this, or are they mostly limited
to
> > custom tools written for a specific situation?  What level of skill is
> > required to exploit a TCPWrappered telnet daemon, for example, assuming
I
> > know the username and password, and the exact banner and prompts?
> >
> > I imagine it is a case of:
> > 1. determine the predictability algorithm (64k rule, or whatever)
> > 2. Craft the packets required to execute the commands desired with the
IP
> > address of a permitted workstation.
> > (packet 1 : SYN
> >  packet 2 : ACK xxxxx/username^M
> >  packet 3 : ACK xxxxy/password^M
> >  packet 4 : ACK xxxxz/echo > /etc/hosts.deny; echo attacker >>
> > /etc/hosts.allow; exit^M, or whatever)
> >  where xxxxx-xxxxz are determined by the ISN, the number of bytes in the
> > banner and login prompt, password prompt, and welcome banner/motd)
> >
> > (I can see why the R services are an easier target, cos you avoid all
the
> > variables in the login sequence, and can include your credentials and
issue
> > your command in the (same) second packet sent, I think)
> >
> > 3. Check where the target machine is in its sequence numbers by making a
> > legit connection to, say echo, or whatever.
> > 4. spam out a flood of packets that cover the range of ISN's based on
the
> > time between the target machine answering the legit connection, and your
> > crafted packet arriving at the target.
> >
> > Is this how it works?
> >
> > Thanks.
> >
> > Sincerely,
> >
> > Rogan
> > --
> > In God we Trust -- all others must submit an X.509 certificate.
> >      -- Charles Forsythe <forsythe () alum mit edu>
> > --
> > Rogan Dawes
> > Deloitte & Touche
> > Enterprise Risk Services
> > Network & System Quality
> >
> > Tel:   +27 11 806 6216
> > Fax:   +27 11 806 5202
> > Cell:  +27 82 784 9498
> > Email: rdawes () deloitte co za
> > --
> > NOTE:  This e-mail message and its attachments is subject to the
> >        disclaimers as published at:
> >        http://www.deloitte.co.za/disc.htm#emaildisc