Re: [PEN-TEST] Exploiting sequence number predictability

[Haroon Meer <meer2 () NU AC ZA>]

Hi..

Try...
http://packetstorm.securify.com/docs/infosec/sequence_attacks.txt 
and
http://www.s0d.org/books/www.bitpunk.com/ipext.pdf 

Both give comprehensive detail on TCP Sequence attacks, and how / y they wrk.

Haroon Meer
+27 83 786 6637
Meer2 () nu ac za
 
It took the computing power of three C-64s to fly us to the Moon.
It takes a Pentium to run Windows 95. Something's not right here...



> > > simon () SNOSOFT COM 08/21/00 04:20AM >>>
I am interested in learning more about this subject.  I know nothing about
it and feel that I need to.   Does anyone have any documents that will
explain this to me from ground 0?


At 02:37 PM 8/18/2000 +0200, you wrote:
> Hi folks,
>
> I was wondering if anyone knew of any tools for exploiting predictable
> initial sequence numbers?  I understand the concept, and always see tools
> like nmap reporting on the quality of the ISN. But I am wondering how
> serious the vulnerability really is.  How easy is it to actually exploit the
> weak ISN's?
>
> I've also used tools like hunt, for session hijacking, but that presupposes
> knowlege of the sequence numbers on the network, and doesn't really exploit
> the predictability aspect.
>
> Are there any tools around that exploit this, or are they mostly limited to
> custom tools written for a specific situation?  What level of skill is
> required to exploit a TCPWrappered telnet daemon, for example, assuming I
> know the username and password, and the exact banner and prompts?
>
> I imagine it is a case of:
> 1. determine the predictability algorithm (64k rule, or whatever)
> 2. Craft the packets required to execute the commands desired with the IP
> address of a permitted workstation.
> (packet 1 : SYN
>  packet 2 : ACK xxxxx/username^M
>  packet 3 : ACK xxxxy/password^M
>  packet 4 : ACK xxxxz/echo > /etc/hosts.deny; echo attacker >>
> /etc/hosts.allow; exit^M, or whatever)
>  where xxxxx-xxxxz are determined by the ISN, the number of bytes in the
> banner and login prompt, password prompt, and welcome banner/motd)
>
> (I can see why the R services are an easier target, cos you avoid all the
> variables in the login sequence, and can include your credentials and issue
> your command in the (same) second packet sent, I think)
>
> 3. Check where the target machine is in its sequence numbers by making a
> legit connection to, say echo, or whatever.
> 4. spam out a flood of packets that cover the range of ISN's based on the
> time between the target machine answering the legit connection, and your
> crafted packet arriving at the target.
>
> Is this how it works?
>
> Thanks.
>
> Sincerely,
>
> Rogan
> --
> In God we Trust -- all others must submit an X.509 certificate.
>      -- Charles Forsythe <forsythe () alum mit edu>
> --
> Rogan Dawes
> Deloitte & Touche
> Enterprise Risk Services
> Network & System Quality
>
> Tel:   +27 11 806 6216
> Fax:   +27 11 806 5202
> Cell:  +27 82 784 9498
> Email: rdawes () deloitte co za 
> --
> NOTE:  This e-mail message and its attachments is subject to the
>        disclaimers as published at:
>        http://www.deloitte.co.za/disc.htm#emaildisc