Penetration Testing mailing list archives
Re: [PEN-TEST] Exploiting sequence number predictability
From: "Bill Casti, CQA" <quire () CASTI COM>
Date: Tue, 22 Aug 2000 19:28:10 -0400
You can download it at http://packetstorm.securify.com/Exploit_Code_Archive/indexsize.shtml or http://www.xenos.net/pub/security/tools/all

Sorry. I didn't realize till too late that the other site's link was dead.

Bill

On Mon, 21 Aug 2000, Erik Tayler wrote:

> I would like to make a suggestion or two (mendax is good imho):
>
> Mendax for Linux:
> Mendax is an easy-to-use tool for TCP sequence number prediction and rshd spoofing.
>
> Sorry, for I cannot find a URL.
>
> Erik Tayler
> 14x Network Security
> http://www.14x.net
>
> ----- Original Message -----
> From: "Riley Hassell" <riley () WEB0 SPEAKEASY NET>
> To: <PEN-TEST () SECURITYFOCUS COM>
> Sent: Friday, August 18, 2000 10:50 PM
> Subject: Re: Exploiting sequence number predictability
>
> > Check out ADMrsh. ;)
> >
> > Riley Hassell
> > Network Security
> > Speakeasy Networks
> > Phone : 206-728-9770x151
> > Email : riley () speakeasy net
> >
> > On Fri, 18 Aug 2000, Dawes, Rogan wrote:
> >
> > > Hi folks,
> > >
> > > I was wondering if anyone knew of any tools for exploiting predictable initial sequence numbers?
> > >
> > > I understand the concept, and always see tools like nmap reporting on the quality of the ISN. But I am wondering how serious the vulnerability really is. How easy is it to actually exploit the weak ISNs?
> > >
> > > I've also used tools like hunt, for session hijacking, but that presupposes knowledge of the sequence numbers on the network, and doesn't really exploit the predictability aspect.
> > >
> > > Are there any tools around that exploit this, or are they mostly limited to custom tools written for a specific situation?
> > >
> > > What level of skill is required to exploit a TCPWrappered telnet daemon, for example, assuming I know the username and password, and the exact banner and prompts?
> > >
> > > I imagine it is a case of:
> > >
> > > 1. determine the predictability algorithm (64k rule, or whatever)
> > >
> > > 2. Craft the packets required to execute the commands desired with the IP address of a permitted workstation.
> > >
> > > (packet 1 : SYN
> > >  packet 2 : ACK xxxxx/username^M
> > >  packet 3 : ACK xxxxy/password^M
> > >  packet 4 : ACK xxxxz/echo > /etc/hosts.deny; echo attacker >> /etc/hosts.allow; exit^M, or whatever)
> > >
> > > where xxxxx-xxxxz are determined by the ISN, the number of bytes in the banner and login prompt, password prompt, and welcome banner/motd)
> > >
> > > (I can see why the R services are an easier target, cos you avoid all the variables in the login sequence, and can include your credentials and issue your command in the (same) second packet sent, I think)
> > >
> > > 3. Check where the target machine is in its sequence numbers by making a legit connection to, say echo, or whatever.
> > >
> > > 4. spam out a flood of packets that cover the range of ISNs based on the time between the target machine answering the legit connection, and your crafted packet arriving at the target.
> > >
> > > Is this how it works?
> > >
> > > Thanks.
> > >
> > > Sincerely,
> > >
> > > Rogan
> > >
> > > -- In God we Trust -- all others must submit an X.509 certificate. -- Charles Forsythe <forsythe () alum mit edu>
> > >
> > > --
> > > Rogan Dawes
> > > Deloitte & Touche Enterprise Risk Services
> > > Network & System Quality
> > > Tel: +27 11 806 6216
> > > Fax: +27 11 806 5202
> > > Cell: +27 82 784 9498
> > > Email: rdawes () deloitte co za
> > >
> > > --
> > > NOTE: This e-mail message and its attachments is subject to the disclaimers as published at: http://www.deloitte.co.za/disc.htm#emaildisc
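Rogan's question of how serious a weak ISN really is comes down to how narrow a window the next ISN falls into; that window is what nmap's ISN-quality report estimates and what step 4 above has to cover. The following is an added example, not code from anyone in this thread or from nmap: given the ISNs a host handed out on consecutive connections (constructed values here, not captured from any real host), it classifies the generator and sizes that window, so an auditor can tell a host on the "64k rule" from one with random-looking ISNs. The 2^20 cut-off for "narrow" is an assumed threshold.

```python
MOD = 2 ** 32            # TCP sequence numbers are 32-bit and wrap around
NARROW_WINDOW = 2 ** 20  # assumed cut-off: a window this small counts as weak


def isn_deltas(isns):
    """Differences between consecutive ISNs, modulo 2^32 so wraparound is handled."""
    return [(b - a) % MOD for a, b in zip(isns, isns[1:])]


def assess_isn(isns):
    """Classify how a host generates ISNs and size the window for the next one.

    Returns a dict with:
      label   - "constant-increment", "narrow-window" or "random-looking"
      window  - number of candidate values that bracket the next ISN
      next_lo / next_hi - inclusive bounds on the next ISN (whole space if random)
    The window is what matters for risk: 1 means the next ISN is known outright,
    2^32 means it is effectively unguessable.
    """
    if len(isns) < 3:
        raise ValueError("need at least three ISN samples")
    deltas = isn_deltas(isns)
    lo, hi = min(deltas), max(deltas)
    spread = hi - lo
    last = isns[-1]
    if spread == 0:
        label = "constant-increment"   # e.g. the "64k rule" mentioned above
    elif spread < NARROW_WINDOW:
        label = "narrow-window"
    else:
        return {"label": "random-looking", "window": MOD,
                "next_lo": 0, "next_hi": MOD - 1}
    return {"label": label, "window": spread + 1,
            "next_lo": (last + lo) % MOD, "next_hi": (last + hi) % MOD}


# Constructed samples (not captured from any real host)
SAMPLES = {
    "64k-rule host": [1000, 65000, 129000, 193000],
    "jittery host": [5000, 70000, 135500, 200500, 266000],
    "random host": [0x1A2B3C4D, 0x9F0E1D2C, 0x33445566, 0xDEADBEEF, 0x01020304],
}

if __name__ == "__main__":
    for name, isns in SAMPLES.items():
        r = assess_isn(isns)
        print(f"{name:14s} {r['label']:18s} window={r['window']:<11d} "
              f"next in [{r['next_lo']}, {r['next_hi']}]")
```

A real audit would feed in ISNs recorded from repeated connections to the host under test; a handful of samples is enough to expose a constant increment, while a random-looking verdict only means nothing was found with this many samples.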