Penetration Testing mailing list archives
Re: [PEN-TEST] Exploiting sequence number predictability
From: Jose Nazario <jose () BIOCSERVER BIOC CWRU EDU>
Date: Tue, 22 Aug 2000 13:56:22 -0400
On Mon, 21 Aug 2000, l0rtamus prime wrote:
I am interested in learning more about this subject. I know nothing about it and feel that I need to. Does anyone have any documents that will explain this to me from ground 0?
see below.
At 02:37 PM 8/18/2000 +0200, you wrote:
I was wondering if anyone knew of any tools for exploiting predictable initial sequence numbers? I understand the concept, and always see tools like nmap reporting on the quality of the ISN. But I am wondering how serious the vulnerability really is. How easy is it to actually exploit the weak ISNs?
it's not easy, but it can be done. either hack a prebuilt package or build one yourself. sniping connections, hijacking, blind spoofing, all of these come to mind in terms of sequence number, and ISN, predictability. see also the famous mitnick attack, discussed almost everywhere you can read.
Are there any tools around that exploit this, or are they mostly limited to custom tools written for a specific situation? What level of skill is required to exploit a TCPWrappered telnet daemon, for example, assuming I know the username and password, and the exact banner and prompts?
TCPwrappers is NOT strong security. providing other weaknesses within the network (compromised hosts, poor filtering on the routers, etc...) you can do a lot to get right past it. as for ISN and predictabilities, TCPwrappers doesn't do anything to assist that. that is all kernel controlled, and tcpd is well into userland.
(snip)
check out a few of route's writings on the subject:
http://www.phrack.com/search.phtml?view&article=p49-7
http://www.phrack.com/search.phtml?view&article=p48-14
then go from there. seriously, read your stevens, think evil thoughts, play around at home with crappy stacks.

jose nazario jose () biochemistry cwru edu
PGP fingerprint: 89 B0 81 DA 5B FD 7E 00 99 C3 B2 CD 48 A0 07 80
Public key available at http://biocserver.cwru.edu/~jose/pgp-key.asc
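The question above asks how serious a weak ISN really is and what nmap's "sequence predictability" report actually measures. The following is an added example, not code from the post or from nmap: it samples ISNs from a constructed toy stack (a stand-in for a remote kernel, modelled on the old "64000 per connection" BSD rule, a jittered variant, and a random generator), classifies the generator from the differences between samples, and works out how many spoofed ACKs a blind spoofer would have to spray to complete a handshake. The ToyStack class, the classification thresholds (4096) and the guess padding are this example's own assumptions; the sample ISN lists are constructed, not captured.

```python
"""ISN predictability and blind-spoof guess budget (added example).

Idea: probe the target with a few real connections, record the ISN it hands
each one, look at the step between consecutive ISNs, and decide whether the
next ISN can be covered by a small number of spoofed ACKs.  A server in
SYN-RCVD only completes the handshake when the ACK carries its ISN+1, so
each candidate costs the attacker one spoofed packet.
"""
import random

MOD = 1 << 32  # TCP sequence numbers are 32-bit; all arithmetic wraps


class ToyStack:
    """Constructed ISN generator standing in for a remote TCP stack (assumption).

    mode "fixed":  ISN grows by 64000 per connection (the old BSD rule,
                   with the per-second component left out for simplicity).
    mode "jitter": same, plus a small bounded random wobble per connection.
    mode "random": fresh 32-bit random ISN for every connection.
    """

    def __init__(self, mode, seed=1):
        self.mode = mode
        self.rng = random.Random(seed)
        self.isn = self.rng.getrandbits(32)

    def next_isn(self):
        if self.mode == "fixed":
            self.isn = (self.isn + 64000) % MOD
        elif self.mode == "jitter":
            self.isn = (self.isn + 64000 + self.rng.randint(-128, 128)) % MOD
        else:
            self.isn = self.rng.getrandbits(32)
        return self.isn


def signed_steps(isns):
    """Steps between consecutive samples, unwrapped to signed 32-bit values."""
    out = []
    for a, b in zip(isns, isns[1:]):
        d = (b - a) % MOD
        out.append(d - MOD if d >= MOD // 2 else d)
    return out


def classify(isns):
    """Label the generator: 'constant', 'fixed increment', 'bounded increment'
    or 'random'.  The 4096 spread threshold is this example's choice."""
    steps = signed_steps(isns)
    if all(s == 0 for s in steps):
        return "constant"
    if len(set(steps)) == 1:
        return "fixed increment"
    if max(steps) - min(steps) <= 4096:
        return "bounded increment"
    return "random"


def candidate_next(isns, max_guesses=4096):
    """ISNs a blind spoofer would spray ACKs for, given the observed steps.

    The observed step range is widened by its own spread on each side, since
    a handful of samples rarely shows the true minimum and maximum step.
    Returns [] when the range is wider than max_guesses, i.e. the stack is
    not practically attackable this way.
    """
    steps = signed_steps(isns)
    if not steps:
        return []
    lo, hi = min(steps), max(steps)
    spread = hi - lo
    lo, hi = lo - spread, hi + spread
    if hi - lo + 1 > max_guesses:
        return []
    last = isns[-1]
    return [(last + s) % MOD for s in range(lo, hi + 1)]


def blind_spoof_succeeds(stack, samples=8):
    """Probe the stack like an attacker, then check whether the ISN it hands
    the next (spoofed) connection was covered.  Returns (hit, guess_count)."""
    seen = [stack.next_isn() for _ in range(samples)]
    guesses = set(candidate_next(seen))
    actual = stack.next_isn()
    return actual in guesses, len(guesses)


if __name__ == "__main__":
    for mode in ("fixed", "jitter", "random"):
        stack = ToyStack(mode)
        seen = [stack.next_isn() for _ in range(8)]
        print(mode, classify(seen), blind_spoof_succeeds(ToyStack(mode)))
```

The point the output makes is the one in the reply above: a fixed-increment stack is owned with a single spoofed ACK, a stack with a small bounded wobble costs a few hundred packets (still trivial for a blind attacker), and a stack with a genuinely random ISN leaves nothing to spray. Nothing in between the kernel and the attacker (tcpd included) changes that budget, which is why the ISN generator, not the wrapper, decides exploitability.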