Re: Auditing boxes with predictable IP Sqeuence(s)

["The Blueberry" <acr872k () hotmail com>]

Since nmap recognizes a lot of routers and switches it is probably or an 
exotic router, a vpn or a printer. (I recently came up at a bunch of HP 
printers not recognized by nmap...) But I'm not aware of canned 
scripts/exploits to exploit TCP sequence numbers vulnerability but I don't 
think it would be of much resort for you apart if there are servers denying 
service to external networks...

And it could be of some help if you used SolarWinds's scanner to find SNMP 
daemons running, I already came up across an entire company's B network with 
_all_ ciscos snmp and tftp enabled... :p

Hope my post was helpful!


> From: "Ralph Los" <RLos () enteredge com>
> To: pen-test () securityfocus com
> Subject: Auditing boxes with predictable IP Sqeuence(s)
> Date: Mon, 25 Feb 2002 11:47:36 -0500
> MIME-Version: 1.0
> Received: from [66.38.151.27] by hotmail.com (3.2) with ESMTP id 
> MHotMailBE4429700088400432564226971BAF7B0; Mon, 25 Feb 2002 17:01:37 -0800
> Received: from lists.securityfocus.com (lists.securityfocus.com 
> [66.38.151.19])by outgoing.securityfocus.com (Postfix) with QMQPid 
> 413D5A324C; Mon, 25 Feb 2002 14:08:01 -0700 (MST)
> Received: (qmail 6826 invoked from network); 25 Feb 2002 16:46:51 -0000
> From pen-test-return-1705-acr872k Mon, 25 Feb 2002 17:02:42 -0800
> Mailing-List: contact pen-test-help () securityfocus com; run by ezmlm
> Precedence: bulk
> List-Id: <pen-test.list-id.securityfocus.com>
> List-Post: <mailto:pen-test () securityfocus com>
> List-Help: <mailto:pen-test-help () securityfocus com>
> List-Unsubscribe: <mailto:pen-test-unsubscribe () securityfocus com>
> List-Subscribe: <mailto:pen-test-subscribe () securityfocus com>
> Delivered-To: mailing list pen-test () securityfocus com
> Delivered-To: moderator for pen-test () securityfocus com
> X-Server-Uuid: 09D2A061-A64D-4587-8E3B-1712D61989F3
> Message-ID: <29F92B16A662464F908233F0549907262BE6EB () www test1 com>
> Sensitivity: Company-Confidential
> X-Mailer: Internet Mail Service (5.5.2653.19)
> X-WSS-ID: 1064B56212791-01-01
>
> Hello,
>
>         On a network I've recently had the pleasure :) to audit I came up
> with a bunch of hosts which nMap classifies as 'unknown', but with
> predictable TCP Sqeuence(s).  Now...are there any tools out there for 
> either
> Linux/Win2k that will allow me to exploit this type of 'vulnerability'?
> These hosts don't return any other open port information, so I'm guessing
> they're either switches, or routers or VPN concentrators...is there any way
> to determine which of those it most likely is?  Are there any patterns to
> look for, when determining router/switch/vpn box??
>
> Thanks in advance.....something I don't know and I figured I'd ask...
>
>
> Cheers!
>
>
>
> ----------------------------------------|
> Ralph M. Los
> Sr. Security Consultant and Trainer
>           EnterEdge Technology, L.L.C.
>           rlos () enteredge com
>           (770) 955-9899 x.206
> ----------------------------------------|
>
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus Security Intelligence Alert 
> (SIA)
> Service. For more information on SecurityFocus' SIA service which
> automatically alerts you to the latest security vulnerabilities please see:
> https://alerts.securityfocus.com/




_________________________________________________________________
Chat with friends online, try MSN Messenger: http://messenger.msn.com


----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/