Vulnerability Development mailing list archives

Re: TCP/IP ISN Prediction Susceptibility


From: Elias Levy <aleph1 () SECURITYFOCUS COM>
Date: Tue, 13 Mar 2001 23:56:29 -0700

* Holger van Koll (holger () VANKOLL DE) [010314 03:32]:
Could somebody explain how session hijacking is related to ISN-guessing?
"session" means it is already established. ISN are done.

If I am able to sniff the session, I don't need ISN-guessing.
I can insert packets based on the sniffed SN.

If I can't (and therefore ISN-guessing would be helpful) it is IMHO of no
use for already established sessions.

Can somebody shed some light on this?

To splice data into a TCP stream you need six pieces of information:
the IP address of the machine A, the IP address of machine B, the
TCP port number of machine A, the TCP port number of machine B,
the TCP acknowledged sequence number of A, and the TCP acknowledged
sequence number of B.

The easiest way to obtain this information is by monitoring the
actual traffic. This is simple if the traffic is flowing through
a broadcast network you are attached to. If this is not the case
then you can coerce the traffic your way via a number of tricks such
as ARP spoofing, ICMP redirects, route poisoning, etc.

A less trivial method is to guess the value of some of the variables.

It may be the case that you know the IP addresses of A and B, as well as
the port numbers they are using (e.g. some DNS requests). If both A's and
B's ISNs are trivially predictable then guessing the current sequence
numbers for A and B may not be difficult if they have not transmitted
a lot of data. You can always send multiple packets until you get
the numbers right.

You may not even need to know the TCP port number of one of the hosts.
Many computers assign ephemeral port numbers in a predictable fashion
so you can try to guess it as well.

And in reality you only need to know the acknowledged sequence number
of the machine into whose input stream you want to inject data. You
don't need to know the other machine's acknowledged sequence number.

So only *one* of the machines needs to have an easily predictable ISN.
And in most attacks this machine is likely to be the *client*
machine (since that is the machine you are more likely to impersonate).
And clients (e.g. Windows) are more likely than the server to
have predictable ISNs as security tends to be an afterthought.

This is different from IP spoofing attacks that attempt to initiate a
TCP connection to a server for which you need to guess the server's
ISN so you can complete the three-way handshake. In this case the
*server* having a predictable ISN is the vulnerability.

What this all means is that it may be possible to inject data into
an established TCP connection without actually having to monitor
the traffic between the two hosts. All you would need is to know that
the connection exists, know or guess the TCP port numbers, and
guess the acknowledged sequence number of the host you want to
accept the data.

Anyway that's my speculation as to what Guardent may say they have
discovered: a previously non-widely known attack scenario for the
old and venerable predictable ISN vulnerability.

Regards, Holger

--
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Si vis pacem, para bellum
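As an added example that is not part of Elias Levy's post (nor code from Guardent or SecurityFocus), the following Python sketch turns two points from the reply into defender-side checks: an ISN-predictability measurement for the host that would accept injected data, and a passive monitor that counts the out-of-window segments a "send packets until the numbers are right" approach leaves behind for a tracked 4-tuple. The function names, addresses, ISN samples and segment records are constructed for illustration; the window check follows the RFC 793 rule that a segment's first byte must lie in [RCV.NXT, RCV.NXT + RCV.WND), tested on the 32-bit sequence-number circle so wraparound is handled.

```python
"""
Added example, not part of Elias Levy's post or of any Guardent/SecurityFocus
tooling: two small defender-side checks that follow from the discussion above.
All traffic and ISN samples are constructed inline; function names are my own.

1. isn_predictability(): only the machine accepting the injected data needs a
   predictable ISN.  Given ISNs sampled from that host's successive connections,
   report the dominant first difference and how much of the sample it explains.
   A classic "+64000 per connection" generator scores 1.0; a generator with a
   32-bit random spread leaves no dominant step.

2. flag_blind_injection(): guessing the receiver's acknowledged sequence number
   by trial leaves a trail of segments whose sequence numbers fall outside the
   receiver's window for the same 4-tuple.  A passive monitor that knows each
   tracked flow's RCV.NXT and window counts those misses and alerts once a flow
   exceeds a threshold, while tolerating the occasional late retransmit.
"""
from collections import Counter
import random

SEQ_MOD = 2 ** 32


def seq_diff(a, b):
    """Signed distance from a to b on the 32-bit sequence-number circle."""
    d = (b - a) % SEQ_MOD
    return d - SEQ_MOD if d >= SEQ_MOD // 2 else d


def isn_predictability(isns):
    """Return (dominant_step, fraction_of_transitions_it_explains)."""
    steps = [(b - a) % SEQ_MOD for a, b in zip(isns, isns[1:])]
    if not steps:
        raise ValueError("need at least two ISN samples")
    step, count = Counter(steps).most_common(1)[0]
    return step, count / len(steps)


def in_window(seg_seq, rcv_nxt, rcv_wnd):
    """True if the segment's first byte lies in [RCV.NXT, RCV.NXT + RCV.WND)."""
    return 0 <= seq_diff(rcv_nxt, seg_seq) < rcv_wnd


def flag_blind_injection(segments, flows, threshold=5):
    """Count out-of-window segments per tracked flow; return flows at/over threshold.

    segments: dicts with src, dst, sport, dport, seq
    flows:    {(src, dst, sport, dport): (rcv_nxt, rcv_wnd)} for the receiver side
    """
    misses = Counter()
    for seg in segments:
        key = (seg["src"], seg["dst"], seg["sport"], seg["dport"])
        if key not in flows:
            continue  # not a connection we are tracking
        rcv_nxt, rcv_wnd = flows[key]
        if not in_window(seg["seq"], rcv_nxt, rcv_wnd):
            misses[key] += 1
    return {k: n for k, n in misses.items() if n >= threshold}


# --- constructed sample data -------------------------------------------------

# Six ISNs from a host that bumps its counter by 64000 per connection; the
# sample starts near 2^32 so the wraparound handling is exercised.
PREDICTABLE_ISNS = [(SEQ_MOD - 100000 + 64000 * i) % SEQ_MOD for i in range(6)]

# Six ISNs from a generator with full 32-bit spread (seeded for reproducibility).
_rng = random.Random(7)
RANDOM_ISNS = [_rng.getrandbits(32) for _ in range(6)]

# Receiver-side state for two tracked telnet connections: (RCV.NXT, RCV.WND).
FLOWS = {
    ("10.0.0.5", "10.0.0.9", 40000, 23): (1000, 8192),
    ("10.0.0.7", "10.0.0.9", 40100, 23): (5000, 8192),
}


def _seg(src, sport, seq, dst="10.0.0.9", dport=23):
    return {"src": src, "dst": dst, "sport": sport, "dport": dport, "seq": seq}


SEGMENTS = (
    # flow 1: three in-window data segments
    [_seg("10.0.0.5", 40000, s) for s in (1000, 2460, 3920)]
    # flow 2: one late retransmit below RCV.NXT, a benign single miss
    + [_seg("10.0.0.7", 40100, 4500)]
    # flow 1: eight segments stepping through sequence space, all out of window
    + [_seg("10.0.0.5", 40000, 1000 + 65536 * k) for k in range(1, 9)]
    # an untracked flow the monitor has no state for
    + [_seg("10.0.0.8", 40200, 1)]
)

if __name__ == "__main__":
    print("predictable:", isn_predictability(PREDICTABLE_ISNS))
    print("random:     ", isn_predictability(RANDOM_ISNS))
    print("flagged:    ", flag_blind_injection(SEGMENTS, FLOWS))
```

The threshold matters in practice: a single out-of-window segment is routine (late retransmits, reordering after a path change), so the monitor only reports a flow once it accumulates several misses, whereas the predictability score is useful on its own as an audit of a host's ISN generator.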

