Bugtraq: Re: Borderware predictable initial TCP

Re: Borderware predictable initial TCP

From: Ivan Arce,CORE SDI <ivan_at_SECURENETWORKS.COM>
Date: Tue, 8 Sep 1998 20:31:22 -0600

On Thu, 3 Sep 1998, Roy Hills wrote:

> While NT 4 SP3 does have a pattern to its initial TCP sequence
> numbers, my observations show this to be a "one-per-millisecond"
> sequence which is much less of a problem than the "64k increments"
> pattern exhibited by Borderware and HP-UX 10.x default configurations.
>
> With the "64k increments" pattern, the server's initial TCP sequence
> number is increased by 64,000 for each incoming connection and by
> 128,000 each second. These granularities of inbound connections and
> seconds are sufficiently coarse to make sequence number prediction
> trivial.
>
> By contrast, the "one-per-millisecond" sequence shown by NT 4 SP3
> increases the initial TCP sequence number by one every millisecond.
> I think that this would be very difficult to exploit remotely because the
> latency variations over an Internet connection are generally much greater
> than a millisecond. I guess that it may be possible to exploit over a LAN
> connection, but even then, I doubt that it would be easy.
>
> Has anyone actually seen or demonstrated a successful spoofing
> attack against NT 4 SP3 over an Internet connection?
>
> Roy Hills
> NTA Monitor
>

Hmmm
NT+SP3, Pentium 233 MHz
How exploitable does this look:

TCP Initial Sequence Numbers
###: Sequence Number RTT Difference
---: --------------- --------- ------------
  0 547735488 9 ms. 0
  1 547735979 9 ms. 491
  2 547736480 9 ms. 501
  3 547736980 9 ms. 500
  4 547737481 9 ms. 501
  5 547737982 9 ms. 501
  6 547738483 9 ms. 501
  7 547738983 9 ms. 500
  8 547739484 9 ms. 501
  9 547739975 9 ms. 491
 10 547740475 9 ms. 500
 11 547740976 9 ms. 501
 12 547741477 9 ms. 501
 13 547741978 9 ms. 501
 14 547742478 9 ms. 500
 15 547742979 9 ms. 501
 16 547743480 9 ms. 501
 17 547743980 9 ms. 500
 18 547744481 9 ms. 501
 19 547744982 9 ms. 501
 20 547745483 9 ms. 501
 21 547745983 9 ms. 500
 22 547746474 9 ms. 491
 23 547746975 9 ms. 501
 24 547747475 9 ms. 500
 25 547747976 9 ms. 501
 26 547748477 9 ms. 501
 27 547748978 9 ms. 501
 28 547749478 9 ms. 500
 29 547749979 9 ms. 501
 30 547750480 9 ms. 501
 31 547750981 9 ms. 501
 32 547751481 9 ms. 500
 33 547751982 9 ms. 501
 34 547752483 9 ms. 501
 35 547752983 9 ms. 500
 36 547753484 9 ms. 501
 37 547753975 9 ms. 491
 38 547754476 9 ms. 501
 39 547754976 9 ms. 500
 40 547755477 9 ms. 501
 41 547755978 9 ms. 501
 42 547756478 9 ms. 500
 43 547756979 9 ms. 501
 44 547757480 9 ms. 501
 45 547757981 9 ms. 501
 46 547758481 9 ms. 500
 47 547758982 9 ms. 501
 48 547759483 9 ms. 501
 49 547759983 9 ms. 500
 50 547760484 9 ms. 501
mean < 499.92> standard deviation (square) < 7.2588>

==============================[ CORE Seguridad de la Informacion S.A. ]=======
Ivan Arce
Technology Management Email : ivan_at_core-sdi.com
Av. Santa Fe 2861 5to C TE : +54-1-821-1030
CP 1425 FAX : +54-1-821-1030
Buenos Aires, Argentina Messaging: +54-1-317-4157
==============================================================================
Received on Sep 09 1998
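The statistics printed under the table, reworked as an added example that is not part of the original post: it recomputes the mean and the n-1 sample variance of the per-connection ISN increments from the 51 values listed above and adds a simple predictability window, the kind of check a defender runs against their own hosts when auditing a TCP stack. That the "(square)" figure is the n-1 sample variance is an assumption.

```python
"""Added example (not part of the original post): reproduce the "mean" and
"standard deviation (square)" figures under Ivan Arce's ISN table and derive
one extra audit metric.  ISN values are copied from that table; that the
"(square)" figure is the n-1 sample variance is an assumption."""
from statistics import mean, variance

WRAP = 2 ** 32  # ISNs are 32-bit; increments are taken modulo this

# Initial sequence numbers in connection order, from the table in the post.
ISN_SAMPLES = [
    547735488, 547735979, 547736480, 547736980, 547737481, 547737982,
    547738483, 547738983, 547739484, 547739975, 547740475, 547740976,
    547741477, 547741978, 547742478, 547742979, 547743480, 547743980,
    547744481, 547744982, 547745483, 547745983, 547746474, 547746975,
    547747475, 547747976, 547748477, 547748978, 547749478, 547749979,
    547750480, 547750981, 547751481, 547751982, 547752483, 547752983,
    547753484, 547753975, 547754476, 547754976, 547755477, 547755978,
    547756478, 547756979, 547757480, 547757981, 547758481, 547758982,
    547759483, 547759983, 547760484,
]

def isn_deltas(samples):
    """Increment between consecutive ISNs, modulo 2**32 so a wrap still counts."""
    return [(nxt - prev) % WRAP for prev, nxt in zip(samples, samples[1:])]

def delta_stats(deltas):
    """Mean and n-1 sample variance of the increments (the figures under the table)."""
    return mean(deltas), variance(deltas)

def prediction_window(samples):
    """Largest miss when each ISN is guessed as previous + rounded mean increment.

    A window of +/- this many values around the guess covered every ISN in the
    sample; the smaller it is, the more predictable the stack.  A properly
    randomised generator spreads the misses across the whole 2**32 space."""
    step = round(mean(isn_deltas(samples)))
    worst = 0
    for prev, actual in zip(samples, samples[1:]):
        guess = (prev + step) % WRAP
        miss = min((actual - guess) % WRAP, (guess - actual) % WRAP)
        worst = max(worst, miss)
    return worst

if __name__ == "__main__":
    m, v = delta_stats(isn_deltas(ISN_SAMPLES))
    w = prediction_window(ISN_SAMPLES)
    print(f"mean increment {m:.2f}, sample variance {v:.4f}")
    print(f"all ISNs within +/-{w} of last+{round(m)}: {2 * w + 1} candidates")
```

Run as-is it reproduces the 499.92 mean and 7.2588 variance from the post; the window shows every ISN in the sample fell within 9 of a fixed-step guess.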
