Penetration Testing: Re: [PEN-TEST] Exploiting sequence number predictability

[Marshall Beddoe <marshall.beddoe () SECURESOFTSYSTEMS COM>]

You can use nemesis but it will take some skill and understanding as to
exploit the
the predictable ISNs.  You can get nemesis at celerity.bartoli.org.


On Fri, 18 Aug 2000, Dawes, Rogan wrote:

> Hi folks,
>
> I was wondering if anyone knew of any tools for exploiting predictable
> initial sequence numbers?  I understand the concept, and always see tools
> like nmap reporting on the quality of the ISN. But I am wondering how
> serious the vulnerability really is.  How easy is it to actually exploit
the
> weak ISN's?
>
> I've also used tools like hunt, for session hijacking, but that
presupposes
> knowlege of the sequence numbers on the network, and doesn't really
exploit
> the predictability aspect.
>
> Are there any tools around that exploit this, or are they mostly limited
to
> custom tools written for a specific situation?  What level of skill is
> required to exploit a TCPWrappered telnet daemon, for example, assuming I
> know the username and password, and the exact banner and prompts?
>
> I imagine it is a case of:
> 1. determine the predictability algorithm (64k rule, or whatever)
> 2. Craft the packets required to execute the commands desired with the IP
> address of a permitted workstation.
> (packet 1 : SYN
>  packet 2 : ACK xxxxx/username^M
>  packet 3 : ACK xxxxy/password^M
>  packet 4 : ACK xxxxz/echo > /etc/hosts.deny; echo attacker >>
> /etc/hosts.allow; exit^M, or whatever)
>  where xxxxx-xxxxz are determined by the ISN, the number of bytes in the
> banner and login prompt, password prompt, and welcome banner/motd)
>
> (I can see why the R services are an easier target, cos you avoid all the
> variables in the login sequence, and can include your credentials and
issue
> your command in the (same) second packet sent, I think)
>
> 3. Check where the target machine is in its sequence numbers by making a
> legit connection to, say echo, or whatever.
> 4. spam out a flood of packets that cover the range of ISN's based on the
> time between the target machine answering the legit connection, and your
> crafted packet arriving at the target.
>
> Is this how it works?
>
> Thanks.
>
> Sincerely,
>
> Rogan
> --
> In God we Trust -- all others must submit an X.509 certificate.
>      -- Charles Forsythe <forsythe () alum mit edu>
> --
> Rogan Dawes
> Deloitte & Touche
> Enterprise Risk Services
> Network & System Quality
>
> Tel:   +27 11 806 6216
> Fax:   +27 11 806 5202
> Cell:  +27 82 784 9498
> Email: rdawes () deloitte co za
> --
> NOTE:  This e-mail message and its attachments is subject to the
>        disclaimers as published at:
>        http://www.deloitte.co.za/disc.htm#emaildisc