Win NT40 seq pred. Was: Borderware predictable initial TCP

From: Ulf Munkedal (munkedal@N-M.COM)
Date: Wed Sep 09 1998 - 07:08:49 PDT


    Our tests have shown that it's quite easy to predict TCP seq number on Win
    NT 40 SP3 - also over the Internet. Some examples (using Internet Scanner)
    from a penetration test we did not long ago:
    
    Web Server on Win NT 40:
     TrivialGuess: 7 out of 19 (36.84%)
     TrivialGuess: 21 out of 22 (95.45%)
     TrivialGuess: 5 out of 13 (38.46%)
    
    Firewall-1 on Win NT 40:
     TrivialGuess: 23 out of 24 (95.83%)
     TrivialGuess: 6 out of 16 (37.50%)
    
    Given this, it's not difficult to do a spoofing attack on Win NT 40 SP3
    over the Internet.
    
    I think the reason we don't hear about more spoofing attacks on Win NT is
    because it doesn't normally carry rlogin, rsh, telnet like services where
    TCP spoofing attacks make sense. But similar remote shell like services
    might very well be added by Microsoft some day not too far from now.
    
    See also Roy's mail below.
    
    Ulf Munkedal
    
    ---
    Ulf Munkedal
    Partner
    Neupart & Munkedal
    http://www.n-m.com
    Tel +45 7020 6565
    Fax +45 7020 6065
    Public PGP Key: http://www.n-m.com/pgp/
    ---
    SecureTest
    - Certainty in Internet security
    
    
    ----------
    From:   Roy Hills[SMTP:Roy.Hills@NTA-MONITOR.COM]
    Reply To:       Roy Hills
    Sent:   3 September 1998 10:49
    To:     BUGTRAQat_private
    Subject:        Re: Borderware predictable initial TCP
    
    While NT 4 SP3 does have a pattern to its initial TCP sequence
    numbers, my observations show this to be a "one-per-millisecond"
    sequence which is much less of a problem than the "64k increments"
    pattern exhibited by Borderware and HP-UX 10.x default configurations.
    
    With the "64k increments" pattern, the server's initial TCP sequence
    number is increased by 64,000 for each incoming connection and by
    128,000 each second.  These granularities of inbound connections and
    seconds are sufficiently coarse to make sequence number prediction
    trivial.
    
    By contrast, the "one-per-millisecond" sequence shown by NT 4 SP3
    increases the initial TCP sequence number by one every millisecond.
    I think that this would be very difficult to exploit remotely because the
    latency variations over an Internet connection are generally much greater
    than a millisecond.  I guess that it may be possible to exploit over a LAN
    connection, but even then, I doubt that it would be easy.
    
    Has anyone actually seen or demonstrated a successful spoofing
    attack against NT 4 SP3 over an Internet connection?
    
    Roy Hills
    NTA Monitor
    
    At 22:14 02/09/98 +0200, Ulf Munkedal wrote:
    >This also applies to Firewall-1 on a Windows NT SP3. Vendor has been
    >notified some time ago.
    >
    >Like with HP-UX this is an NT problem, but one could argue that firewall
    >vendors should replace/strengthen the TCP/IP stack on that platform since
    >MS hasn't solved TCP seq prediction on NT and it has been known for quite
    >some time. SP3 helps but it doesn't solve the problem.
    >
    >Ulf
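The two ISN patterns Roy contrasts above, and the "TrivialGuess: N out of M" figures Ulf quotes, can be reproduced on simulated data. The following is an added example written for this archive page, not code from either poster, from Internet Scanner, or from Microsoft or Borderware: the two generator functions are constructed stand-ins modelled only on the increments the mail describes (64,000 per connection plus 128,000 per second, versus one per millisecond), the jitter values are assumed, and all function names are hypothetical. The scoring function is what a defender would run over the ISNs collected from their own server's SYN-ACKs to see whether its generator is time-driven at a granularity a remote observer can resolve.

```python
"""Score the predictability of a TCP ISN sequence in the style of the
"TrivialGuess" figures quoted in this thread.

Added example. The generators below are constructed models of the two
patterns described by Roy Hills, not the NT 4 SP3 or Borderware stacks.
"""
import math
import random

ISN_MODULUS = 1 << 32


def isn_64k_increments(conn_index: int, server_ms: float) -> int:
    """'64k increments' model: +64,000 per incoming connection and
    +128,000 for every full second elapsed on the server clock."""
    seconds = math.floor(server_ms / 1000)
    return (64_000 * conn_index + 128_000 * seconds) % ISN_MODULUS


def isn_one_per_millisecond(conn_index: int, server_ms: float) -> int:
    """'one-per-millisecond' model: the ISN is a millisecond counter,
    independent of how many connections have arrived."""
    return math.floor(server_ms) % ISN_MODULUS


def sample_isns(generator, probes: int, gap_ms: float, jitter_ms: float,
                seed: int = 1) -> list:
    """Simulate `probes` connections spaced gap_ms apart on the observer's
    clock. The server sees each one shifted by up to +/- jitter_ms of path
    latency variation (constructed), which is what blurs a time-driven ISN
    as seen from a distance."""
    rng = random.Random(seed)
    isns = []
    for i in range(probes):
        observer_ms = gap_ms * (i + 1)
        server_ms = observer_ms + rng.uniform(-jitter_ms, jitter_ms)
        isns.append(generator(i, server_ms))
    return isns


def trivial_guess(isns: list) -> tuple:
    """Guess each ISN as 'previous ISN + previous increment' and count exact
    hits. The first two ISNs seed the guess. Returns (hits, guesses)."""
    hits = guesses = 0
    for k in range(2, len(isns)):
        prev_delta = (isns[k - 1] - isns[k - 2]) % ISN_MODULUS
        guess = (isns[k - 1] + prev_delta) % ISN_MODULUS
        guesses += 1
        if guess == isns[k]:
            hits += 1
    return hits, guesses


def trivial_guess_rate(isns: list) -> float:
    """Fraction of exact hits; 1.0 means the sequence is fully predictable
    from its last two values."""
    hits, guesses = trivial_guess(isns)
    return hits / guesses if guesses else 0.0


def report(label: str, isns: list) -> str:
    """Format a result the way the scanner output in the thread does."""
    hits, guesses = trivial_guess(isns)
    pct = 100.0 * hits / guesses if guesses else 0.0
    return f"{label}: TrivialGuess: {hits} out of {guesses} ({pct:.2f}%)"


if __name__ == "__main__":
    INTERNET_JITTER_MS = 20.0  # assumed WAN latency variation
    LAN_JITTER_MS = 0.2        # assumed sub-millisecond LAN variation
    PROBES, GAP_MS = 40, 50.0  # 40 connections, 50 ms apart
    print(report("64k increments over Internet",
                 sample_isns(isn_64k_increments, PROBES, GAP_MS, INTERNET_JITTER_MS)))
    print(report("one-per-ms over Internet",
                 sample_isns(isn_one_per_millisecond, PROBES, GAP_MS, INTERNET_JITTER_MS)))
    print(report("one-per-ms over LAN",
                 sample_isns(isn_one_per_millisecond, PROBES, GAP_MS, LAN_JITTER_MS)))
```

With the 64k-increment model the guess only fails at the two probes straddling each one-second boundary, so the hit rate stays above 90% regardless of 20 ms of jitter; with the millisecond counter the same jitter scrambles the last few bits of every increment and the exact-hit rate collapses to a few percent, which is the reason Roy gives for rating the NT pattern as much less dangerous over the Internet. Feeding the function real ISNs taken from a packet capture of your own host answers the same question for any stack.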
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:15:27 PDT