Re: Borderware predictable initial TCP

From: Roy Hills (Roy.Hills@NTA-MONITOR.COM)
Date: Wed Sep 09 1998 - 03:21:13 PDT

Next message: Dr. Mudge: "L0pht Answering Machine Advisory"

Previous message: Ulf Munkedal: "Win NT40 seq pred. Was: Borderware predictable initial TCP"
Maybe in reply to: racer-xat_private: "Borderware predictable initial TCP"
Next in thread: Patrick: "Re: Borderware predictable initial TCP"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

At 20:31 08/09/98 -0600, Ivan Arce,CORE SDI wrote:
>Hmmm
>NT+SP3, Pentium 233Mhz
>How exploitable does this look:
>
> [List of consistent, predictable TCP sequence numbers deleted]
>

Looks like I was too quick to dismiss a one-per-millisecond sequence
as "not predictable in the real world"!  Thanks for correcting me.

I've also got a feeling that it may be possible to send multiple ACKs to the
server and the incorrect ones might just get ignored - if this is true,
then it
would be possible to "bracket" the predicted sequence no. with multiple
ACKs to increase the chance of success.  Does anyone know if this is
really the case?

Roy Hills
NTA Monitor Ltd
--
Roy Hills                                    Tel:   01634 721855
NTA Monitor Ltd                              FAX:   01634 721844
6 Beaufort Court, Medway City Estate,        Email: Roy.Hills@nta-monitor.com
Rochester, Kent ME2 4FB, UK                  WWW:   http://www.nta-monitor.com/

Next message: Dr. Mudge: "L0pht Answering Machine Advisory"
Previous message: Ulf Munkedal: "Win NT40 seq pred. Was: Borderware predictable initial TCP"
Maybe in reply to: racer-xat_private: "Borderware predictable initial TCP"
Next in thread: Patrick: "Re: Borderware predictable initial TCP"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:15:29 PDT