Roy Hills wrote:
>
> As many people will be aware, the Microsoft TCP/IP stack for NT 4.0 up to and
> including SP3 used a simple "one-per-millisecond" increment for the initial TCP
> sequence number. This was changed in SP4 to make the initial sequence number
> generation less predictable. However, I've found that, while the initial TCP
> sequence number pattern has changed from SP3 to SP4, it's still quite predictable.
>
> The key features of the new SP4 pattern are:
>
> a) It uses small positive increments between 0 and 14 inclusive;
> b) The increment appears to always be an even number: 0, 2, 4, 6, 8, 12, 10
> or 14;
> c) The increment does not appear to be time-related - the pattern is the
> same whether the time difference between samples is 20ms or 1s.
>

Actually, the SP4 pattern is a weak function of KeQueryTickCount, the number of segments received by the TCP/IP stack (insegs), and the last ISN (LastISN). It looks like this:

NewISN = LastISN + (KeQueryTickCount() & 0x8) + (insegs & 0x7)

The maximal increment is just 15, and it's quite predictable.

Greetings to IDA (http://www.datarescue.com)

Luigi Mori
Symbolic -- http://www.symbolic.it
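To make the predictability claim concrete, here is a model of the update rule quoted in the post, as an added example that is not code from either poster or from Microsoft. It applies the rule to constructed tick-count and insegs values (the real counters are not available offline), enumerates every increment the rule can yield, and measures how many candidate ISNs a passive observer is left with after seeing a single one: 16 values, about 4 bits of uncertainty, against the 32 bits a uniformly random ISN would give. The sample values and the function names are the example's own assumptions.

```python
"""
Model of the NT4 SP4 initial-sequence-number (ISN) rule as quoted in the post:

    NewISN = LastISN + (KeQueryTickCount() & 0x8) + (insegs & 0x7)

Added example; the tick counts and segment counters below are constructed
sample values, not captured data.
"""
import math
from collections import Counter

MASK32 = 0xFFFFFFFF


def next_isn(last_isn, tick_count, insegs):
    """Apply the SP4 update rule to produce the next ISN (32-bit wraparound)."""
    return (last_isn + (tick_count & 0x8) + (insegs & 0x7)) & MASK32


def possible_increments():
    """Every increment the rule can produce over all tick/insegs values.

    Only bit 3 of the tick count and bits 0-2 of insegs feed the rule, so the
    set is fixed no matter how the real counters evolve.
    """
    return sorted({(t & 0x8) + (s & 0x7) for t in range(16) for s in range(8)})


def candidate_next_isns(observed_isn):
    """All ISNs the next connection can receive, given one observed ISN."""
    return sorted({(observed_isn + inc) & MASK32 for inc in possible_increments()})


def increment_entropy_bits():
    """Shannon entropy (bits) of one increment if tick bit 3 and insegs&7 are uniform."""
    counts = Counter((t & 0x8) + (s & 0x7) for t in range(16) for s in range(8))
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def simulate(start_isn, samples):
    """Walk the rule over (tick_count, insegs) samples and return the ISN trace."""
    trace = [start_isn]
    isn = start_isn
    for tick, insegs in samples:
        isn = next_isn(isn, tick, insegs)
        trace.append(isn)
    return trace


if __name__ == "__main__":
    # Constructed samples: ticks advance ~10 per sample, insegs grows as traffic arrives.
    samples = [(1000 + 10 * i, 5000 + 3 * i) for i in range(8)]
    trace = simulate(0x12345678, samples)
    deltas = [(b - a) & MASK32 for a, b in zip(trace, trace[1:])]
    print("ISN trace:", [hex(x) for x in trace])
    print("observed increments:", deltas)
    print("all possible increments:", possible_increments())
    print("candidates for the next ISN after one observation:", len(candidate_next_isns(trace[-1])))
    print(f"entropy of one increment: {increment_entropy_bits():.1f} bits (vs 32 for a uniform ISN)")
```

The defensive takeaway is the size of `candidate_next_isns`: a generator whose next value lies within a 16-value window of the last one offers essentially no protection against spoofed-connection attacks, which is why later stacks moved to per-connection randomised offsets (RFC 1948-style ISN generation) rather than small deterministic increments.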
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:59:24 PDT