Roy Hills wrote:
>
> As many people will be aware, the Microsoft TCP/IP stack for NT 4.0 up to and
> including SP3 used a simple "one-per-millisecond" increment for the initial TCP
> sequence number.  This was changed in SP4 to make the initial sequence number
> generation less predictable.  However I've found that, while the initial TCP
> sequence number pattern has changed from SP3 to SP4, it's still quite predictable.
>
> The key features of the new SP4 pattern are:
>
> a) It uses small positive increments between 0 and 14 inclusive;
> b) The increment appears to always be an even number: 0, 2, 4, 6, 8, 12, 10
> or 14;
> c) The increment does not appear to be time-related - the pattern is the same
>    whether the time difference between samples is 20ms or 1s.
>

Actually the SP4 pattern is a weak function of KeQueryTickCount, the
number of segments received by the TCP/IP stack (insegs) and the last
ISN (LastISN). It looks like this:
        NewISN = LastISN + (KeQueryTickCount() & 0x8) + (insegs & 0x7)

The maximal increment is just 15, and it's quite predictable.

greetings to IDA (http://www.datarescue.com)

Luigi Mori
Symbolic -- http://www.symbolic.it
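The generator described in the reply, modelled in C as an added example (this is not code from the post, from Microsoft or from Symbolic). The kernel inputs KeQueryTickCount() and the received-segment counter are replaced by caller-supplied values, and a small LCG stands in for those hidden counters so the simulation runs offline; the function names `sp4_next_isn`, `sp4_candidates` and `sp4_prediction_hits` are this example's own. The block enumerates every increment the formula can produce, and then plays attacker against it: from one observed ISN it lists all values the next ISN can take and checks that the real next ISN is always in that list.

```c
#include <stdint.h>
#include <stdio.h>

/* Next ISN per the formula in the post. tick and insegs stand in for
 * KeQueryTickCount() and the stack's received-segment counter, which an
 * outside observer cannot read; only their low bits matter here. */
uint32_t sp4_next_isn(uint32_t last_isn, uint32_t tick, uint32_t insegs)
{
    return last_isn + (tick & 0x8) + (insegs & 0x7);
}

/* Largest increment the formula can yield, found by exhausting the bits
 * that survive the masks (0x8 + 0x7). */
uint32_t sp4_max_increment(void)
{
    uint32_t max = 0;
    for (uint32_t tick = 0; tick < 16; tick++)
        for (uint32_t insegs = 0; insegs < 8; insegs++) {
            uint32_t inc = sp4_next_isn(0, tick, insegs);
            if (inc > max)
                max = inc;
        }
    return max;
}

/* Attacker's view: from one observed ISN, every value the next ISN can
 * take regardless of what the counters do. Returns the number of
 * candidates written to out (never more than 16). */
int sp4_candidates(uint32_t observed_isn, uint32_t out[16])
{
    int n = 0;
    for (uint32_t inc = 0; inc <= 15; inc++)
        out[n++] = observed_isn + inc;
    return n;
}

/* Deterministic LCG (constructed for this example) playing the role of the
 * tick and segment counters the attacker cannot see. */
static uint32_t hidden_counter(uint32_t *state)
{
    *state = *state * 1664525u + 1013904223u;
    return *state >> 8;
}

/* Simulate rounds consecutive connections: the attacker observes ISN_k,
 * predicts the candidate set for ISN_{k+1}, and the "kernel" then produces
 * ISN_{k+1} from hidden counter values. Returns how many rounds the real
 * ISN fell inside the predicted set. */
int sp4_prediction_hits(int rounds, uint32_t seed)
{
    uint32_t state = seed;
    uint32_t last = hidden_counter(&state);     /* arbitrary first ISN */
    int hits = 0;

    for (int i = 0; i < rounds; i++) {
        uint32_t cand[16];
        int n = sp4_candidates(last, cand);
        uint32_t tick = hidden_counter(&state);
        uint32_t insegs = hidden_counter(&state);
        uint32_t next = sp4_next_isn(last, tick, insegs);

        for (int j = 0; j < n; j++) {
            if (cand[j] == next) {
                hits++;
                break;
            }
        }
        last = next;
    }
    return hits;
}

int main(void)
{
    printf("max increment under the SP4 formula: %u\n", sp4_max_increment());
    printf("next ISN inside the 16-value prediction set: %d/%d rounds\n",
           sp4_prediction_hits(1000, 1), 1000);
    return 0;
}
```

Whatever the tick and segment counters do, the formula only contributes one bit from the tick and three from insegs, so the attacker's uncertainty about the next ISN is at most 16 consecutive values; a blind spoofing attempt can simply send one segment per candidate.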
