Hello All,
I have been seeing an odd number of false positive results with the Raptor Weak ISN
generation
issue. Windows XP hosts running the Symantec Client VPN software, with the Symantec
Client VPN Driver bound to their NIC return that they have they generate weak ISNs.
Now, I'm not expert
enough to know if this is true based soley on the Nessus output, so I have attempted
to validate
using NMAP. The results are as such: (using the command nmap -O -vv -g 1025 hostname)
Test 1: (VPN Driver unbound from adaptor, no result from above plugin)
TCP Sequence Prediction: Class=random positive increments
Difficulty=14034 (Worthy challenge)
TCP ISN Seq. Numbers: 490E5E47 490F5374 491042DD 491156C8 4912DCED 4913EACD
IPID Sequence Generation: Incremental
Test 2: (VPN driver bound to adaptor, "hole" found) (2 NMAP runs done)
first:
>>
TCP Sequence Prediction: Class=truly random
Difficulty=9999999 (Good luck!)
TCP ISN Seq. Numbers: C458059D E7095EA7 B1C6EF5A 40A5E196 800D787B 35A38741
IPID Sequence Generation: Incremental
<<
second:
>>
TCP Sequence Prediction: Class=truly random
Difficulty=9999999 (Good luck!)
TCP ISN Seq. Numbers: 1DCEF56F 89249731 154D25F0 E76239A 359B366A 41119537
IPID Sequence Generation: Incremental
<<
Note, even though I specified an identical source port, and identical destination
ports were used, the ISNs are not identical. I surmise this to be an error in the
plugin??
Has anyone seen this sort of thing before?
Rgds,
Ds
_______________________________________________
Nessus mailing list
[EMAIL PROTECTED]
http://mail.nessus.org/mailman/listinfo/nessus
