If you read the book "Takedown" which tells how Kevin Mitnick was trapped,
you will discover that the means by which Mitnick was able to intercept a
TCP connection between two trusted hosts was by being able to predict the
TCP sequence number of the next connection (I think on that particular
system the increment was 64, something simple.)

Having gained the sequence number he was able to blind the innocent party
by DoSing it and then was able to get the other party to talk to his
machine as if it was the trusted peer.  A classic "Man in the middle
attack".

On Wed, 5 Dec 2001, Silcock, Stephen wrote:

> Ummm ok no totally knowledgeable answers yet (come on guys! :) so I'll throw
> my semi-uninformed opinion in...
>
> Sequence prediction (if feasible) basically allows man in the middle and
> session hijacking attacks.  It's a low risk as opposed to say running an old
> (exploitable) version of sendmail or ssh.  If an attacker can sniff your
> packets to get the TCP sequence info in the first place then they've already
> compromised a box (or router) real close to you so you have bigger worries
> anyway.  What they would then do is blast you out of the sky with a DDoS or
> magic packet and pump their own packets onto the wire with the correct
> (predicted) sequence numbers - session hijack.  It would take a fairly
> sophisticated attacker though as far as I know - there are utilities and
> exploits out there ("hunt" is one that springs to mind - telnet is asking
> for trouble) but AFAIK they aren't "point and click" type attack programs.
>
> TCP sequence prediction was poor in earlier 'doze versions (MS put out a
> patch) but every Linux and BSD I've seen nmap'd was (Good luck!) so I'd say
> don't worry about it.  You often get (trivial joke) on earlier versions of
> Windows and network devices (HP JetDirect, other network printing boxes, web
> interfaces to routers/connection sharing devices).
>
> So; only a concern in high security environments... or if you (like me)
> think secure is fun!

-- 
Howard.
LANNet Computing Associates - Your Linux people
Contact detail at http://www.lannetlinux.com
 "We are either doing something, or we are not.
 'Talking about' is a subset of 'not'."


-- 
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug
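The attack described in the thread, as an added example that is not code from either poster: a self-contained Python simulation of the blind spoofed handshake. The attacker samples the target's ISNs with a few real connections, classifies how predictable they are (coarsely, in the spirit of nmap's "TCP Sequence Prediction" rating but not its algorithm), extrapolates the next ISN, and then sends the ACK that completes a handshake whose SYN-ACK it never saw. The hosts are Python objects, no packets are sent, and the ISN start value, the per-connection step, and the entropy threshold are constructed for illustration rather than measured from any real system.

```python
"""Blind TCP spoofing via ISN prediction, simulated in-process.

Added example, not from the original thread. Start/step values and the
entropy threshold are constructed for illustration.
"""
import random
from statistics import pstdev

SEQ_MOD = 1 << 32  # TCP sequence numbers are 32 bits wide


class ConstantIncrementISN:
    """Host whose ISN advances by a fixed step per connection (the weak
    scheme the thread describes; start and step are constructed values)."""

    def __init__(self, start=0x1000_0000, step=128_000):
        self.next_isn = start % SEQ_MOD
        self.step = step

    def isn(self):
        cur = self.next_isn
        self.next_isn = (cur + self.step) % SEQ_MOD
        return cur


class RandomISN:
    """Host drawing each ISN uniformly at random (nmap's 'Good luck!' class).
    A seed gives reproducible output; None uses the OS CSPRNG."""

    def __init__(self, seed=None):
        self.rng = random.Random(seed) if seed is not None else random.SystemRandom()

    def isn(self):
        return self.rng.randrange(SEQ_MOD)


def isn_deltas(isns):
    """Consecutive ISN differences, reduced mod 2^32 to survive wrap-around."""
    return [(b - a) % SEQ_MOD for a, b in zip(isns, isns[1:])]


def classify_isn(isns):
    """Coarse predictability class: identical deltas -> 'constant increment';
    deltas varying by less than an arbitrary 2^16 -> 'low entropy';
    otherwise 'random-looking'. Not nmap's algorithm, just the idea."""
    if len(isns) < 3:
        raise ValueError("need at least three ISN samples")
    deltas = isn_deltas(isns)
    if len(set(deltas)) == 1:
        return "constant increment"
    if pstdev(deltas) < (1 << 16):
        return "low entropy"
    return "random-looking"


def predict_next_isn(isns):
    """Extrapolate the next ISN from the last observed delta. Sound only for
    the constant-increment class; elsewhere it is a 1-in-2^32 guess."""
    return (isns[-1] + isn_deltas(isns)[-1]) % SEQ_MOD


def syn_received_accepts_ack(server_isn, ack):
    """Server-side check that decides the attack. In SYN-RECEIVED (RFC 793),
    after sending SYN with ISN s and nothing else, SND.UNA = s and
    SND.NXT = s + 1, so the only acceptable ACK is exactly s + 1."""
    return ack == (server_isn + 1) % SEQ_MOD


def blind_spoof_handshake(target, probes=4):
    """1. Attacker opens `probes` real connections to sample ISNs.
    2. Attacker sends a SYN from the trusted peer's spoofed address; the
       real peer is assumed flooded and silent, so it never sends a RST.
    3. Target replies SYN-ACK with a fresh ISN sent to the spoofed address,
       which the attacker cannot read.
    4. Attacker answers ACK = predicted ISN + 1.
    Returns (classification, handshake_completed)."""
    observed = [target.isn() for _ in range(probes)]
    klass = classify_isn(observed)
    unseen_server_isn = target.isn()  # step 3: the SYN-ACK the attacker never sees
    guess = predict_next_isn(observed)
    completed = syn_received_accepts_ack(unseen_server_isn, (guess + 1) % SEQ_MOD)
    return klass, completed


if __name__ == "__main__":
    print("predictable host:", blind_spoof_handshake(ConstantIncrementISN()))
    print("random host:     ", blind_spoof_handshake(RandomISN()))
```

The simulation makes the point in the two posts concrete: against the constant-increment host the spoofed handshake completes every time without the attacker ever reading a byte of the target's reply, while against the random host the same procedure has roughly a 1 in 2^32 chance per attempt, which is why a "Good luck!" rating from nmap is the answer you want to see.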
