[11577] in bugtraq
Re: NT Predictable Initial TCP Sequence numbers - changes
daemon@ATHENA.MIT.EDU (Luigi Mori)
Sun Aug 29 02:52:09 1999
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <37C76E52.25836ABD@symbolic.it>
Date: Fri, 27 Aug 1999 22:06:26 -0700
Reply-To: Luigi Mori <lm@SYMBOLIC.IT>
From: Luigi Mori <lm@SYMBOLIC.IT>
X-To: Bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM
Roy Hills wrote:
>
> As many people will be aware, the Microsoft TCP/IP stack for NT 4.0 up to and
> including SP3 used a simple "one-per-millisecond" increment for the initial TCP
> sequence number. This was changed in SP4 to make the initial sequence number
> generation less predictable. However, I've found that, while the initial TCP
> sequence number pattern has changed from SP3 to SP4, it's still quite predictable.
>
> The key features of the new SP4 pattern are:
>
> a) It uses small positive increments between 0 and 14 inclusive;
> b) The increment appears to always be an even number: 0, 2, 4, 6, 8, 12, 10
> or 14;
> c) The increment does not appear to be time-related - the pattern is the
>    same whether the time difference between samples is 20ms or 1s.
>
Actually, the SP4 pattern is a weak function of KeQueryTickCount, the
number of segments received by the TCP/IP stack (insegs), and the last
ISN (LastISN). It looks like this:

NewISN = LastISN + (KeQueryTickCount() & 0x8) + (insegs & 0x7)

The maximal increment is just 15, and it's quite predictable.
Greetings to IDA (http://www.datarescue.com)
Luigi Mori
Symbolic -- http://www.symbolic.it
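The following is an added example written for this archive page; it is not code from Luigi Mori's post or from Microsoft. It models the generator exactly as the formula above states it and shows what "quite predictable" means in practice: because (KeQueryTickCount() & 0x8) is 0 or 8 and (insegs & 0x7) is 0..7, the next ISN always lies within 16 values of the last one handed out, so an off-path spoofer who has just observed one ISN needs at most 16 guesses instead of 2^32. Assumptions (not in the post): 32-bit wraparound on the ISN, a tick counter that simply grows, that LastISN is the ISN of the previous connection the server answered, and a constructed traffic pattern produced by a seeded random generator.

```python
# Model of the NT 4.0 SP4 ISN generator as described in the post:
#   NewISN = LastISN + (KeQueryTickCount() & 0x8) + (insegs & 0x7)
# Illustration only, not Microsoft's code.  Assumptions: 32-bit wraparound,
# a monotonically growing tick counter, and a constructed traffic pattern.

import random

MASK32 = 0xFFFFFFFF


def next_isn(last_isn, tick_count, insegs):
    """One step of the generator, exactly the formula quoted in the post."""
    return (last_isn + (tick_count & 0x8) + (insegs & 0x7)) & MASK32


def candidate_isns(last_isn):
    """Every ISN the next connection can get when the attacker knows only
    the previous ISN: the tick term is 0 or 8, the insegs term is 0..7,
    so the increment is 0..15 and there are at most 16 candidates."""
    return sorted({(last_isn + t + s) & MASK32 for t in (0, 8) for s in range(8)})


def candidate_isns_with_insegs(last_isn, insegs):
    """If the attacker can also track insegs (assumed possible when the
    attacker's own segments dominate the traffic), only the single tick
    bit is unknown and two candidates remain."""
    s = insegs & 0x7
    return sorted({(last_isn + t + s) & MASK32 for t in (0, 8)})


class SP4Stack:
    """Toy server state: last ISN issued, tick counter, segments received."""

    def __init__(self, isn, tick, insegs):
        self.isn, self.tick, self.insegs = isn & MASK32, tick, insegs

    def run(self, ticks_elapsed, segments_received):
        """Time passes and traffic arrives before the next SYN is answered."""
        self.tick += ticks_elapsed
        self.insegs += segments_received

    def new_connection(self):
        """Server answers a SYN: compute, remember and return the new ISN."""
        self.isn = next_isn(self.isn, self.tick, self.insegs)
        return self.isn


def simulate(seed=1, connections=200):
    """Constructed trace of ISNs with random gaps and traffic in between."""
    rng = random.Random(seed)
    stack = SP4Stack(isn=0x1A2B3C4D,
                     tick=rng.randrange(1 << 20),
                     insegs=rng.randrange(1 << 20))
    trace = [stack.new_connection()]
    for _ in range(connections):
        stack.run(rng.randrange(0, 1000), rng.randrange(0, 50))
        trace.append(stack.new_connection())
    return trace


def increments(trace):
    """Observed ISN deltas between consecutive connections (mod 2**32)."""
    return [(b - a) & MASK32 for a, b in zip(trace, trace[1:])]


def predictable(trace):
    """True when every ISN in the trace lies in the 16-value candidate set
    derived from the ISN before it, i.e. a blind spoofer never needs more
    than 16 guesses to hit the next connection's ISN."""
    return all(b in candidate_isns(a) for a, b in zip(trace, trace[1:]))


if __name__ == "__main__":
    t = simulate()
    print("max observed increment:", max(increments(t)))
    print("every ISN inside the 16-value window:", predictable(t))
    print("guess space: 16 vs", 1 << 32)
```

Run it as a script to see the observed increments capped at 15 and every ISN in the trace falling inside the window predicted from its predecessor; the elapsed time between connections does not widen the window, which matches Roy Hills's observation that the pattern is not time-related in any useful sense.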