Re: Blind IP Spoofing Attacks.
daemon@ATHENA.MIT.EDU (Timothy Newsham)
Wed Jan 25 17:52:47 1995
From: newsham@aloha.net (Timothy Newsham)
To: jmason@iona.ie (Justin Mason)
Date: Wed, 25 Jan 1995 10:04:18 -1000 (HST)
Cc: bugtraq@fc.net, newsham@aloha.net
In-Reply-To: <199501251234.MAA05640@destructor.iona.ie> from "Justin Mason" at Jan 25, 95 12:34:13 pm
>
> >They mention that NFS and Sun RPC in general are
> >vulnerable to the sequence number attack. It is true that
> >NFS and other RPCs do rely on IP address for authentication
> >but I don't see how they are vulnerable to an attack. You
> >need to see the reply in order to get a filehandle in order
> >to do anything with nfs.
>
> If you can guess the filehandle, you don't need the reply
> packet.

Why would anyone do this with TCP sequence number guessing, where
the fake connections can only be made for a small fraction of
total attempts, when they can spoof UDP 100% of the time?

> Also, using rsh to do 'echo "+ +" > /.rhosts' would be a hell of
> a lot easier... ;)

This is the only viable attack with sequence numbers I can think
of, and it relies on a hosts.equiv or .rhosts already being
in place.

> --j.
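The reply above makes the point that the rsh variant of the attack only works when a trust entry (hosts.equiv or .rhosts) is already in place, so the defender's check is to find such entries before anyone else does. The following is an added example, not code from the thread or its authors: a small auditor for trust files in the classic format assumed here (one entry per line, "host [user]", where "+" is a wildcard, "-" prefixes a denial, and "+@name" names a netgroup). The sample file contents and the severity labels are constructed for illustration.

```python
"""Audit hosts.equiv / .rhosts style trust files for wildcard entries.

Added example; the file format assumed here is the classic one:
  host [user]      grant access from host (optionally only for user)
  +                wildcard for any host or any user
  -host            denial entry
  +@netgroup       all members of a netgroup
"""

from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Finding:
    line_no: int
    entry: str
    severity: str   # "critical", "high", "medium" or "info"
    reason: str


def parse_entry(line: str) -> Optional[Tuple[str, Optional[str]]]:
    """Return (host, user) for one trust-file line, or None for blank/comment lines."""
    stripped = line.split("#", 1)[0].strip()
    if not stripped:
        return None
    fields = stripped.split()
    host = fields[0]
    user = fields[1] if len(fields) > 1 else None
    return host, user


def audit_trust_lines(lines) -> List[Finding]:
    """Classify every granting entry; wildcard entries are what the rsh attack needs."""
    findings: List[Finding] = []
    for n, line in enumerate(lines, start=1):
        parsed = parse_entry(line)
        if parsed is None:
            continue
        host, user = parsed
        entry = line.strip()
        if host.startswith("-"):
            # denial entries restrict rather than grant access; nothing to report
            continue
        if host == "+" and user == "+":
            findings.append(Finding(n, entry, "critical", "any user from any host is trusted"))
        elif host == "+":
            findings.append(Finding(n, entry, "high", "any host is trusted for this user"))
        elif user == "+":
            findings.append(Finding(n, entry, "high", "any user from this host is trusted"))
        elif host.startswith("+@") or (user is not None and user.startswith("+@")):
            findings.append(Finding(n, entry, "medium", "netgroup wildcard grants trust"))
        else:
            # a plain host entry is still trust based purely on the source IP address,
            # which is the property the thread is discussing
            findings.append(Finding(n, entry, "info", "address-based trust for a named host"))
    return findings


def audit_trust_file(path: str) -> List[Finding]:
    """Convenience wrapper: audit a file on disk (e.g. /etc/hosts.equiv or /.rhosts)."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return audit_trust_lines(fh.read().splitlines())


# Constructed sample contents standing in for a /.rhosts file.
SAMPLE_RHOSTS = """# constructed sample /.rhosts
trusted.example.com
+ +
+ admin
-evil.example.com
+@ops
"""


if __name__ == "__main__":
    for f in audit_trust_lines(SAMPLE_RHOSTS.splitlines()):
        print(f"line {f.line_no}: [{f.severity}] {f.entry!r}: {f.reason}")
```

On a real host you would run `audit_trust_file("/etc/hosts.equiv")` and the same for each home directory's `.rhosts`; anything rated critical or high is exactly the pre-existing trust the reply says the attack depends on, and the info entries are the address-only trust relationships worth reviewing.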