[rescue] RFA: firewall

Wes Will wwill at siu.edu
Fri Jan 7 08:18:20 CST 2005

>some random numbers (somehow that I don't understand) in 
>TCP sequences,

This is one you can understand in a trice, it's actually very simple in
concept.  The following explanation is first, admittedly "wrong" at many
levels, but should suffice to make a dent in understanding sequences:

TCP packets get assigned a pseudo-random ID number as they are assembled.
Information about the destination and routing, various housekeeping items
are put in there, and then the data that is meant for the end user (the
contents of the web page you want, for instance) gets tucked in there, too.
 It's how things work, you need to know what to do with the packets that
arrive, and you need to know that they really are from the right place and
meant for you to handle.

If you are a computer cracker, you want to be able to insert yourself into
an ongoing conversation and usurp the connection (if you were trying to
hack/spoof your way into a communication between two machines for nefarious
purposes).  You can make one of the machines think it is talking to an
authenticated host, and then you tell it things that are wrong, and ask it
questions it shouldn't answer... 

To do this you would need to be able to generate the "next" packet in the
sequence -before- the legitimate machine does, and send it on as if you
were the 'real' authenticated sender.  To do that, you would need to be
able to guess what that assigned pseudo-random number is going to be, and
have it ready to go with your cracker payload tacked on, in real time.
Simple enough.  

So you sit there between the two machines, listening to their packets go
by, and looking at the numbers on each.  After a while, if there is not
enough entropy (true randomness) in the sequence, an algorithm will become
apparent to you, and you will be able to compute the next one, before it
happens.  Do so, watch to see if you are correct, and then do it again,
attach your nasty payload, and send it out before the other guy does.
You're in.  The target machine thinks it's talking to the other box.  You
can tell this other machine all sorts of things after that.  A simplistic

Packet numbers go by in the following order:
1  3  5  7  9  11  13  so the next one out will undoubtedly be  15, and
you've guessed it.  Send out your hack code, the box is yours.  It thinks
it is talking to the other guy and will accept your traffic.  That's all
there really is to it.

The BSD version of this pseudo-random number generation thing is really a
lot more truly random than other implementations.  Computing what the next
packet number will be -in real time-, starting from the packet numbers you
see going by between the two computers that are supposed to be doing the
talking, is pretty near impossible.

wes will
(I have to teach this stuff all the time...does it show?)

More information about the rescue mailing list