• News
• Infocus
• Foundations
• Microsoft
• Unix
• IDS
• Incidents
• Virus
• Pen-Test
• Firewalls
• Columnists
• Mailing Lists
• Newsletters
• Bugtraq
• Focus on IDS
• Focus on Linux
• Focus on Microsoft
• Forensics
• Pen-test
• Security Basics
• Vuln Dev
• Vulnerabilities
• Jobs
• Job Opportunities
• Resumes
• Job Seekers
• Employers
• Tools
• RSS
• News
• Vulns
• Security Research

• info
• discussion
• exploit
• solution
• references

NT Predictable TCP Sequence Number Vulnerability

Windows NT 4 uses predictable TCP sequence number generating algorithms that could allow an attacker to set up connections to other machines with a spoofed source address of the NT host.

Windows NT4.0 until and including SP3 used a predictable means of generating initial TCP sequence numbers, incerementing it by one every millisecond. Alerted to this problem, they changed the method in SP4. However, the new method is in fact easier to predict than the previous one: Now there only 8 possible increments, (0, 2, 4, 6, 8, 10, 12, and 14) and the fact that most TCP/IP stacks will ignore invalid sequence numbers makes this easy to exploit - obtain a valid sequence number, and send 8 packets to the target, each with one of the possible next sequence numbers.