Bugtraq mailing list archives

Re: NT Predictable Initial TCP Sequence numbers - changes observed with SP4


From: lm () SYMBOLIC IT (Luigi Mori)
Date: Fri, 27 Aug 1999 22:06:26 -0700


Roy Hills wrote:

As many people will be aware, the Microsoft TCP/IP stack for NT 4.0 up to and
including SP3 used a simple "one-per-millisecond" increment for the initial TCP
sequence number.  This was changed in SP4 to make the initial sequence number
generation less predictable.  However I've found that, while the initial TCP
sequence number pattern has changed from SP3 to SP4, it's still quite
predictable.

The key features of the new SP4 pattern are:

a) It uses small positive increments between 0 and 14 inclusive;
b) The increment appears to always be an even number: 0, 2, 4, 6, 8, 12, 10
   or 14;
c) The increment does not appear to be time-related - the pattern is the
   same whether the time difference between samples is 20ms or 1s.


Actually, the SP4 pattern is a weak function of KeQueryTickCount, the
number of segments received by the TCP/IP stack (insegs), and the last
ISN (LastISN). It looks like this:
        NewISN = LastISN + (KeQueryTickCount() & 0x8) + (insegs & 0x7)

The maximal increment is just 15, and it's quite predictable.

greetings to IDA (http://www.datarescue.com)

Luigi Mori
Symbolic -- http://www.symbolic.it
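An added example, not from this thread: a model of the increment rule Luigi gives above, plus the kind of ISN-predictability check an auditor would run over ISNs sampled from a host. The starting ISN, the simulated tick and segment counters, and the 2^16 spread threshold are constructed assumptions.

```python
# Added example (not from the post): models the SP4 rule
#   NewISN = LastISN + (KeQueryTickCount() & 0x8) + (insegs & 0x7)
# and measures how tightly the resulting ISNs cluster. The tick and
# segment counters, the starting ISN and the threshold are assumptions.

from typing import List, Tuple

MASK32 = 0xFFFFFFFF


class Sp4IsnModel:
    """Simulates the quoted SP4 increment rule with fake counters."""

    def __init__(self, last_isn: int = 0x12345678, tick: int = 0, insegs: int = 0):
        self.last_isn = last_isn & MASK32
        self.tick = tick        # stands in for KeQueryTickCount()
        self.insegs = insegs    # stands in for segments received so far

    def next_isn(self, ticks_elapsed: int, segments_received: int) -> int:
        self.tick += ticks_elapsed
        self.insegs += segments_received
        inc = (self.tick & 0x8) + (self.insegs & 0x7)   # at most 8 + 7 = 15
        self.last_isn = (self.last_isn + inc) & MASK32
        return self.last_isn


def isn_increments(isns: List[int]) -> List[int]:
    """Differences between consecutive sampled ISNs, modulo 2^32."""
    return [(b - a) & MASK32 for a, b in zip(isns, isns[1:])]


def assess_predictability(isns: List[int]) -> Tuple[int, int, bool]:
    """Return (max_increment, distinct_increments, predictable).
    If every observed increment fits in a small window, the next ISN of a
    new connection can be bracketed from the last one, which is the weakness
    the thread describes."""
    incs = isn_increments(isns)
    max_inc = max(incs) if incs else 0
    # Assumed threshold for illustration: spread below 2^16 between samples.
    return max_inc, len(set(incs)), max_inc < 0x10000


def sample_sp4(n: int = 64) -> List[int]:
    """Constructed sample: n ISNs with alternating short/long gaps between
    connections (cf. the 20ms vs 1s observation) and varying traffic."""
    model = Sp4IsnModel()
    out = [model.last_isn]
    for i in range(n):
        ticks = 2 if i % 2 else 100
        out.append(model.next_isn(ticks, segments_received=3 + (i % 5)))
    return out
```

Running `assess_predictability(sample_sp4())` reports a maximum increment of no more than 15 and flags the generator as predictable, whereas a sequence with wide random spacing is not flagged.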

