---
title: "TCP seqno prediction"
author: "Andrew Fuller"
date: 2012-12-06
header-includes: |
---
### TCP
. . .
`>` SYN
. . .
`<` SYN/ACK
. . .
`>` ACK
. . .
```
> GET /index.html\r\n
Host: lemonparty.com\r\n
Connection: close\r\n
```
::: {role=note}
Some notes. They are only visible using onstage shell.
:::
### TCP
. . .
`>` SYN (0)
. . .
`<` SYN(0)/ACK(1)
. . .
`>` ACK(1)
### TCP
. . .
`>` SYN(0)
. . .
[`<` SYN(0)/ACK(1)]{.greyed-out}
. . .
`>` ACK(1)
### TCP
. . .
`>` SYN(39275)
. . .
[`<` SYN(11902)/ACK(39276)]{.greyed-out}
. . .
`>` ACK(?)
### Sequence numbers
```
S0 = 244782
S1 = 245581
S2 = 246380
S3 = 247176
S4 = 247975
S5 = 248771
...
```
### Sequence numbers
Map relationships to cartesian coordinates:
$$
\begin{aligned}
x_t &= D_t = S_t - S_{t-1} \\
y_t &= D_{t-1} = S_{t-1} - S_{t-2} \\
z_t &= D_{t-2} = S_{t-2} - S_{t-3}
\end{aligned}
$$
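The mapping above applied to the sample ISNs from the previous slide, as an added example that is not part of the original deck; it also reports the spread of the deltas, which is the window a predictor would have to search and so a quick measure of how predictable the generator is (the function and constant names are my own):

```python
# Added example (not from the original slides): turn a run of observed
# initial sequence numbers (ISNs) into the (x, y, z) points defined above
# and measure how tightly the deltas cluster.
# SAMPLE_ISNS are the S0..S5 values shown on the preceding slide.

ISN_MODULUS = 2 ** 32  # TCP sequence numbers are 32-bit and wrap

SAMPLE_ISNS = [244782, 245581, 246380, 247176, 247975, 248771]


def deltas(isns):
    """D_t = S_t - S_{t-1}, reduced mod 2^32 so a wrapped counter still
    gives a small step instead of a huge negative one."""
    return [(isns[t] - isns[t - 1]) % ISN_MODULUS for t in range(1, len(isns))]


def attractor_points(isns):
    """(x_t, y_t, z_t) = (D_t, D_{t-1}, D_{t-2}); the first point needs
    three deltas, i.e. four consecutive ISNs."""
    d = deltas(isns)
    return [(d[i], d[i - 1], d[i - 2]) for i in range(2, len(d))]


def guess_window(isns):
    """Spread of the deltas (max - min).

    A window of a few values means the next ISN is guessable after a handful
    of probes; a window close to 2^32 means the deltas are spread over the
    whole space and the generator is effectively unpredictable."""
    d = deltas(isns)
    return max(d) - min(d)


if __name__ == "__main__":
    for point in attractor_points(SAMPLE_ISNS):
        print(point)
    print("guess window:", guess_window(SAMPLE_ISNS))
```

For the slide's values the deltas are 799, 799, 796, 799, 796, giving only three distinct points and a window of 3, which is why that attractor collapses to a tiny cluster.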
---
![placeholder](photos/fig10-3_0.jpg){.hidden-text}
---
![Windows 98](photos/fig10-6_0.jpg){.white-text}
---
![FreeBSD 4.2](photos/fig10-7_0.jpg){.white-text}
---
![NT 4.0 SP3](photos/fig10-10_0.jpg){.white-text}
---
![IRIX 6.5](photos/fig10-11_0.jpg){.white-text}
---
![OpenVMS 7.2](photos/fig10-14_0.jpg){.white-text}
---
![NetWare 6](photos/fig10-12_0.jpg){.white-text}
---
![Linux 2.2](photos/linux.jpg){.white-text}
### Attacks
- rlogin
- IP-based auth
- Mitnick's Christmas Day attack
### Attacks
![placeholder](photos/seqno_attack.png){.hidden-text .maxheight}
### Attacks
ISNProber

- Determine whether a set of IPs is served by the same host
### Attacks
Active fingerprinting

- QueSO ("Que Sistema Operativo?")
- Xprobe 2
- Nmap
### Attacks
Passive fingerprinting

- Nmap
- Ettercap
- Sscan2kpre625
### Q&A
Any questions?