I have this proxy firewall that's poorly set up, the TCP session sequence number always starts at 0, I know the trusted IP range, and there's no ingress control. What's the easiest way to blindly spoof a telnet session and set up a backdoor? I've got 2 days to demonstrate an attack and it would take me much longer to write a program from scratch.
Name:
Anonymous 2009-04-05 18:58
Changing the DHCP could confuse an intruder a bit, but it would require changing the DHCP config file on the router, and I'm sure you can't do that with the normal tools on most routers. Also you'd need to change the router's subnet and IP so that the intruder can't find it just by remembering the old IP. And you need to remember not to accidentally use the DHCP yourself. All in all, too much effort for too little gain in security.
>>1
Set up the backdoor with telnet as if you were a trusted client, and record the packets that are sent. Then blindly replay those packets as if you were an attacker (spoofing the IP).
Name:
Anonymous 2009-04-05 20:13
>>4
I could do that, but someone without access to one of the trusted hosts wouldn't be able to do that. Still, that's better than nothing. And I suppose in the real world internal attacks are more viable than external ones.
What are some other types of attacks I could try and demonstrate on a firewall? It's a proxy for a Telnet, HTTP, FTP, and SMTP server.
Name:
Anonymous 2009-04-05 20:24
>>5
Performing a blind SMTP session is quite straightforward - you could try spoofing spam mails out from the proxy.
Name:
Anonymous 2009-04-05 21:06
>>5
If you know sequencing starts at 0 the attacker could just set up a dummy router and telnet server to do the same, then record dropping the backdoor into that, then replay a spoofed version to the victim.
uhh, a tcp syn will always have a sequence number of 0. Syn means "synchronize sequence numbers"... Are you saying that the sequence number after the final ack in the handshake is set to zero? If so, that proxy is not adhering to the RFC and deserves to be raped. The final ack should have a seq number of 1.
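A defensive check for the ISN question raised in this thread, added here and not written by any poster: it audits recorded handshakes for a zero, reused or constantly advancing server ISN and for final ACKs that do not carry ISN+1. The Handshake records are constructed sample data; note that the 0 most capture tools display for a SYN is a relative number, while the absolute ISN is whatever the stack chose.

```python
from dataclasses import dataclass

MOD = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around

@dataclass
class Handshake:
    """One three-way handshake as seen by a capture tool (absolute numbers)."""
    client_isn: int  # SEQ in the client's SYN
    server_isn: int  # SEQ in the server's (or proxy's) SYN/ACK
    ack_seq: int     # SEQ in the client's final ACK
    ack_ack: int     # ACK number in the client's final ACK

def follows_rfc793(h: Handshake) -> bool:
    """A SYN consumes one sequence number, so the final ACK must carry
    seq = client ISN + 1 and ack = server ISN + 1 (mod 2**32)."""
    return (h.ack_seq == (h.client_isn + 1) % MOD
            and h.ack_ack == (h.server_isn + 1) % MOD)

def audit_isns(handshakes: list) -> list:
    """Flag the weaknesses the thread describes: a zero or reused server ISN,
    ISNs that advance by a constant step, and handshakes that break RFC 793."""
    findings = []
    isns = [h.server_isn for h in handshakes]
    for i, h in enumerate(handshakes):
        if h.server_isn == 0:
            findings.append(f"handshake {i}: server ISN is 0")
        if not follows_rfc793(h):
            findings.append(f"handshake {i}: final ACK does not use ISN+1")
    if len(set(isns)) < len(isns):
        findings.append("server ISN reused across connections")
    steps = {(b - a) % MOD for a, b in zip(isns, isns[1:])}
    if len(isns) >= 3 and len(steps) == 1:
        findings.append(f"server ISN advances by constant step {steps.pop()}")
    return findings

# Constructed sample: the first proxy behaves like the thread's misconfigured
# one (ISN always 0); the second picks unpredictable ISNs.
BAD_PROXY = [Handshake(c, 0, c + 1, 1) for c in (0x1A2B3C4D, 0x7F00F00D, 0x00C0FFEE)]
GOOD_PROXY = [
    Handshake(0x1A2B3C4D, 0x9E3779B9, 0x1A2B3C4E, 0x9E3779BA),
    Handshake(0x7F00F00D, 0x243F6A88, 0x7F00F00E, 0x243F6A89),
    Handshake(0x00C0FFEE, 0xB7E15162, 0x00C0FFEF, 0xB7E15163),
]

if __name__ == "__main__":
    for name, hs in (("bad proxy", BAD_PROXY), ("good proxy", GOOD_PROXY)):
        print(name, audit_isns(hs) or ["no findings"])
```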