
IP spoofed telnet session?

Name: Anonymous 2009-04-05 18:56

I have this proxy firewall that's poorly set up: the TCP session sequence number always starts at 0, I know the trusted IP range, and there's no ingress control. What's the easiest way to blindly spoof a telnet session and set up a backdoor? I've got 2 days to demonstrate an attack and it would take me much longer to write a program from scratch.

Name: Anonymous 2009-04-06 19:04

Uhh, a TCP SYN will always have a sequence number of 0. SYN means "synchronize sequence numbers"... Are you saying that the sequence number after the final ACK in the handshake is set to zero? If so, that proxy is not adhering to the RFC and deserves to be raped. The final ACK should have a seq number of 1.

SYN - SN = 0
SYN/ACK - SN = 0
ACK - SN = 1

NOTHING ELSE!
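
A defensive check for the condition described in the opening post (a device whose TCP sequence numbers always start from the same value), as an added example that is not part of the thread: it reads the raw initial sequence numbers from SYN/ACK headers and reports whether they are constant or step by a fixed amount. The segment bytes, ports and function names are constructed for illustration.

```python
import struct

SYN, ACK = 0x02, 0x10

def parse_tcp(segment: bytes):
    """Return (src_port, dst_port, raw_seq, raw_ack, flags) from a TCP header."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", segment[:14])
    return sport, dport, seq, ack, off_flags & 0x01FF

def server_isns(segments):
    """Collect the raw initial sequence numbers from SYN/ACK segments only."""
    isns = []
    for seg in segments:
        _, _, seq, _, flags = parse_tcp(seg)
        if flags & (SYN | ACK) == (SYN | ACK):
            isns.append(seq)
    return isns

def classify_isns(isns):
    """Classify a series of ISNs as 'constant', 'fixed-increment' or 'varied'."""
    if len(isns) < 3:
        return "insufficient-data"
    # Differences are taken modulo 2**32 because sequence numbers wrap.
    deltas = {(b - a) % 2**32 for a, b in zip(isns, isns[1:])}
    if deltas == {0}:
        return "constant"
    if len(deltas) == 1:
        return "fixed-increment"
    return "varied"

def make_segment(seq, ack, flags, sport=23, dport=40000):
    """Build a constructed 20-byte TCP header (checksum left at 0) for the demo."""
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                       (5 << 12) | flags, 65535, 0, 0)

# Constructed samples, not captured traffic.
ZERO_ISN = [make_segment(0, c + 1, SYN | ACK) for c in (1000, 2000, 3000, 4000)]
STEP_ISN = [make_segment(64000 * i, 1, SYN | ACK) for i in range(1, 5)]
MIXED_ISN = [make_segment(s, 1, SYN | ACK)
             for s in (0x9C2F11A0, 0x13E0B7C4, 0xE45A0012, 0x5B7790FE)]

if __name__ == "__main__":
    for name, capture in (("zero", ZERO_ISN), ("step", STEP_ISN), ("mixed", MIXED_ISN)):
        print(name, classify_isns(server_isns(capture)))
```

A result of "varied" only means these two simple patterns were not found; it is not a measure of how unpredictable the values are.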
