zlacker

back in the '90s I was into connecting to IRC servers using spoofed IP addresses. The way it worked is you told the software what OS you were connecting to (or it would figure it out itself, I can't recall). Each OS had a unique way of generating TCP sequence numbers, which allowed the software to guess which number would come next.

Nowadays OSes have protection for this sort of thing. But I'd imagine you could still fingerprint an OS like that. Combine that with TLS, HTTP, etc. specifics and you could narrow it down quite a bit I bet.

>>deckar+(OP)
How are you going from guessing TCP sequences to spoofing IP addresses on TCP connections? Did you breeze over a step or am I missing something obvious?

>>wrboyc+r
TCP packets contain sequence numbers that must correspond to the ones sent by the other side. This is an issue if you're spoofing packets because you don't receive packets (containing the sequence numbers) from the other side (they will go to the spoofed address, rather than yours). Without the other side's sequence numbers, your replies will be considered invalid, which means you can't complete the handshake[1] to establish a connection. However, if you can successfully guess the sequence numbers, you can complete the handshake and also write arbitrary data to the stream. You still won't be able to receive data, but for simple protocols like irc, it can still be useful eg. connecting to a server and then sending spam to an user/channel.

[1] https://en.wikipedia.org/wiki/Transmission_Control_Protocol#...

>>wrboyc+r
The mitigations for spoofing sequence numbers might be different for each OS, and that would allow the OS to be fingerprinted. See nmap's OS fingerprinting, for example.

>>deckar+(OP)
Yep, `nmap -O` works pretty well!