Saturday, May 17, 2014

Understanding the TCP ISN – with a taste of Scapy

In a discussion with a colleague, I recognized that there was some misunderstanding about the role of the Initial Sequence Number (ISN) in the operation of the TCP protocol. As a result, I thought this blog post may be helpful to anyone who needs to learn what the ISN's role is in TCP communication.

First, we need to understand that the Initial Sequence Number is only related to the TCP protocol.

Let’s look at the TCP Header.
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   |          Source Port          |       Destination Port        |
   |                        Sequence Number                        |
   |                    Acknowledgment Number                      |
   |  Data |           |U|A|P|R|S|F|                               |
   | Offset| Reserved  |R|C|S|S|Y|I|            Window             |
   |       |           |G|K|H|T|N|N|                               |
   |           Checksum            |         Urgent Pointer        |
   |                    Options                    |    Padding    |
   |                             data                              |
                            TCP Header Format

As we can see from above, there is no field that states “Initial Sequence Number”. However, there is a field called “Sequence Number”. The number which is first used when establishing communication is what is known as the Initial Sequence Number. Understanding the TCP 3-way handshake is critical to understanding how this Initial Sequence Number (ISN) is used.

According to RFC 793, "If SYN is present, the sequence number is the Initial Sequence Number (ISN)". In other words, a sequence number should only be treated as an initial sequence number when the SYN flag is set. This means that when a client and a server attempt to establish communication via TCP, both the client and the server generate their own initial sequence numbers.

In TCP over IPv4, the sequence number field is 4 bytes (32 bits), and the ISN is chosen using pseudo-random number generators (PRNGs).

Let's look at this using an example.
In this lab, we will target a system running Windows 2012 with port 80 open.
The two tools we will use are scapy and tshark. For the client, we will manually set the Initial Sequence Number (ISN) to 12345. For the server, we will let its TCP/IP stack generate its ISN.

Let's do this!
First, scapy:
>>> send(IP(src="",dst="")/TCP(flags="S", seq=12345),count=1)
Sent 1 packets.

Now let's analyze the tshark output:
root@securitynik:~# tshark -n -i eth0 -Y "tcp.port==80"
Capturing on 'eth0'
2.141961 ->    TCP 54 20 > 80 [SYN] Seq=12345 Win=8192 Len=0
2.142908 ->   TCP 60 80 > 20 [SYN, ACK] Seq=3113386566 Ack=12346 Win=8192 Len=0 MSS=1460

As can be seen above, the first packet is the client trying to establish a connection to the server. In this case the Initial Sequence Number (ISN) is 12345, and the SYN flag is set. In the response packet from the server, the ACK flag is set, but the flag of importance to us for this post is the SYN flag: the server is responding to the client's request and is sending its own ISN, 3113386566. Note also that the server's acknowledgment number is 12346, which is the client's ISN plus one.
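As an added illustration (my own code, not part of the original post and not Scapy), the following pure-Python snippet builds the two handshake segments with the ISNs seen in the tshark output and checks the RFC 793 relationship: the sequence number is an ISN only when SYN is set, and the SYN/ACK's acknowledgment number must equal the client's ISN plus one (modulo 2^32, since the field is 32 bits). The builder, parser and check functions are assumptions of this example, not library APIs.

```python
import struct

# Flag bits from the TCP header (bit positions in the flags byte).
TCP_SYN = 0x02
TCP_ACK = 0x10

# Wire layout of a 20-byte TCP header without options:
# sport, dport, seq, ack, data-offset byte, flags, window, checksum, urgent ptr.
TCP_HDR_FMT = "!HHIIBBHHH"


def build_tcp_header(sport, dport, seq, ack, flags, window=8192):
    """Build a minimal 20-byte TCP header (no options, checksum left zero)."""
    data_offset = 5 << 4  # header length = 5 x 32-bit words, no options
    return struct.pack(TCP_HDR_FMT, sport, dport, seq, ack,
                       data_offset, flags, window, 0, 0)


def parse_tcp_header(raw):
    """Return the header fields that matter for the handshake."""
    (sport, dport, seq, ack, offset_byte, flags,
     window, _csum, _urg) = struct.unpack(TCP_HDR_FMT, raw[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "syn": bool(flags & TCP_SYN), "ackflag": bool(flags & TCP_ACK),
            "window": window, "header_len": (offset_byte >> 4) * 4}


def isn_of(hdr):
    """Per RFC 793 the sequence number is an ISN only when SYN is set."""
    return hdr["seq"] if hdr["syn"] else None


def check_handshake(syn_raw, synack_raw):
    """Check that a SYN/ACK answers a SYN: ports swapped, SYN set on both,
    ACK set only on the reply, and reply.ack == client ISN + 1 (mod 2**32).
    Returns None if either segment carries no ISN (SYN flag not set)."""
    syn, synack = parse_tcp_header(syn_raw), parse_tcp_header(synack_raw)
    client_isn, server_isn = isn_of(syn), isn_of(synack)
    if client_isn is None or server_isn is None:
        return None
    ok = (synack["sport"] == syn["dport"] and synack["dport"] == syn["sport"]
          and synack["ackflag"] and not syn["ackflag"]
          and synack["ack"] == (client_isn + 1) % 2**32)
    return {"ok": ok, "client_isn": client_isn, "server_isn": server_isn}


if __name__ == "__main__":
    # Constructed segments mirroring the values in the tshark output above.
    client_syn = build_tcp_header(20, 80, 12345, 0, TCP_SYN)
    server_synack = build_tcp_header(80, 20, 3113386566, 12346, TCP_SYN | TCP_ACK)
    print(check_handshake(client_syn, server_synack))
```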

Hopefully the above helps someone else to get a better understanding of the role the ISN plays in TCP communication.
