CAPEC-321: TCP Sequence Number Probe

Overview

CAPEC-321 (TCP Sequence Number Probe) is a detailed-level attack pattern catalogued by MITRE in the Common Attack Pattern Enumeration and Classification (CAPEC). It describes a recurring method attackers use to exploit software weaknesses.

What the attacker needs

Prerequisites

The ability to monitor and interact with network communications.Access to at least one host, and the privileges to interface with the network interface card.

Resources required

A tool capable of sending and receiving packets from a remote system.

Consequences

What a successful CAPEC-321 attack can achieve.

Read Data

Affects: Confidentiality

Bypass Protection Mechanism, Hide Activities

Affects: Confidentiality, Access Control, Authorization

The CWE weaknesses that CAPEC-321 exploits.

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

How this attack relates to others in the CAPEC hierarchy.

Parent

CAPEC-312: Active OS Fingerprinting

Frequently asked questions

Common questions about CAPEC-321.

What is CAPEC-321?

This OS fingerprinting probe tests the target system's assignment of TCP sequence numbers. One common way to test TCP Sequence Number generation is to send a probe packet to an open port on the target and then compare the how the Sequence Number generated by the target relates to the Acknowledgement Number in the probe packet. Different operating systems assign Sequence Numbers differently, so a fingerprint of the operating system can be obtained by categorizing the relationship between the acknowledgement number and sequence number as follows: 1) the Sequence Number generated by the target is Zero, 2) the Sequence Number generated by the target is the same as the acknowledgement number in the probe, 3) the Sequence Number generated by the target is the acknowledgement number plus one, or 4) the Sequence Number is any other non-zero number.

What weaknesses does CAPEC-321 target?

CAPEC-321 exploits 1 CWE weakness, including CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor).

How severe is CAPEC-321?

MITRE rates CAPEC-321 as Low severity with medium likelihood of attack.

References

MITRE CAPEC definition (CAPEC-321) (opens in a new tab)

Attack-pattern data is sourced from the MITRE CAPEC catalog (v3.9). Weakness associations link to the corresponding CWE entries on RadicalNotion.AI.