1. Attacker interacts with the targeted trusting server to determine the predictability of its initial sequence number (ISN).
2. Attacker launches a denial-of-service attack (e.g. SYN flood or smurf attack) against the trusted system to force it not to respond to a spoofed TCP connection.
3. Attacker uses rsh to connect to the targeted trusting server using the spoofed IP address of the trusted server.
4. Trusting server sends a SYN-ACK packet to the unresponsive trusted server.
5. Attacker sends an ACK packet to the trusting server with a guess at the sequence number. If the ISN is correct, a connection is made.
6. Although the attacker cannot initially see reply packets from the trusting server, the attacker can issue a command to append “++” to the hosts.equiv or .rhosts file. The trusting server will now trust all machines, and IP spoofing is no longer needed.