Submitted by Anonymous (not verified) on Thu, 03/06/2014 - 00:00
Forums

Hi,

Does IceBreak use a timestamp as session token?

Niels Liisberg

Thu, 03/06/2014 - 00:00

Hi,

It is correct that IceBreak uses a timestamp as session token. However it is only a hash number for the real session. Also the timestamp is not sequential. It is also correct that you “only” have a million possible sessions, however that is pr second. Our random seed algorithm is: pick a time. Then pick a number between 0 and 999999 for within that second.

You can even let the client's IP address go into that equation by setting “bind client TCP/IP to session” to *YES (see screen shot).

Let's say you want to guess a session – lets just say, you know, it starts today then it will be:

24x60x60x100000 which gives a finite number of 86.4000.000.000 session pr day. However the client can pick any session id they like which gives the constraint value of:

9999x12x30x24x60x60x1000000 which is:

3,11 x1+ ^17 …some thing like  31.100.889.800.000.000

Now. Tomcat is using an integer as seed which gives a finite number of 2^32 which gives 8.589.934.592 possible sessions:
http://docs.oracle.com/javase/7/docs/api/java/lang/Integer.html

So pick a session ..

Best regards,
Niels Liisberg