The Mitnick attack
From Computing and Software Wiki
Revision as of 20:36, 10 November 2007
Who is Mitnick?
Kevin Mitnick (born October 6, 1963) is known as "the most famous" hacker in the US. He hacked into Tsutomu Shimomura's computer (referred to here as the target) to steal information on December 25, 1994. He was captured by the FBI with the aid of Shimomura and sentenced to 5 years in prison.
Overview
Kevin Mitnick used IP spoofing and TCP sequence number prediction to gain control of the target's computer. The Mitnick attack is a form of man-in-the-middle attack: it subverted the TCP three-way handshake.
How did it happen?
First, Mitnick had to determine whether there was a trust relationship between the target and any server it was connected to. If there was, he could start the attack.
Preparation
Mitnick was able to predict the sequence number in the TCP header of the target's SYN/ACK packet. Being able to predict that number allowed him to pass himself off as the trusted server.
Step 1: SYN flooding
Mitnick continuously sent SYN packets with a fake source IP address to the server, so that the server could not respond to genuine requests (it was effectively muted).
Step 2: Hijacking
Mitnick spoofed the server's IP address and sent a request to establish a connection with the target.
Mitnick -----SYN-----> target : "I am your server and I want to connect to you"
The target accepted his request and required a three-way TCP handshake to validate the identity of the requester. To perform the handshake, the target sent a SYN/ACK packet to the server, the address the SYN claimed to come from.
target -----SYN/ACK-----> server : "You requested a connection. Now I want to confirm that. Send me your confirmation please."
There are two cases now.
1. If the server really had sent the request, it would send an ACK packet back to the target, and a trusted connection would be established.
target <-----ACK----- server : "Yes, I confirm. Let's connect!"
2. If the server had not sent the request, it would send a RST (reset) packet back to the target, and the connection would be dropped.
target <-----RST----- server : "Sorry, I did not request it. There must be a mistake. Please drop the connection now."
But the server, muted by the SYN flood, could not send a RST packet to the target. This is where Mitnick sent an ACK packet to the target, carrying the predicted sequence number, and completed the three-way handshake.
Mitnick -----ACK----->target : "Yes, I confirm. Let's connect!"
The one-way connection was established. The target now believed it was connected to the server and would allow Mitnick to run any commands on it.
Step 3: Cleaning up
After successfully hacking into the target, he did not want to draw attention by continuing to keep other users from logging into the server, so he sent out a series of RST packets to end the SYN flood.
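The following model of the three-way handshake is an added illustration, not code from the wiki page: it shows why a target that hands out predictable initial sequence numbers (ISNs) can be tricked into accepting an ACK from a host that never saw the SYN/ACK, and why a target that picks random ISNs (as RFC 6528 requires) rejects the same blind guess. The host names, the fixed-step ISN rule and the step size are constructed assumptions.

```python
"""Three-way handshake model: predictable vs. random ISNs.

Added example, not the wiki's own code. The fixed ISN step of 128000,
the host names "attacker"/"server" and the probe-then-guess flow are
constructed to illustrate the page's description.
"""
import secrets
from dataclasses import dataclass, field

MASK32 = 0xFFFFFFFF
STEP = 128000  # constructed fixed increment for the "predictable" rule


@dataclass
class Target:
    """Simplified TCP listener: half_open maps source host -> ISN it sent."""
    isn_rule: str                      # "predictable" or "random"
    last_isn: int = 0
    half_open: dict = field(default_factory=dict)
    established: set = field(default_factory=set)

    def issue_isn(self) -> int:
        if self.isn_rule == "predictable":
            self.last_isn = (self.last_isn + STEP) & MASK32
            return self.last_isn
        return secrets.randbelow(1 << 32)  # unguessable from any probe

    def on_syn(self, src: str) -> int:
        """SYN from src: reply with SYN/ACK carrying a fresh ISN."""
        isn = self.issue_isn()
        self.half_open[src] = isn
        return isn

    def on_ack(self, src: str, ack: int) -> bool:
        """Third segment: accept only if ack acknowledges the ISN we sent."""
        isn = self.half_open.get(src)
        if isn is None or ack != (isn + 1) & MASK32:
            return False               # real stack would answer with RST
        del self.half_open[src]
        self.established.add(src)
        return True


def blind_spoof(target: Target, trusted: str) -> bool:
    """The spoofer never sees the SYN/ACK sent to `trusted` (that host is
    muted), so it must infer the ISN from a probe sent from its own address."""
    observed = target.on_syn("attacker")        # SYN/ACK the spoofer can see
    target.half_open.pop("attacker")            # spoofer abandons its probe
    target.on_syn(trusted)                      # SYN claiming to be `trusted`
    guess = (observed + STEP + 1) & MASK32      # only right if ISNs step fixedly
    return target.on_ack(trusted, guess)
```

With the predictable rule `blind_spoof` returns True; with random ISNs the guess fails (probability 1 in 2^32 of a hit) and the handshake never completes.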