The Mitnick attack
From Computing and Software Wiki
Line 18: | Line 18: | ||
==The attack== | ==The attack== | ||
+ | [[Image:Mitnickattack.JPG|frame|right|The Mitnick attack]] | ||
The Mitnick attack has five general steps: | The Mitnick attack has five general steps: | ||
====Step 1: Information gathering==== | ====Step 1: Information gathering==== | ||
Line 37: | Line 38: | ||
There is no specific mechanism to detect the Mitnick attack. However, a security analyst can combine several mechanisms to detect the attack. Basically, the attack can be detected by both network-based and host-based intrusion detection systems ([http://en.wikipedia.org/wiki/Intrusion_detection_system IDS]). For network-based IDS, port scan and host scan can be used to detect a potential attack. For host-based IDS, the attack can be detected using two commonly used UNIX tool, ''TCP wrappers'' and ''tripwire''. For further details, refer to the book '''Network Intrusion Detection, an analyst's hand book''' by ''Stephen Northcutt'' (ISBN: 0-7357-0868-1) | There is no specific mechanism to detect the Mitnick attack. However, a security analyst can combine several mechanisms to detect the attack. Basically, the attack can be detected by both network-based and host-based intrusion detection systems ([http://en.wikipedia.org/wiki/Intrusion_detection_system IDS]). For network-based IDS, port scan and host scan can be used to detect a potential attack. For host-based IDS, the attack can be detected using two commonly used UNIX tool, ''TCP wrappers'' and ''tripwire''. For further details, refer to the book '''Network Intrusion Detection, an analyst's hand book''' by ''Stephen Northcutt'' (ISBN: 0-7357-0868-1) | ||
== Prevention== | == Prevention== | ||
- | + | Since now we know how Mitnick attacked Shimomura, we can easily prevent this kind of attack by simply randomize out TCP sequence number. However, nowadays Mitnick attack is no longer practical. Computer users use SSH instead of RSH like before. | |
==Comments== | ==Comments== | ||
The Mitnick attack was a classic case. Mitnick took advantage of yet-to-be-known weaknesses. After his case, computer security was taken seriously. New tools was developing to improve security. SSH is used to replace RSH. UNIX systems are built with security in mind. | The Mitnick attack was a classic case. Mitnick took advantage of yet-to-be-known weaknesses. After his case, computer security was taken seriously. New tools was developing to improve security. SSH is used to replace RSH. UNIX systems are built with security in mind. | ||
Line 50: | Line 51: | ||
[http://en.wikipedia.org/wiki/Tsutomu Tsutomu Shimomura (the victim of the attack)] | [http://en.wikipedia.org/wiki/Tsutomu Tsutomu Shimomura (the victim of the attack)] | ||
- | [http://en.wikipedia.org/wiki/Kevin_Mitnick Kevin Mitnick (the | + | [http://en.wikipedia.org/wiki/Kevin_Mitnick Kevin Mitnick (the attacker)] |
== External links == | == External links == | ||
Line 58: | Line 59: | ||
Amazon.com: [http://www.amazon.com/Network-Intrusion-Detection-Analysts-Handbook/dp/0735708681 '''Network intrusion detection, an analyst's handbook''' by ''Stephen Northcutt''] | Amazon.com: [http://www.amazon.com/Network-Intrusion-Detection-Analysts-Handbook/dp/0735708681 '''Network intrusion detection, an analyst's handbook''' by ''Stephen Northcutt''] | ||
+ | |||
+ | ==Other information security topics== |
Revision as of 17:39, 4 December 2007
Contents |
Who is Mitnick?
Kevin Mitnick(born October 6, 1963) is known as "the most famous" hacker in US. He hacked into Tsutomu Shimomura's computer(referred as the target) to steal information on December 25, 1994. He was captured by the FBI with the aid of Tsutomu and sentenced 5 years in prisons. Now he is a security consultant in his own firm Mitnick Security Consulting.
Overview
Kevin Mitnick used IP spoofing, TCP(Internet Protocol Suite) sequence number prediction to gain access control of target's computer. The Mitnick attack is a form of Man-in-the-middle attack. It corrupted the three-way handshake.
Three-way handshake
If there is a trusted relationship between two computers (e.g. server and client), a connection can be established by a three-way handshake. In the Mitnick attack, the three-way handshake used TCP sequence number and IP address as proof for identity and signature. Three-way handshake has three steps:
Step 1: SYN request Computer A sends a SYN request under its IP address with a random TCP sequence number xA to computer B.
Step 2: SYN/ACK response Computer B sends an ACK response with number (xA+1) and its own random TCP sequence number xB back to computer A.
Step 3: ACK or RESET response If computer A wants to establish the connection, it sends an ACK response with number (xB+1) back to computer B. Otherwise, it sends a RESET response to drop the connection request.
The attack
The Mitnick attack has five general steps:
Step 1: Information gathering
Before the attack, Mitnick was able to determine the TCP sequence number generator’s behavior of X-Terminal and a trusted relationship between X-Terminal and Server.
Determine the TCP sequence number generator’s behavior
Mitnick sent SYN request to X-Terminal and received SYN/ACK response. Then he sent RESET response to keep the X-Terminal from being filled up. He repeated this for twenty times. He found there is a pattern between two successive TCP sequence numbers. It turned out that the numbers were not random at all. The latter number was greater than the previous one by 128000.
Determine a trusted relationship between X-Terminal and Server
Before the attack, Mitnick hacked into Shimomura’s website. He used command finger and showmount to find if X-Terminal had trusted relationship with any other computers.
Step 2: The flood
Mitnick kept the Server muted by filling the Server up with half-open SYN requests from spoofed IP address. To create half-open SYN requests, he used routable but not active IP address. Because he had no intention to complete three-way handshake with the Server, half-open SYN request occupied the Server’s memory faster. The result is that the Server could not respond to any other requests. This is a type of Denial of Service attack.
Step 3: Trusted relationship hijacking
Mitnick sent a SYN request to X-Terminal with spoofed IP address as the Server. He used an arbitrary number as the Server’s TCP sequence number. X-Terminal sent a SYN/ACK response to the Server. Because the Server was muted, it did not receive the SYN/ACK response. As mentioned in the information gathering step, Mitnick was able to generate the TCP sequence number that X-Terminal created for the Server. Mitnick, again spoofed his IP as the Server’s IP, sent an ACK response to X-Terminal to finish three-way handshake. Because the returned TCP sequence number was correct, X-Terminal allowed Mitnick connect to it. The connection was established. Shimomura’s computer was considered hacked by finishing this step.
Step 4: Remote command pump
Mitnick wanted to create a backdoor on Shimomura computer so that he could come back later without repeating the hijack. He pumped commands from his computer to Shimomura’s computer. To be precise, they were echo + + >> /.rhosts. The ++ allowed any computers connect to X-Terminal without being verified.
Step 5: Clean up
Mitnick sent RESET responses to the Server to cancel all his SYN requests. The Server was freed.
Detection
There is no specific mechanism to detect the Mitnick attack. However, a security analyst can combine several mechanisms to detect the attack. Basically, the attack can be detected by both network-based and host-based intrusion detection systems (IDS). For network-based IDS, port scan and host scan can be used to detect a potential attack. For host-based IDS, the attack can be detected using two commonly used UNIX tool, TCP wrappers and tripwire. For further details, refer to the book Network Intrusion Detection, an analyst's hand book by Stephen Northcutt (ISBN: 0-7357-0868-1)
Prevention
Since now we know how Mitnick attacked Shimomura, we can easily prevent this kind of attack by simply randomize out TCP sequence number. However, nowadays Mitnick attack is no longer practical. Computer users use SSH instead of RSH like before.
Comments
The Mitnick attack was a classic case. Mitnick took advantage of yet-to-be-known weaknesses. After his case, computer security was taken seriously. New tools was developing to improve security. SSH is used to replace RSH. UNIX systems are built with security in mind.
Further readings
Open Systems Interconnection Basic Reference Model (OSI Model)
Tsutomu Shimomura (the victim of the attack)
External links
Amazon.com: Network intrusion detection, an analyst's handbook by Stephen Northcutt