The Mitnick attack
From Computing and Software Wiki
Who is Mitnick?
Kevin Mitnick (born October 6, 1963) is often called the most famous hacker in the US. On December 25, 1994 he broke into computers belonging to the security researcher Tsutomu Shimomura (referred to below as the target) to steal files. He was arrested by the FBI in February 1995 with Shimomura's help and spent about five years in prison. He now runs his own security consulting firm, Mitnick Security Consulting.
Overview
Kevin Mitnick combined IP spoofing with TCP (Transmission Control Protocol) initial sequence number prediction to obtain a shell on the target. The target trusted another machine (the server) on the basis of its IP address alone, the way rlogin/rsh trust works, so a connection that appeared to come from the server was allowed to run commands without a password. The attack is sometimes described as a form of man-in-the-middle attack, but the attacker never saw the target's replies: it is a blind spoofing attack that abuses the TCP three-way handshake.
How did it happen?
Preparation
First, Mitnick had to find a host that the target trusted (the server). He then probed the target by opening a series of connections to it and watching the initial sequence number (ISN) that the target placed in each SYN/ACK. The target's ISN increased by a fixed amount with every new connection (128,000 per connection in Shimomura's account), so the ISN of the next SYN/ACK could be predicted. Because the final ACK of the handshake must carry that ISN plus one, predicting it allowed Mitnick to complete a handshake on the server's behalf without ever seeing the SYN/ACK.
Step 1: SYN flooding
Mitnick sent a stream of SYN packets to the server's login port, each with a forged source address that would never answer. The server allocated a half-open connection for every SYN and waited for ACKs that never came, so its backlog queue filled up. A server in this state is said to be muted: it drops further packets on that port and in particular cannot send a RST in reply to a SYN/ACK it never asked for.
Step 2: Hijacking
Mitnick then sent a SYN to the target's login port with the server's IP address as the forged source, requesting a connection.
Mitnick -----SYN-----> target : "I am your server and I want to connect to you"
The target accepted the request and, as with every TCP connection, continued the three-way handshake: it sent a SYN/ACK carrying its own initial sequence number to the server's address.
target -----SYN/ACK-----> server : "You requested a connection. Now I want to confirm that. Send me your confirmation please."
There are now two cases.
1. If the server had really sent the SYN, it would send an ACK back to the target and a trusted connection would be established.
target <-----ACK----- server : "Yes, I confirm. Let's connect!"
2. If the server had not sent the SYN, it would send a RST (reset) packet back to the target and the connection would be dropped.
target <-----RST----- server : "Sorry, I did not request it. There must be a mistake. Please drop the connection now."
Because the server was muted, it could not send that RST to the target. Mitnick instead sent the final ACK himself, again with the server's address as the source and with the acknowledgment number set to the predicted ISN plus one, which completed the three-way handshake.
Mitnick -----ACK----->target : "Yes, I confirm. Let's connect!"
A one-way (blind) connection was now established: the target believed it was talking to the trusted server and accepted commands from it, while Mitnick, who never received the target's replies, sent those commands blind. In Shimomura's account a single command was enough: it appended "+ +" to the target's .rhosts file, after which any host could log in without a password.
Step 3: Cleaning up
Having obtained access, Mitnick did not want to draw attention by keeping legitimate users locked out of the server. He therefore sent a series of RST packets to the server, one for each half-open connection he had created, which cleared the backlog and ended the flood.
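The whole procedure (the ISN probing from Preparation and Steps 1 to 3) as an added simulation. This is not part of the original page and is not the code Mitnick or Shimomura used; it models the three hosts in memory without sockets, and the host names, the backlog size of 8, the starting ISN and the 128,000 step are assumptions chosen for the simulation. Running it against a target that randomizes its ISNs, or against a server whose backlog is not filled, shows why each step is necessary.

```python
"""Added simulation of the attack above: ISN probing, SYN flood, blind
handshake and cleanup, modelled with three in-memory hosts and no sockets.
Host names, the backlog size and the starting ISN are assumptions."""
import random
from dataclasses import dataclass


@dataclass
class Packet:
    src: str        # source address; the attacker writes whatever it likes here
    dst: str
    flags: str      # "SYN", "SYN/ACK", "ACK" or "RST"
    seq: int = 0
    ack: int = 0


class Target:
    """Victim. Trusts `trusted_ip` by source address alone (rlogin/rsh style)
    and, like Shimomura's host, adds a fixed step to its ISN per connection."""
    def __init__(self, ip, trusted_ip, isn_step=128000, randomize_isn=False):
        self.ip, self.trusted_ip = ip, trusted_ip
        self.isn_step, self.randomize_isn = isn_step, randomize_isn
        self.isn = 1_000_000        # assumed starting value
        self.half_open = {}         # peer -> our ISN, waiting for the final ACK
        self.sessions = []          # peers that completed the handshake

    def next_isn(self):
        if self.randomize_isn:      # the fix: an attacker cannot guess this
            return random.getrandbits(32)
        self.isn = (self.isn + self.isn_step) & 0xFFFFFFFF
        return self.isn

    def receive(self, pkt):
        if pkt.flags == "SYN":
            isn = self.next_isn()
            self.half_open[pkt.src] = isn
            return Packet(self.ip, pkt.src, "SYN/ACK", seq=isn, ack=pkt.seq + 1)
        if pkt.flags == "RST":
            self.half_open.pop(pkt.src, None)
            return None
        if pkt.flags == "ACK" and pkt.src in self.half_open:
            if pkt.ack == (self.half_open.pop(pkt.src) + 1) & 0xFFFFFFFF:
                if pkt.src == self.trusted_ip:
                    self.sessions.append(pkt.src)   # commands now run unchecked
                return None
        return Packet(self.ip, pkt.src, "RST")       # wrong ack number or no session


class Server:
    """The trusted host. Its login port keeps a small SYN backlog; when the
    backlog is full it silently drops packets, i.e. it is 'muted'."""
    def __init__(self, ip, backlog=8):
        self.ip, self.backlog = ip, backlog
        self.half_open = set()

    def muted(self):
        return len(self.half_open) >= self.backlog

    def receive(self, pkt):
        if pkt.flags == "SYN" and not self.muted():
            self.half_open.add(pkt.src)
            return Packet(self.ip, pkt.src, "SYN/ACK", ack=pkt.seq + 1)
        if pkt.flags == "RST":
            self.half_open.discard(pkt.src)
        elif pkt.flags == "SYN/ACK" and not self.muted():
            return Packet(self.ip, pkt.src, "RST", seq=pkt.ack)   # "I never asked"
        return None


def probe_isn(attacker_ip, target, probes=3):
    """Preparation: open real connections, read the ISNs, derive the step."""
    isns = []
    for i in range(probes):
        synack = target.receive(Packet(attacker_ip, target.ip, "SYN", seq=i))
        isns.append(synack.seq)
        target.receive(Packet(attacker_ip, target.ip, "RST"))   # tear down quietly
    steps = {(b - a) & 0xFFFFFFFF for a, b in zip(isns, isns[1:])}
    return (steps.pop() if len(steps) == 1 else None), isns[-1]


def mitnick_attack(attacker_ip, target, server, flood_sources):
    step, last_isn = probe_isn(attacker_ip, target)
    if step is None:
        return "ISN not predictable"
    # Step 1: SYN flood the server from addresses that never answer.
    for src in flood_sources:
        server.receive(Packet(src, server.ip, "SYN"))
    # Step 2: spoofed SYN; the SYN/ACK reaches the real server, which RSTs it
    # unless it is muted. The attacker never sees it and ACKs blind.
    synack = target.receive(Packet(server.ip, target.ip, "SYN", seq=42))
    reply = server.receive(synack)
    if reply is not None:
        target.receive(reply)
    predicted = (last_isn + step + 1) & 0xFFFFFFFF
    target.receive(Packet(server.ip, target.ip, "ACK", ack=predicted))
    # Step 3: clean up the half-open entries so the server recovers unnoticed.
    for src in flood_sources:
        server.receive(Packet(src, server.ip, "RST"))
    return "shell" if server.ip in target.sessions else "rejected"
```

mitnick_attack() returns "shell" against a target with a predictable ISN and a muted server, "rejected" when the server is still able to answer the SYN/ACK with a RST, and "ISN not predictable" when the probe finds no constant step. The real attack also depended on no other connection reaching the target between the last probe and the spoofed SYN, which would have moved the ISN by a further step.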
Detection
There is no single mechanism that detects the Mitnick attack; an analyst has to combine several. Both network-based and host-based intrusion detection systems (IDS) can contribute. A network-based IDS can flag the reconnaissance that precedes the attack (host and port scans, and the burst of short-lived connections used to sample the target's sequence numbers) as well as the SYN flood against the trusted server. On the host, two commonly used UNIX tools help: TCP wrappers log the source of every connection to services such as rlogin, so a connection from the trusted server at an unusual time shows up in the logs, and Tripwire detects changes to critical files such as .rhosts. For further details, refer to the book Network Intrusion Detection: An Analyst's Handbook by Stephen Northcutt (ISBN 0-7357-0868-1).
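As an added example (not from the page or from the book cited), three of the checks above run over a constructed, simplified packet log: the constant ISN step that a host can verify about its own SYN/ACKs, the SYN-then-RST probe pattern, and the half-open SYN flood against the trusted server. The log format, the host names, the 192.0.2.x addresses and the thresholds are all assumptions.

```python
"""Added example: three checks over a constructed, tcpdump-like packet log.
Format (assumed): "HH:MM:SS.fff src:port > dst:port FLAGS seq", FLAGS one of
S (SYN), SA (SYN/ACK), A (ACK), R (RST). Hosts and addresses are made up."""
import re
from dataclasses import dataclass

LINE = re.compile(r"^(\S+) (\S+) > (\S+) (SA|S|A|R) (\d+)$")

# Constructed log: three ISN-sampling probes against target:513 (SYN, then RST),
# a SYN flood of server:513 from eight unreachable addresses, and a handshake
# that appears to come from the trusted server while it is muted.
LOG = """\
14:18:22.516 attacker:600 > target:513 S 1382726990
14:18:22.566 target:513 > attacker:600 SA 2021824000
14:18:22.744 attacker:600 > target:513 R 1382726991
14:18:23.102 attacker:601 > target:513 S 1382726991
14:18:23.152 target:513 > attacker:601 SA 2021952000
14:18:23.327 attacker:601 > target:513 R 1382726992
14:18:23.685 attacker:602 > target:513 S 1382726992
14:18:23.735 target:513 > attacker:602 SA 2022080000
14:18:23.905 attacker:602 > target:513 R 1382726993
14:18:25.906 192.0.2.1:600 > server:513 S 1382726960
14:18:25.987 192.0.2.2:601 > server:513 S 1382726961
14:18:26.068 192.0.2.3:602 > server:513 S 1382726962
14:18:26.149 192.0.2.4:603 > server:513 S 1382726963
14:18:26.230 192.0.2.5:604 > server:513 S 1382726964
14:18:26.311 192.0.2.6:605 > server:513 S 1382726965
14:18:26.392 192.0.2.7:606 > server:513 S 1382726966
14:18:26.473 192.0.2.8:607 > server:513 S 1382726967
14:18:26.900 server:999 > target:513 S 1382727010
14:18:26.950 target:513 > server:999 SA 2022208000
14:18:27.100 server:999 > target:513 A 1382727011
"""


@dataclass
class Pkt:
    time: float
    src: str        # host:port
    dst: str
    flags: str
    seq: int

    @property
    def src_host(self):
        return self.src.rsplit(":", 1)[0]


def parse(log):
    pkts = []
    for line in log.splitlines():
        m = LINE.match(line)
        if m:                                   # lines in any other shape are skipped
            hms, src, dst, flags, seq = m.groups()
            h, mi, s = hms.split(":")
            t = int(h) * 3600 + int(mi) * 60 + float(s)
            pkts.append(Pkt(t, src, dst, flags, int(seq)))
    return pkts


def isn_step(pkts, min_samples=3):
    """Host-side check: do the SYN/ACKs we send use a constant ISN increment?
    Returns the step if so, else None."""
    isns = [p.seq for p in pkts if p.flags == "SA"]
    steps = {(b - a) & 0xFFFFFFFF for a, b in zip(isns, isns[1:])}
    return steps.pop() if len(isns) >= min_samples and len(steps) == 1 else None


def syn_rst_probes(pkts, min_probes=3, window=1.0):
    """SYN reset by its own sender within `window` seconds, repeated from one
    host: the sequence-number sampling that precedes the attack."""
    hits = {}
    for i, p in enumerate(pkts):
        if p.flags != "S":
            continue
        for q in pkts[i + 1:]:
            if q.time - p.time > window:
                break
            if q.flags == "R" and q.src == p.src and q.dst == p.dst:
                key = (p.src_host, p.dst)
                hits[key] = hits.get(key, 0) + 1
                break
    return {k: n for k, n in hits.items() if n >= min_probes}


def half_open_floods(pkts, threshold=5):
    """SYNs to one port whose sources never send an ACK: a flood that mutes it."""
    acked = {(p.src, p.dst) for p in pkts if p.flags == "A"}
    counts = {}
    for p in pkts:
        if p.flags == "S" and (p.src, p.dst) not in acked:
            counts[p.dst] = counts.get(p.dst, 0) + 1
    return {dst: n for dst, n in counts.items() if n >= threshold}


def analyze(log):
    pkts = parse(log)
    return {"isn_step": isn_step(pkts), "probes": syn_rst_probes(pkts),
            "floods": half_open_floods(pkts)}
```

On the constructed log, analyze() reports an ISN step of 128000, three SYN/RST probes from attacker against target:513, and eight half-open connections on server:513. A production IDS would evaluate the probe and flood checks over sliding time windows rather than the whole capture, and the ISN check is only meaningful on the host's own outgoing SYN/ACKs.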
Prevention
The Mitnick attack was possible because of weaknesses in early implementations of TCP.