The Mitnick attack

From Computing and Software Wiki

Revision as of 23:28, 12 November 2007 by Luongqt (Talk)


Who is Mitnick?

Kevin Mitnick (born October 6, 1963) is known as "the most famous" hacker in the US. He broke into Tsutomu Shimomura's computer (referred to below as the target) to steal information on December 25, 1994. He was captured by the FBI with the aid of Shimomura and sentenced to 5 years in prison. He is now a security consultant at his own firm, Mitnick Security Consulting.

Overview

Kevin Mitnick used IP spoofing and TCP (part of the Internet Protocol Suite) sequence number prediction to gain control of the target's computer. The Mitnick attack is a form of man-in-the-middle attack: it subverts the TCP three-way handshake.

How did it happen?

Preparation

First, Mitnick had to determine whether there was a trusted connection between the target and any of the servers it communicated with. He was also able to predict the sequence number in the TCP header of the target's SYN/ACK packet. Being able to predict that sequence number is what allowed Mitnick to pass himself off as the trusted server.

Step 1: SYN flooding

Mitnick continuously sent SYN packets with a forged source IP address to the server, so that the server was kept busy and could not respond to genuine requests. A server flooded in this way is considered muted: it cannot respond to any other requests.

Step 2: Hijacking

Mitnick spoofed the server's IP address and sent a request to establish a connection with the target.

Mitnick -----SYN-----> target : "I am your server and I want to connect to you"

The target accepted the request and began the three-way TCP handshake that is used to validate the peer's identity. To continue the handshake, the target sent a SYN/ACK packet to the server.

target -----SYN/ACK-----> server : "You requested a connection. Now I want to confirm that. Send me your confirmation please."

There are two cases now.

1. If the server really had sent the request, it would reply to the target with an ACK packet, and a trusted connection would be established.

target <-----ACK----- server : "Yes, I confirm. Let's connect!"

2. If the server had not sent the request, it would reply to the target with a RST (reset) packet, and the connection would be dropped.

target <-----RST----- server : "Sorry, I did not request it. There must be a mistake. Please drop the connection now."

But the server, which was muted, could not send a RST packet to the target. This is where Mitnick sent an ACK packet to the target and completed the three-way handshake. Because the SYN/ACK had gone to the real server, Mitnick never saw it; his ACK had to carry the sequence number he had predicted during the preparation step.

Mitnick -----ACK-----> target : "Yes, I confirm. Let's connect!"

The one-way connection was established. The target was now connected to Mitnick and would let him run commands on it.

Step 3: Cleaning up

After gaining access to the target, Mitnick did not want to draw attention by continuing to keep other users from logging into the server, so he sent out a series of RST packets to end the SYN flood against the server.

Detection

There is no specific mechanism for detecting the Mitnick attack, but a security analyst can combine several mechanisms to detect it. Basically, the attack can be detected by both network-based and host-based intrusion detection systems (IDS). For a network-based IDS, detection of port scans and host scans can reveal a potential attack. For a host-based IDS, the attack can be detected using two commonly used UNIX tools, TCP wrappers and Tripwire. For further details, refer to the book Network Intrusion Detection: An Analyst's Handbook by Stephen Northcutt (ISBN 0-7357-0868-1).
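As an added illustration of the network-side correlation described above (example code, not from the original page or Northcutt's book), the following Python detector runs over constructed packet records and raises two alerts: a SYN flood against a host, and then any new connection that claims to come from that host's IP while it is still muted. The addresses, the record layout, the threshold and the time window are all assumptions.

```python
from collections import defaultdict

# Constructed packet records, not captured traffic: (time_ms, src, dst, flags)
FLOOD_SRC = "10.9.9.9"    # forged, unreachable source used for the SYN flood
SERVER = "192.0.2.10"     # the trusted server that gets muted
TARGET = "192.0.2.20"     # the target host in the page's narrative

SAMPLE = (
    # 1) SYN flood: 30 SYNs to SERVER in 300 ms, none of them ever ACKed
    [(i * 10, FLOOD_SRC, SERVER, "SYN") for i in range(30)]
    # 2) while SERVER is muted, a "SERVER" -> TARGET handshake completes
    + [(500, SERVER, TARGET, "SYN"),
       (510, TARGET, SERVER, "SYN/ACK"),
       (520, SERVER, TARGET, "ACK")]
    # 3) an ordinary handshake from another host: must not alert
    + [(1000, "192.0.2.30", TARGET, "SYN"),
       (1010, TARGET, "192.0.2.30", "SYN/ACK"),
       (1020, "192.0.2.30", TARGET, "ACK")]
)


def detect(packets, flood_threshold=20, window_ms=1000):
    """Return alerts as tuples. Rule 1 flags a destination that receives
    `flood_threshold` SYNs inside a sliding window. Rule 2 flags a SYN whose
    source is a host that is currently flooded: a muted host should not be
    opening new connections, so such a SYN is a likely spoof of its address."""
    alerts = []
    syn_times = defaultdict(list)   # dst -> arrival times of recent SYNs
    last_flood = {}                 # host -> last time it was seen flooded
    for t, src, dst, flags in sorted(packets):
        if flags != "SYN":
            continue                # only SYNs matter for both rules
        recent = [x for x in syn_times[dst] if t - x <= window_ms] + [t]
        syn_times[dst] = recent
        if len(recent) == flood_threshold:      # alert once per flood
            alerts.append(("syn_flood", dst, t))
        if len(recent) >= flood_threshold:
            last_flood[dst] = t
        if src in last_flood and t - last_flood[src] <= window_ms:
            alerts.append(("spoofed_trusted_host", src, dst, t))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

The second rule is a correlation rather than proof of spoofing, so in practice it would be paired with the host-side checks the text mentions, such as TCP wrappers logs showing a trusted host connecting at an unusual time.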

Prevention

The Mitnick attack was possible due to weaknesses in early implementations of TCP.

External links

An interview with Mitnick
