The Mitnick attack
From Computing and Software Wiki
Who is Mitnick?
Kevin Mitnick (born October 6, 1963) is known as "the most famous" hacker in the US. He hacked into Tsutomu Shimomura's computer (referred to below as the target) to steal information on December 25, 1994. He was captured by the FBI with the aid of Tsutomu and sentenced to 5 years in prison.
Overview
The Mitnick attack exploited a weakness of rsh, combining IP spoofing with TCP sequence number prediction to gain control of the target's computer.
How can it happen?
First, Mitnick had to determine whether there was a trusted connection between the target and any server it was connected to. If there was, he could start the attack.
Step 1: IP spoofing (I am Tsutomu!)
Mitnick spoofed Tsutomu's IP address and sent a request to establish a connection with the server.
Mitnick -----SYN-----> server : "I am Tsutomu and I want to connect to you"
The server accepted his request and began the three-way TCP handshake to validate the identity of the client. To perform the handshake, the server sent a SYN/ACK packet to the target's IP address, since that was the source address on the request.
server -----SYN/ACK-----> target : "You requested a connection. Now I want to confirm that. Send me your confirmation please."
There are now two cases.
1. If the target had sent the request, it would send back an ACK packet to the server, and a trusted connection would be established.
server <-----ACK----- target : "Yes, I confirm. Let's connect!"
2. If the target had not sent a request, it would send back a RST (reset) packet to the server, and the connection would be dropped.
server <-----RST----- target : "Sorry, I did not request it. There must be a mistake. Please drop the connection now."
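The two cases above can be seen in a small simulation of the handshake. This is an added example, not code from the wiki page: it models a server and a target as in-memory state machines (host names "target" and "server", the Packet and Host classes, and the constructed sequence number 12345 are all assumptions of the example), with no real sockets. The point it makes is the defender's one: the network routes only by destination address and never checks the source, so the SYN/ACK goes to whoever the SYN claimed to be, and the server's only defence is that the final ACK must come back with the right acknowledgement number. A target that did not ask for the connection answers with RST and the half-open entry is discarded.

```python
"""Three-way handshake simulation for the two cases on the page (constructed example)."""
import secrets
from dataclasses import dataclass


@dataclass
class Packet:
    src: str        # source IP as written in the header (never verified by the network)
    dst: str
    flags: str      # "SYN", "SYN/ACK", "ACK" or "RST"
    seq: int = 0
    ack: int = 0


class Host:
    def __init__(self, ip, isn_generator=lambda: secrets.randbits(32)):
        self.ip = ip
        self.isn_generator = isn_generator   # random ISN, as a modern stack would use
        self.sent_syn = {}      # peer_ip -> our ISN, for connections we initiated
        self.half_open = {}     # peer_ip -> our ISN, for SYNs we answered with SYN/ACK
        self.established = set()

    def connect(self, peer_ip):
        """Genuinely initiate a connection (what the target does in case 1)."""
        isn = self.isn_generator()
        self.sent_syn[peer_ip] = isn
        return Packet(self.ip, peer_ip, "SYN", seq=isn)

    def receive(self, pkt):
        """Handle one incoming packet; return the reply packet or None."""
        if pkt.flags == "SYN":
            isn = self.isn_generator()
            self.half_open[pkt.src] = isn
            return Packet(self.ip, pkt.src, "SYN/ACK", seq=isn, ack=pkt.seq + 1)
        if pkt.flags == "SYN/ACK":
            if pkt.src in self.sent_syn and pkt.ack == self.sent_syn[pkt.src] + 1:
                # Case 1: we did request this connection, so confirm it.
                del self.sent_syn[pkt.src]
                self.established.add(pkt.src)
                return Packet(self.ip, pkt.src, "ACK", ack=pkt.seq + 1)
            # Case 2: we never sent a SYN to this peer, so ask it to drop the connection.
            return Packet(self.ip, pkt.src, "RST")
        if pkt.flags == "ACK":
            # Only an ACK carrying our ISN + 1 completes the handshake.
            if pkt.src in self.half_open and pkt.ack == self.half_open[pkt.src] + 1:
                del self.half_open[pkt.src]
                self.established.add(pkt.src)
            return None
        if pkt.flags == "RST":
            self.half_open.pop(pkt.src, None)
            return None
        return None


class Network:
    def __init__(self, *hosts):
        self.hosts = {h.ip: h for h in hosts}
        self.trace = []

    def deliver(self, pkt):
        """Route each packet by destination IP only, following replies until silence."""
        while pkt is not None:
            self.trace.append(f"{pkt.src} --{pkt.flags}--> {pkt.dst}")
            pkt = self.hosts[pkt.dst].receive(pkt)
        return self.trace


def genuine_connection():
    """Case 1: the target really sends the SYN, so it ACKs the server's SYN/ACK."""
    target, server = Host("target"), Host("server")
    net = Network(target, server)
    net.deliver(target.connect("server"))
    return "target" in server.established, net.trace


def spoofed_syn():
    """Case 2: a SYN arrives with the target's address as source, but the target
    never asked for it, so it answers the SYN/ACK with RST and the server drops it."""
    target, server = Host("target"), Host("server")
    net = Network(target, server)
    net.deliver(Packet("target", "server", "SYN", seq=12345))   # constructed spoofed SYN
    return "target" in server.established, net.trace


if __name__ == "__main__":
    for name, fn in (("genuine", genuine_connection), ("spoofed", spoofed_syn)):
        ok, trace = fn()
        print(f"{name}: established={ok}")
        for line in trace:
            print("   ", line)
```

Running the block prints both traces: the genuine case ends with `target --ACK--> server` and an established connection, while the spoofed case ends with `target --RST--> server` and nothing established. The `half_open` check on the ACK branch is also where the second half of the attack described in the overview matters: the server trusts any ACK carrying its ISN + 1, which is why unpredictable initial sequence numbers are the mitigation TCP stacks adopted.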