The Mitnick attack

From Computing and Software Wiki


Revision as of 20:36, 10 November 2007

Who is Mitnick?

Kevin Mitnick (born October 6, 1963) is often called the most famous hacker in the US. On December 25, 1994 he broke into a computer belonging to Tsutomu Shimomura (referred to below as the target) and copied files from it. He was arrested by the FBI in February 1995 with Shimomura's help and was sentenced to about five years in prison.

Overview

The Mitnick attack combined IP spoofing with TCP sequence number prediction to gain a shell on the target. The target trusted a particular server for rsh (remote shell): a connection that appeared to come from that server's IP address could run commands without a password. Mitnick forged the server's address and completed the TCP three-way handshake blind, without ever seeing the target's replies. The attack is sometimes described as a man-in-the-middle attack, but Mitnick was never between the two hosts; it is a blind spoofing attack, and its precondition is that the target accepts an IP address as proof of identity.

How did it happen?

First, Mitnick had to find a server that the target trusted, that is, a host from which rsh connections were accepted without a password. Once such a trust relationship was known, the attack could begin.

Preparation

Mitnick probed the target by opening a series of ordinary TCP connections to it from his own machine and reading the initial sequence number (ISN) in each SYN/ACK. The target's ISN increased by a fixed amount (128,000) for every new connection, so the ISN it would use for the next connection could be predicted. Knowing that value in advance is what let him answer a SYN/ACK he would never see, and so pass as the server.

Step 1: SYN flooding

Mitnick flooded the server's login port with SYN packets whose source addresses were spoofed to hosts that would never answer. Each SYN left a half-open connection in the server's queue; because the spoofed hosts never sent the final ACK (or a RST), the queue filled up and the server stopped responding to anything arriving on that port. The point was not denial of service for its own sake: a silent server cannot send the RST that would otherwise kill the forged connection in step 2.

Step 2: Hijacking

Mitnick sent the target a SYN with the server's IP address as its source address, asking to open an rsh connection.

Mitnick -----SYN-----> target : "I am your server and I want to connect to you"

The target answered as it would any connection request: it sent a SYN/ACK, carrying its own initial sequence number, to the address the SYN claimed to come from, that is, to the real server. Mitnick never saw this packet.

target -----SYN/ACK-----> server : "You requested a connection. Now I want to confirm that. Send me your confirmation please."

Normally one of two things happens next.

1. If the server really had sent the SYN, it replies with an ACK whose acknowledgement number is the target's sequence number plus one, and a trusted connection is established.

target <-----ACK----- server : "Yes, I confirm. Let's connect!"

2. If the server had not sent the SYN, it replies with a RST (reset) packet, and the target drops the half-open connection.

target <-----RST----- server : "Sorry, I did not request it. There must be a mistake. Please drop the connection now."

Because the server's connection queue was still full from step 1, it did nothing with the unexpected SYN/ACK: no RST was sent, and the target kept waiting for the final ACK. Mitnick supplied that ACK himself, again with the server's address as source, setting its acknowledgement number to the predicted sequence number plus one. The target, seeing exactly the number it expected, completed the handshake.

Mitnick -----ACK-----> target : "Yes, I confirm. Let's connect!"

The connection was one-way: everything the target sent went to the real server, so Mitnick could not read any output. But the target now believed it was talking to a trusted host, and rsh executed whatever command arrived on the connection. In the actual attack that command was "echo + + >> /.rhosts", which told the target to trust every user from every host, so that afterwards Mitnick could simply log in from his own machine.

Step 3: Cleaning up

Once he was in, Mitnick sent a RST for each of the half-open connections created in step 1. This emptied the server's queue so that legitimate users could log in again; a server that stayed unreachable would have drawn attention to the attack.
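The whole procedure, from the ISN probe through the SYN flood, the blind handshake and the cleanup, as an added simulation. This is example code written for this page, not code from the wiki or from Shimomura's analysis: the hosts are in-process Python objects, no packets are sent, and the addresses, the backlog size of 8, the probe sequence number and the "attacker" name are assumptions. The simulation models the flooded server as silently discarding everything that reaches its full port, which is the behaviour the attack relied on. It also goes slightly beyond the text: run_attack can be called without the SYN flood, and with a target that picks random ISNs, to show why each of the two preconditions is needed.

```python
# Added simulation of the attack described on this page: in-process hosts, no real sockets.
import itertools
import random
from dataclasses import dataclass

MASK = 0xFFFFFFFF   # TCP sequence numbers are 32-bit


@dataclass
class Segment:
    src: str            # source address; the attacker may forge it
    dst: str
    flags: str          # "SYN", "SYN/ACK", "ACK", "RST" or "DATA"
    seq: int = 0
    ack: int = 0
    data: str = ""


class Host:
    """Minimal TCP endpoint: a bounded half-open queue plus an ISN generator."""

    def __init__(self, name, next_isn, backlog=8):
        self.name, self.next_isn, self.backlog = name, next_isn, backlog
        self.half_open = {}       # peer address -> our ISN, waiting for the peer's ACK
        self.established = set()
        self.commands = []        # what the rsh service would have executed

    def receive(self, seg):
        """Handle one segment; return a reply, or None when the host stays silent."""
        full = len(self.half_open) >= self.backlog
        if seg.flags == "SYN":
            if full:                                  # queue full: SYN dropped silently
                return None
            isn = self.half_open[seg.src] = self.next_isn()
            return Segment(self.name, seg.src, "SYN/ACK", seq=isn, ack=seg.seq + 1)
        if seg.flags == "SYN/ACK":                    # unsolicited: RST unless flooded
            return None if full else Segment(self.name, seg.src, "RST", seq=seg.ack)
        if seg.flags == "ACK":
            isn = self.half_open.get(seg.src)
            if isn is not None and seg.ack == (isn + 1) & MASK:
                del self.half_open[seg.src]
                self.established.add(seg.src)         # handshake complete
        elif seg.flags == "RST":
            self.half_open.pop(seg.src, None)
            self.established.discard(seg.src)
        elif seg.flags == "DATA" and seg.src in self.established:
            self.commands.append(seg.data)            # trusted peer: command runs
        return None


def probe_isn(target, probes=3, me="attacker"):
    """Preparation: connect from the attacker's own address, record each ISN, tear down."""
    isns = []
    for _ in range(probes):
        synack = target.receive(Segment(me, target.name, "SYN", seq=1000))
        isns.append(synack.seq)
        target.receive(Segment(me, target.name, "RST", seq=synack.ack))
    deltas = {(b - a) & MASK for a, b in zip(isns, isns[1:])}
    return isns[-1], (deltas.pop() if len(deltas) == 1 else None)  # one delta = predictable


def run_attack(target_isn, flood=True, backlog=8):
    """Return (spoofed connection accepted?, commands the target ran, server entries left)."""
    target = Host("target", target_isn, backlog)
    server = Host("server", lambda: 0, backlog)       # the server's own ISNs never matter
    last_isn, delta = probe_isn(target)
    decoys = [f"10.0.0.{i}" for i in range(backlog)]   # assumed unreachable spoofed sources
    if flood:                                          # Step 1: fill the server's queue;
        for i, decoy in enumerate(decoys):             # its SYN/ACK replies go nowhere
            server.receive(Segment(decoy, "server", "SYN", seq=i))
    my_seq = 5000                                      # Step 2: SYN "from" the server
    synack = target.receive(Segment("server", "target", "SYN", seq=my_seq))
    rst = server.receive(synack)      # the SYN/ACK goes to the real server, not to us
    if rst is not None:
        target.receive(rst)           # an unflooded server resets the half-open connection
    guess = (last_isn + (delta if delta is not None else 128000)) & MASK
    target.receive(Segment("server", "target", "ACK", seq=my_seq + 1, ack=(guess + 1) & MASK))
    hijacked = "server" in target.established
    if hijacked:                      # blind rsh command, as in the real attack
        target.receive(Segment("server", "target", "DATA", seq=my_seq + 1,
                               ack=(guess + 1) & MASK, data="echo + + >> /.rhosts"))
    for decoy in decoys:              # Step 3: free the server's queue again
        server.receive(Segment(decoy, "server", "RST"))
    return hijacked, target.commands, len(server.half_open)


def counter_isn(start, step=128000):
    """ISN grows by a fixed step per connection, as Shimomura reported for the real target."""
    c = itertools.count(start, step)
    return lambda: next(c) & MASK


def random_isn(seed=7):
    """32 random bits per connection: the attacker's probe finds no usable delta."""
    rng = random.Random(seed)
    return lambda: rng.getrandbits(32)
```

run_attack(counter_isn(0x10000000)) reproduces the page: the forged ACK carries the right number, the target marks the server's address as connected, and the rsh command is accepted. Leaving out the flood (flood=False) lets the real server answer the stray SYN/ACK with a RST, which kills the half-open connection before the forged ACK arrives; giving the target random ISNs (random_isn()) leaves the attacker with no delta to extrapolate, so the guessed acknowledgement number is rejected. Those two failures are exactly the two defences that followed: SYN cookies and queue limits on the server side, and randomised ISNs (RFC 1948 and later RFC 6528) on the target side.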
