The Mitnick attack

From Computing and Software Wiki

Revision as of 20:36, 10 November 2007 by Luongqt (Talk)
Jump to: navigation, search

Contents

Who is Mitnick?

Kevin Mitnick(born October 6, 1963) is known as "the most famous" hacker in US. He hacked into Tsutomu Shimomura's computer(referred as the target) to steal information on December 25, 1994. He was captured by the FBI with the aid of Tsutomu and sentenced 5 years in prisons.

Overview

Kevin Mitnick used IP spoofing, TCP sequence number prediction to gain access control of target's computer. The Mitnick attack is a form of Man-in-the-middle attack. It corrupted the three-way handshake.

How did it happpen?

First, Mitnick had to determine if there is a trusted connection between the target and any servers that it is connected to. If there is, he now can start the attack.

Preparation

Mitnick was able to predict the sequence number in the TCP header of the SYN/ACK packet. Being able to predict the sequence number allowed Mitnick to validate himself as the server.

Step 1: SYN flooding

Mitnick sent SYN packets with fake IP address to the server continuously to keep the server from responding to genuine requests.

Step 2: Hijacking

Mitnick spoofed the server's IP address and sent a request to ebtablish a connection with the target.

Mitnick -----SYN-----> target : "I am your server and I want to connect to you"

The target accepted his request and demanded a three-way TCP connection handshake to validate the identity. To perform a three-way handshake, the target sent an SYN/ACK packet to the server.

target -----SYN/ACK-----> server : "You requested a connection. Now I want to confirm that. Send me your confirmation please."

There are two cases now.

1. If the server did send a request, it would send back an ACK packet to the server. A trusted connection is established.

target <-----ACK----- server : "Yes, I confirm. Let's connect!"

2. If the server did not send a request, it would send back a RST packet(RESET packet) to the server. The connection is dropped.

target <-----RST----- server : "Sorry, I did not request it. There must be a mistake. Please drop the connection now."

Apparently, the server, which was being muted, could not send a RST packet to the target. This is where Mitnick sent an ACK packet to the target and completed three-way handshake.

 Mitnick -----ACK----->target : "Yes, I confirm. Let's connect!"

The one way connectiong is established. Now the target was connected to Mitnick and would allow him to run any commands on the target.

Step 3: Cleaning up

After successfully hacking into the target, he didn't want any attentions by keeping other users from logging into the server by sending out a series of RSTs to stop flooding the server.

Personal tools