1
Mitnick Attack
2
REFERENCE: Ghost in the Wires, Kevin Mitnick & Tsutomu Shimomura
Baike.baidu.com entry on Tsutomu Shimomura (下村勉)
3
WHO IS THIS GUY?
4
IDENTIFYING TRUST RELATIONSHIPS
Mitnick used IP spoofing to identify the trust relationship.
14:09:32 toad.com# finger
14:10:21 toad.com# finger
14:10:50 toad.com# finger -l
14:11:07 toad.com# finger
14:11:38 toad.com# showmount -e x-terminal
14:11:49 toad.com# rpcinfo -p x-terminal
14:12:05 toad.com# finger -l
The finger command checks whether anyone is logged on. showmount -e lists the file systems the host exports over the Network File System (NFS). rpcinfo -p lists the RPC services registered on the host.
5
[Diagram: attacker, server and x-terminal. Labels: "Send SYNs" (server silenced); "Open 20 connections to predict the sequence no."; "Send SYN/ACK" and "Send SYN/ACK-ACK" between attacker and x-terminal; "Send RESETs to empty server connection queue".]
6
SYN-Flooding
Six minutes later, a flurry of TCP SYNs (initial connection requests) from to port 513 (login) on server. The purpose of these SYNs is to fill the connection queue for port 513 on server with "half-open" connections, so that it will not respond to any new connection requests. In particular, it will not generate TCP RSTs in response to unexpected SYN-ACKs. The server is thereby silenced.
7
SYN-Flooding (cont.)
14:18: > server.login: S : (0) win
14:18: > server.login: S : (0) win
14:18: > server.login: S : (0) win
14:18: > server.login: S : (0) win
14:18: > server.login: S : (0) win
14:18: > server.login: S : (0) win
14:18: > server.login: S : (0) win
14:18: > server.login: S : (0) win
14:18: > server.login: S : (0) win
14:18: > server.login: S : (0) win
14:18: > server.login: S : (0) win
14:18: > server.login: S : (0) win
14:18: > server.login: S : (0) win
14:18: > server.login: S : (0) win
14:18: > server.login: S : (0) win
14:18: > server.login: S : (0) win
14:18: > server.login: S : (0) win
14:18: > server.login: S : (0) win
14:18: > server.login: S : (0) win
14:18: > server.login: S : (0) win
14:18: > server.login: S : (0) win
14:18: > server.login: S : (0) win
14:18: > server.login: S : (0) win
14:18: > server.login: S : (0) win
14:18: > server.login: S : (0) win
14:18: > server.login: S : (0) win
14:18: > server.login: S : (0) win
14:18: > server.login: S : (0) win
14:18: > server.login: S : (0) win
14:18: > server.login: S : (0) win 4096
8
SYN-Flooding (cont.)
20 connection attempts from apollo.it.luc.edu to x-terminal.shell. The purpose of these attempts is to determine the behavior of x-terminal's TCP sequence number generator.
+++
14:18: apollo.it.luc.edu.1000 > x-terminal.shell: S : (0) win 4096
14:18: x-terminal.shell > apollo.it.luc.edu.1000: S : (0) ack win 4096
14:18: apollo.it.luc.edu.1000 > x-terminal.shell: R : (0) win 0
14:18: apollo.it.luc.edu.999 > x-terminal.shell: S : (0) win 4096
14:18: x-terminal.shell > apollo.it.luc.edu.999: S : (0) ack win 4096
14:18: apollo.it.luc.edu.999 > x-terminal.shell: R : (0) win 0
9
SYN-Flooding (cont.)
The sequence number in x-terminal's SYN/ACK from the second set of packets is . The sequence number in the preceding set's SYN/ACK is . The difference is 128,000. Tracing down the rest of the sets, we find that the 128,000 step repeats. So any time we send a SYN to x-terminal, the SYN/ACK will come back with a sequence number 128,000 higher than the previous one, as long as it is the next connection.
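The two traffic patterns on the SYN-flooding slides, the burst of unanswered SYNs to server.login and the constant 128,000 step in x-terminal's initial sequence numbers, are both visible to a defender in a packet capture. The following Python script is an added example, not code from the presentation or from Shimomura's published trace. It builds a constructed tcpdump-style trace (hypothetical source address 203.0.113.5, hypothetical sequence numbers) in the same line shape as the slides, then detects a half-open SYN flood per destination and measures whether a responder's ISN generator is predictable from the deltas between consecutive SYN/ACKs. The function names (parse_trace, detect_syn_floods, isn_step) are this example's own.

```python
import re
from collections import defaultdict

# Regex for the tcpdump line shape shown on the slides:
#   HH:MM:SS.usec src > dst: FLAGS seq:seq(len) [ack N] win W
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d(?:\.\d+)?)\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+"
    r"(?P<flags>[SRPF.]+)\s*(?:(?P<seq>\d+):\d+\(\d+\))?\s*"
    r"(?:ack\s+(?P<ack>\d+))?\s*win\s+(?P<win>\d+)"
)


def build_sample_trace():
    """Constructed trace (hypothetical addresses and numbers, not Shimomura's capture):
    30 SYNs to server.login that are never answered, then 20 probe connections to
    x-terminal.shell whose SYN/ACK initial sequence numbers step by exactly 128000."""
    lines = []
    for i in range(30):
        seq = 1382726960 + i
        lines.append(f"14:18:{22 + i // 10:02d}.{(i % 10) * 100000:06d} 203.0.113.5.{600 + i} "
                     f"> server.login: S {seq}:{seq}(0) win 4096")
    isn = 2021824000
    for i in range(20):
        port, seq = 1000 - i, 1382726960 + 100 * i
        sec, usec = 25 + i // 10, (i % 10) * 100000
        lines.append(f"14:18:{sec:02d}.{usec:06d} apollo.it.luc.edu.{port} "
                     f"> x-terminal.shell: S {seq}:{seq}(0) win 4096")
        lines.append(f"14:18:{sec:02d}.{usec + 10000:06d} x-terminal.shell "
                     f"> apollo.it.luc.edu.{port}: S {isn}:{isn}(0) ack {seq + 1} win 4096")
        lines.append(f"14:18:{sec:02d}.{usec + 20000:06d} apollo.it.luc.edu.{port} "
                     f"> x-terminal.shell: R {seq + 1}:{seq + 1}(0) win 0")
        isn += 128000
    return "\n".join(lines)


def ts_seconds(ts):
    """Convert HH:MM:SS.frac into seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_trace(text):
    """Parse tcpdump-style lines into dicts; lines in other formats are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        packets.append({"t": ts_seconds(d["ts"]), "src": d["src"], "dst": d["dst"],
                        "flags": d["flags"],
                        "seq": int(d["seq"]) if d["seq"] else None,
                        "ack": int(d["ack"]) if d["ack"] else None})
    return packets


def detect_syn_floods(packets, window=5.0, threshold=10):
    """Map destination -> largest number of unanswered SYNs seen within `window` seconds,
    reported only when it reaches `threshold` (half-open connection flood)."""
    # A SYN from A to B is answered if B sent a SYN/ACK (SYN with an ack field) back to A.
    answered = {(p["dst"], p["src"]) for p in packets if "S" in p["flags"] and p["ack"] is not None}
    pending = defaultdict(list)
    for p in packets:
        if "S" in p["flags"] and p["ack"] is None and (p["src"], p["dst"]) not in answered:
            pending[p["dst"]].append(p["t"])
    alerts = {}
    for dst, times in pending.items():
        times.sort()
        best = start = 0
        for end in range(len(times)):          # sliding window over SYN timestamps
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts[dst] = best
    return alerts


def isn_deltas(packets, responder):
    """Differences between consecutive initial sequence numbers in `responder`'s SYN/ACKs."""
    isns = [p["seq"] for p in sorted(packets, key=lambda p: p["t"])
            if p["src"] == responder and "S" in p["flags"] and p["ack"] is not None]
    return [b - a for a, b in zip(isns, isns[1:])]


def isn_step(packets, responder):
    """Return the constant ISN increment if every delta is identical (predictable
    generator), else None. Fewer than two deltas is treated as inconclusive."""
    deltas = isn_deltas(packets, responder)
    if len(deltas) < 2 or len(set(deltas)) != 1:
        return None
    return deltas[0]


if __name__ == "__main__":
    pkts = parse_trace(build_sample_trace())
    print("half-open SYN floods:", detect_syn_floods(pkts))
    print("x-terminal ISN step:", isn_step(pkts, "x-terminal.shell"))
```

On the constructed trace the flood detector reports 30 unanswered SYNs against server.login inside one window, and the ISN check reports a step of 128000 for x-terminal.shell; a stack with randomized ISNs yields varying deltas and no step. The same two checks are what a network IDS does for "SYN flood" and what a port scanner's ISN-predictability test does for a host, so a defender can run them against their own hosts before an attacker does.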
10
Setting Up The System Compromise/ Hijacking
A forged SYN (connection request), allegedly from server.login to x-terminal.shell. The assumption is that x-terminal trusts server, so x-terminal will do whatever server (or anything masquerading as server) asks. x-terminal then replies to server with a SYN-ACK, which must be ACK'd for the connection to be opened. Because server is ignoring packets sent to server.login, the ACK must be forged as well.
14:18: server.login > x-terminal.shell: S : (0) win
14:18: server.login > x-terminal.shell: . ack win 4096
11
Setting Up The System Compromise/ Hijacking (cont.)
In the first line, x-terminal is stimulated by server to open the connection. Server never sees the SYN/ACK, which is why it is missing from the trace. Mitnick, however, knows to add 128,000 plus 1 to the initial sequence number that x-terminal proposed in its SYN/ACK. After the lone ACK, the connection is open. With the real server disabled by the SYN flood, the trusted connection is used to execute the following UNIX command with rsh: rsh x-terminal "echo + + >>/.rhosts".
12
Setting Up The System Compromise/ Hijacking (cont.)
The result is that x-terminal trusts, as root, all computers and all users on those computers (as already discussed). The trace is as follows:
14:18: server.login > x-terminal.shell: P 0:2(2) ack 1 win 4096
14:18: server.login > x-terminal.shell: P 2:7(5) ack 1 win 4096
14:18: server.login > x-terminal.shell: P 7:32(25) ack 1 win 4096
At this point the connection is terminated by sending a FIN. Mitnick can now log on to x-terminal from the computer of his choice and execute any command. The target system, x-terminal, is compromised:
14:18: server.login > x-terminal.shell: . ack 2 win 4096
14:18: server.login > x-terminal.shell: . ack 3 win 4096
14:18: server.login > x-terminal.shell: F 32:32(0) ack 3 win 4096
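The "+ +" line written into root's /.rhosts is the wildcard that makes every host and every user trusted. The following Python script is an added example, not code from the presentation; it audits .rhosts and hosts.equiv content for the wildcard and netgroup entries that grant that kind of trust, and checks a file's permissions. The sample file contents and host names (buildhost.example.net and so on) are constructed for the example, and the function names are this example's own.

```python
import os
import stat

# Constructed sample .rhosts content (hypothetical hosts, not from the compromised machine).
# Line 6 is the "+ +" entry the rsh command on the slides appends.
SAMPLE_RHOSTS = """\
# trusted build host
buildhost.example.net
server.example.net  alice
-badhost.example.net
+@trusted_netgroup
+ +
+
"""


def parse_rhosts(text):
    """Return (line_no, host, user) for each non-comment entry.
    Entries are 'host [user]': '+' is a wildcard, '+@name' and '-@name'
    refer to netgroups, and a leading '-' is an explicit deny."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        entries.append((n, fields[0], fields[1] if len(fields) > 1 else None))
    return entries


def audit_rhosts(text):
    """Return findings as (line_no, severity, reason); an empty list means
    no wildcard or netgroup trust was found (host-specific entries remain)."""
    findings = []
    for n, host, user in parse_rhosts(text):
        if host.startswith("-"):
            continue  # deny entry, never widens trust
        if host == "+" and user == "+":
            findings.append((n, "CRITICAL", "any user on any host may log in without a password"))
        elif host == "+":
            who = user or "the same username"
            findings.append((n, "CRITICAL", f"any host is trusted for {who}"))
        elif user == "+":
            findings.append((n, "HIGH", f"every user on {host} is trusted"))
        elif host.startswith("+@") or (user or "").startswith("+@"):
            findings.append((n, "MEDIUM", "netgroup-based trust; verify the netgroup membership"))
    return findings


def audit_rhosts_file(path):
    """Audit one file on disk: permission findings (line 0) plus entry findings."""
    findings = []
    st = os.stat(path)
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append((0, "HIGH", "file is group- or world-writable"))
    with open(path, encoding="utf-8", errors="replace") as fh:
        findings.extend(audit_rhosts(fh.read()))
    return findings


if __name__ == "__main__":
    for line_no, severity, reason in audit_rhosts(SAMPLE_RHOSTS):
        print(f"line {line_no}: {severity}: {reason}")
```

Even a host-specific entry is trust decided by the peer's source address and claimed username alone, which is exactly what the forged connection on these slides exploits; the audit finds the worst entries, but the durable fix is to remove /.rhosts and hosts.equiv and disable the r-services in favour of authenticated remote access.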
13
Setting Up The System Compromise/ Hijacking (cont.)
If Mitnick were now to leave the computer named server in its mute state and someone else tried to rlogin, that login would fail, which might draw unwanted attention to the situation. Therefore, the connection queue is emptied with a series of RESETs.
14:18: > server.login: R : (0) win
14:18: > server.login: R : (0) win
14:18: > server.login: R : (0) win
14:18: > server.login: R : (0) win
14:18: > server.login: R : (0) win 4096
…
14
[Diagram: repeat of the attack overview from slide 5 (attacker, server and x-terminal; SYNs to silence server, 20 connections to predict the sequence number, forged SYN/ACK-ACK, RESETs to empty the server connection queue).]
15
THE END