On February 19th, 1995, Kevin Mitnick was arrested in Raleigh, NC on charges
of violating the Cellular Piracy Act by making cellular phone calls on a
cloned phone. His arrest was precipitated by the intrusion into the system
of computer security consultant Tsutomu Shimomura on Christmas Day in 1994.
While much was written by the media concerning Mitnick's alleged criminal
career, no technical description of the techniques used for the intrusion was
published. Fortunately, Shimomura's system logged the intrusion, and his
description of the intrusion was e-mailed to various security administrators
on the internet.
This article is a technical description of the methods used to infiltrate
Shimomura's system. The techniques described can easily be used to penetrate
a UNIX system using TCP sequence number prediction. To do so requires a
program (not described here, but easily implemented) to generate TCP packets.
An understanding of TCP protocol data units is useful in following the
discussion. A great deal of the following information is taken from the
description of the break in provided by Shimomura. Thanks and credit where
credit is due. Now on to the hack.
The following names are used to describe the various machines involved:
server = a SPARCstation running Solaris 1 serving an X terminal
X-terminal = a diskless SPARCstation running Solaris 1
target = the apparent primary target of the attack
The first step of the attack involved determining the machine configuration of the target system. The IP spoofing attack began with the following commands
being issued from a machine identified as toad.com:
finger -l @target
finger -l @server
finger -l @X-terminal
finger -l root@server
finger -l root@X-terminal
The finger commands generate a display of the user's login name, real name,
terminal name, write status, idle time, login time, office location and office
phone number. The -l option displays the user's home directory, home phone
number, login shell, and contents of the .forward, .plan, and .project files
for the user's home directory, if they exist.
showmount -e X-terminal
The showmount command displays the names of all hosts that have NFS file
systems mounted on the X-terminal machine. The -e option shows the export
list for X-terminal.
rpcinfo -p X-terminal
The rpcinfo command displays the connections of the port mapper of X-terminal.
The -p option displays the programs that are currently being tracked by the
port mapper.
The above commands would indicate whether some kind of trust relationship
existed between the systems, and how that trust relationship could be
exploited with an IP spoofing attack.
The source port numbers for the showmount and rpcinfo commands indicated that
the attacker was logged in as root on toad.com.
The second step involved generating a large number of TCP initial connection
requests (SYNs) in order to fill up the connection queue for port 513 on the
server with "half-open" connections. This ensures that the server will not
respond to any new connection requests. In particular, it will not generate
TCP RSTs in response to unexpected SYN-ACKs. Port 513 is a privileged port,
and will allow server.login to be used as the putative source for an address
spoofing attack on the UNIX "r-services" (rsh, rlogin). 130.92.6.97 is a
non-existent address that will not generate a response to packets sent to it.
Below is a portion of Shimomura's log showing some of the generated SYN
records:
14:18:22.516699 130.92.6.97.600 > server.login: S 1382726960:1382726960(0) win 4096
14:18:22.566069 130.92.6.97.601 > server.login: S 1382726961:1382726961(0) win 4096
14:18:22.744477 130.92.6.97.602 > server.login: S 1382726962:1382726962(0) win 4096
14:18:22.830111 130.92.6.97.603 > server.login: S 1382726963:1382726963(0) win 4096
The server generated SYN-ACKs for the first eight SYN requests before the
connection queue filled up. The machine would periodically retransmit the
SYN-ACKs as there is no ACK response to them.
The third step involved sending a series of SYN packets to determine the
behavior of the TCP sequence number generator. This allows for the prediction
of what the sequence number of the SYN-ACK from the target machine would be,
and for subsequent simulation of the response to that machine. Note that the
initial sequence numbers increment by one for each connection, indicating that
the SYN packets are not being generated by the system's TCP implementation.
This cause the generation of TCP RSTs in response to each unexpected SYN-ACK,
so the connection queue on x-terminal does not fill up. The source machine
for the connection requests is apollo.it.luc.edu.
Below is a portion of the log showing two of the server's responses:
14:18:25.906002 apollo.it.luc.edu.1000 > x-terminal.shell: S 1382726990:1382726 990(0) win 4096
14:18:26.094731 x-terminal.shell > apollo.it.luc.edu.1000: S 2021824000:2021824 000(0) ack 1382726991 win 4096
14:18:26.172394 apollo.it.luc.edu.1000 > x-terminal.shell: R 1382726991:1382726 991(0) win 0
14:18:26.507560 apollo.it.luc.edu.999 > x-terminal.shell: S 1382726991:13827269 91(0) win 4096
14:18:26.694691 x-terminal.shell > apollo.it.luc.edu.999: S 2021952000:20219520 00(0) ack 1382726992 win 4096
Note that the SYN-ACK packet sent by X-terminal has an initial sequence number that is 128,000 greater than the previous one.
The fourth step involved sending a false SYN connection request to the target machine. The SYN appears to be from server.login, a trusted host, using the
predicted sequence number to simulate the trusted host. X-terminal will reply
to server with a SYN-ACK, which must be ACK'd in order for a connection to be
opened. Because server is ignoring packets sent to server.login, because the
connection queue is full, the ACK must be forged as well.
TCP uses a three way handshake to establish communications between a client
and a server. The SYN bit in the control field of the TCP protocol data unit
(PDU) is used to establish initial sequence numbers. The first PDU does not
acknowledge any data. The second PDU has both the SYN and the ACK bits set.
The third PDU acknowledges the second PDU and has the ACK bit set. The three
way handshake is illustrated below:
Client Server
1st SYN (seq #1) - - - - - - - - > Receives SYN - - - - |
|
| - Receives SYN-ACK < - - - - - Sends SYN-ACK (seq #?) - - - |
|
| - Sends ACK (seq # = ?+1) - - - - - > Connection established!
Below is a portion of the log containing the generated ACK:
14:18:36.245045 server.login > x-terminal.shell: S 1382727010:1382727010(0) win 4096
14:18:36.755522 server.login > x-terminal.shell: . ack 2024384001 win 4096
The spoofing machine now has a one-way connection to x-terminal.shell which
appears to be from server.login. It can maintain the connection and send data
provided that it can properly ACK any data sent by x-terminal.
The fifth step requires the attacker to send the UNIX command
rsh x-terminal "echo + + >>/.rhosts"
to the target machine. This command generates a line of two plus signs and
either appends that line to the end of the .rhosts file in the root directory
of the target machine, or creates the file if it does not exist. The line
with two plus signs in the .rhosts file allows any user to perform remote
logins from any host without being prompted for a password. The attacker now
have root access to the target machine without password authorization
prompting.
Finally the spoofed connection is shut down and TCP RSTs are sent to the
server machine to reset the "half-open" connections and empty the connection
queue for server.login so that server.login can again accept connections.
Below is a portion of the log containing the RSTs:
14:18:52.298431 130.92.6.97.600 > server.login: R 1382726960:1382726960(0) win 4096
14:18:52.363877 130.92.6.97.601 > server.login: R 1382726961:1382726961(0) win 4096
14:18:52.416916 130.92.6.97.602 > server.login: R 1382726962:1382726962(0) win 4096
14:18:52.476873 130.92.6.97.603 > server.login: R 1382726963:1382726963(0) win 4096
The information in this article is for demonstration purposes only.
Tsutomu Shimomura's e-mail is tsutomu at ucsd.edu.