Ghost in the Wires: My Adventures as the World's Most Wanted Hacker - Kevin Mitnick [161]

to configure a server to trust other computers for the purpose of authentication. One example is where a system admin manages multiple machines, so when he or she is logged in as root, no password would be required to log in to other systems that trust the server.

In the IP spoofing attack, the attacker’s first step is to look for other systems that are likely to be trusted by the root account on the target server, meaning a user logged in to root on a trusted system can log in to the root account on the target server without supplying a password.

It wasn’t too difficult in this case. By using the “finger” command, the attacker was able to identify that our victim was connected to the target system from another computer located in the same local area network. It was very likely that these two systems trusted each other for root access. The next step was to establish a connection to the target system by forging the trusted computer’s IP address.

This is where it got a bit tricky. When two systems are establishing an initial connection over TCP, a series of packets are sent back and forth to create a “session” between them. This is called a “three-way handshake.” During the handshake, the target system transmits a packet back to the machine it believes is trying to establish the connection. Since the targeted server thinks it is responding to a request from the real (trusted) system, it sends that packet to the real system’s address; the attacker’s machine never receives it, and so the handshake cannot be completed.

Enter the TCP sequence number: the protocol uses sequence numbers to acknowledge the receipt of data. If the attacker could predict the sequence number of the packet being sent from the target system to the real server during the initial handshake, he could complete the process by sending an acknowledgment packet (with the correct sequence number), and establish a connection appearing to be from the trusted machine.

This effectively established a session by guessing the TCP sequence number. Because the targeted system was fooled into thinking it had established a connection with a trusted machine, it allowed the attacker to exploit the trust relationship, and bypass the usual password requirement—allowing full access to the machine. At this point, the attacker could write over the current .rhosts file on the target machine, allowing anyone access to the root account without a password.

In summary, the attack relied on the attacker being able to predict the TCP sequence number of the packet sent by the target computer at the time of the initial contact. If an attacker could successfully predict the TCP sequence number that the target would use during the handshaking process, the attacker could impersonate a trusted computer and bypass any security mechanisms that rely on the user’s IP address.
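The whole attack hinges on how guessable a stack's initial sequence numbers (ISNs) are. The following is an added illustration, not code from the book or from the tool JSZ describes: it models a constructed old-style ISN generator that advances by a fixed step per connection beside a hardened generator that draws each ISN from a cryptographic random source, and runs the kind of predictability check a defender would use to assess a stack. The start value and step constant are assumptions chosen for the example.

```python
"""ISN predictability assessment (constructed illustration)."""
import secrets
from collections import Counter

MASK32 = 0xFFFFFFFF  # TCP sequence numbers are 32-bit and wrap


class LegacyISN:
    """Constructed model of an old-style generator: the counter advances by a
    fixed amount for every new connection, so each ISN is the previous one
    plus a constant. The start/step values are assumptions for illustration."""

    def __init__(self, start=0x10000, step=64000):
        self.counter = start
        self.step = step

    def next_isn(self):
        self.counter = (self.counter + self.step) & MASK32
        return self.counter


class RandomISN:
    """Hardened generator: every ISN comes from an unpredictable source, so
    past handshakes reveal nothing about the next one."""

    def next_isn(self):
        return secrets.randbits(32)


def predict_next(observed):
    """Naive predictor: assume the most common delta between consecutive
    observed ISNs repeats. Returns None with fewer than two samples."""
    if len(observed) < 2:
        return None
    deltas = [(b - a) & MASK32 for a, b in zip(observed, observed[1:])]
    step, _ = Counter(deltas).most_common(1)[0]
    return (observed[-1] + step) & MASK32


def assess(generator, samples=8, trials=20):
    """Observe `samples` ISNs from `generator`, then measure how often the
    naive predictor guesses the next one over `trials` further connections.
    Returns the hit fraction: 1.0 means fully predictable, ~0.0 means not."""
    observed = [generator.next_isn() for _ in range(samples)]
    hits = 0
    for _ in range(trials):
        guess = predict_next(observed)
        actual = generator.next_isn()
        hits += guess == actual
        observed.append(actual)
    return hits / trials


if __name__ == "__main__":
    print("legacy generator predictability:", assess(LegacyISN()))
    print("random generator predictability:", assess(RandomISN()))
```

A score near 1.0 is the property the attack in the text depends on; a modern stack should score near 0.0.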

I told JSZ I had read the article. “But it’s theoretical. Hasn’t been done yet.”

“Well, my friend, methinks it has. We’ve already developed the tool, and it works—amazingly well!” he said, referring to a piece of software that he and some associates spread throughout Europe had been working on.

“No way! You’re kidding me!”

“I’m not.”

I asked him if I could have a copy.

“Maybe later,” he said. “But I’ll run it for you anytime you want. Just give me a target.”

I shared with JSZ the details of my hack into Mark Lottor’s server and his interesting connection with Tsutomu Shimomura, using his nickname. I explained how I’d hacked into UCSD and sniffed the network until someone named “ariel” connected to Shimomura’s server, after which I was finally able to get in. “Shimmy somehow realized that one of the people who had access to his computer had been hacked, and he booted me off after several days,” I said.

I had seen some of the security bugs Shimmy had reported to Sun and DEC and been impressed with his bug-finding skills. In time I would learn that he had shoulder-length straight black hair, a preference for showing up at work wearing sandals and “raggedy-ass jeans,” and a passion for cross-country skiing. He sounded
