Kevin Mitnick (born October 6, 1963) is known as "the most famous" hacker in the United States of America. He is an expert in social engineering, which helped him obtain much of the classified information he used for his hacking hobby. Early in his career he was on the FBI's most wanted cyber criminal list. He was captured by the FBI with the aid of Tsutomu Shimomura and sentenced to 5 years in prison. He is now a security consultant in his own firm, Mitnick Security Consulting.

If there is a trusted relationship between two computers (e.g. server and client), a connection can be established by a three-way handshake. In the Mitnick attack, the three-way handshake used the TCP sequence number and the IP address as the proof of identity and signature. The three-way handshake has three steps:

Computer A sends a SYN request under its IP address with a random TCP sequence number xA to computer B.
Computer B sends a SYN/ACK response with acknowledgement number (xA+1) and its own random TCP sequence number xB back to computer A.
If computer A wants to establish the connection, it sends an ACK response with number (xB+1) back to computer B. Otherwise, it sends a RESET response to drop the connection request.

The Mitnick attack has five general steps:

Before the attack, Mitnick was able to determine the behavior of X-Terminal's TCP sequence number generator and a trusted relationship between X-Terminal and the Server.

Determine the TCP sequence number generator's behavior

Mitnick sent a SYN request to X-Terminal and received a SYN/ACK response. Then he sent a RESET response to keep X-Terminal's connection table from filling up. He found that there was a pattern between two successive TCP sequence numbers. It turned out that the numbers were not random at all: each was greater than the previous one by 128000.

Determine a trusted relationship between X-Terminal and the Server

Before the attack, Mitnick hacked into Shimomura's website. He used the finger and showmount commands to find out whether X-Terminal had a trusted relationship with any other computers.

Mitnick kept the Server muted by filling it up with half-open SYN requests from spoofed IP addresses. To create half-open SYN requests, he used routable but inactive IP addresses. Because he had no intention of completing the three-way handshake with the Server, the half-open SYN requests occupied the Server's memory faster. The result was that the Server could not respond to any other requests. This is a type of Denial of Service attack.

Mitnick sent a SYN request to X-Terminal with the IP address spoofed as the Server's. He used an arbitrary number as the Server's TCP sequence number. X-Terminal sent a SYN/ACK response to the Server. Because the Server was muted, it did not receive the SYN/ACK response. As mentioned in the information gathering step, Mitnick was able to generate the TCP sequence number that X-Terminal created for the Server. Mitnick, again spoofing his IP as the Server's IP, sent an ACK response to X-Terminal to finish the three-way handshake. Because the returned TCP sequence number was correct, X-Terminal allowed Mitnick to connect to it. Shimomura's computer was considered hacked once this step was finished.

Mitnick wanted to create a backdoor on Shimomura's computer so that he could come back later without repeating the hijack. He pumped commands from his computer to Shimomura's computer. To be precise, the command was "echo + + > /.rhosts". The "+ +" allowed any computer to connect to X-Terminal without being verified.

Mitnick sent RESET responses to the Server to cancel all his SYN requests.

There are no specific mechanisms to detect the Mitnick attack directly. However, a security analyst can combine several mechanisms to detect the attack indirectly. Basically, the attack can be detected by both network-based and host-based intrusion detection systems (IDS).
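The sequence-number section above describes why X-Terminal's generator was exploitable: every new initial sequence number (ISN) was the previous one plus 128000. The following is an added example (not code from the original page or from anyone involved in the incident) of the check a defender would run against a sample of ISNs to see whether a host's generator has that weakness. The ISN lists are constructed: one mimics the fixed +128000 increment, the other a randomized generator; the threshold that separates "weak" from "unpredictable" is an illustrative choice.

```python
"""Assess whether a TCP initial-sequence-number (ISN) generator is predictable.

Added example. The samples below are constructed, not real captures: one
host hands out ISNs that grow by a constant 128000 per connection (the
behaviour the page describes for X-Terminal), the other randomizes them.
"""
from statistics import pstdev

SEQ_MODULUS = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around

# Constructed sample: constant-increment generator (+128000 per connection).
PREDICTABLE_ISNS = [1_000_000 + 128_000 * i for i in range(8)]

# Constructed sample: a generator that draws ISNs from the whole 32-bit space.
RANDOM_ISNS = [0x1A2B3C4D, 0x9F00E1C2, 0x3344AB10, 0xC0FFEE00,
               0x12345678, 0x7E57ABCD, 0x00C0DE00, 0xDEADBEEF]

# Illustrative threshold: if successive ISNs differ by less than this on
# average (measured as spread of the deltas), an off-path guesser has a
# small search window and the generator is considered weak.
WEAK_SPREAD_THRESHOLD = 2 ** 16


def isn_deltas(isns):
    """Differences between successive ISNs, reduced modulo 2**32."""
    return [(b - a) % SEQ_MODULUS for a, b in zip(isns, isns[1:])]


def predict_next_isn(isns):
    """Return the next ISN if every observed delta is identical, else None.

    This is exactly the inference the page describes: once the increment is
    known, the ISN the host will use for its next SYN/ACK is last + increment.
    """
    deltas = isn_deltas(isns)
    if len(deltas) >= 2 and len(set(deltas)) == 1:
        return (isns[-1] + deltas[0]) % SEQ_MODULUS
    return None


def assess_isn_generator(isns):
    """Classify a generator from a sample of ISNs it produced.

    Returns a dict with the constant increment (or None), the predicted next
    ISN (or None) and a verdict: "predictable", "weak" or "unpredictable".
    """
    if len(isns) < 3:
        raise ValueError("need at least three ISNs to judge the generator")
    deltas = isn_deltas(isns)
    increment = deltas[0] if len(set(deltas)) == 1 else None
    if increment is not None:
        verdict = "predictable"
    elif pstdev(deltas) < WEAK_SPREAD_THRESHOLD:
        verdict = "weak"
    else:
        verdict = "unpredictable"
    return {
        "increment": increment,
        "predicted_next": predict_next_isn(isns),
        "verdict": verdict,
    }


if __name__ == "__main__":
    for name, sample in (("X-Terminal-like", PREDICTABLE_ISNS),
                         ("randomized", RANDOM_ISNS)):
        print(name, assess_isn_generator(sample))
```

A host that comes back "predictable" or "weak" should not be relied on for any address-based trust such as rhosts, because the ISN is the only thing that proves the third handshake message came from the claimed peer.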
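The closing paragraph says the attack is only detected indirectly, by combining network-based and host-based mechanisms. The following added example (not the page's own code, and not the code of any real IDS) shows three such mechanisms run over constructed data: counting half-open handshakes per destination to spot the SYN flood that muted the Server, flagging a completed handshake whose source is a host currently under that flood (the spoofed connection to X-Terminal), and scanning a .rhosts file for the "+" wildcard left as the backdoor. The flow-log format, the IP addresses, the .rhosts contents and the flood threshold are all constructed for the example.

```python
"""Indirect detection of the Mitnick attack from network and host evidence.

Added example with constructed inputs. The flow log uses a made-up
"time src dst flags" format where flags are S (SYN), SA (SYN/ACK) or A (ACK).
Addresses: 192.168.1.10 plays the trusted Server, 192.168.1.20 plays
X-Terminal, 10.9.9.x are unused-but-routable spoofed sources.
"""
from collections import defaultdict

# Constructed flow log as a sensor between the hosts would record it.
FLOW_LOG = """\
10:00:01 10.9.9.1 192.168.1.10 S
10:00:01 192.168.1.10 10.9.9.1 SA
10:00:01 10.9.9.2 192.168.1.10 S
10:00:01 192.168.1.10 10.9.9.2 SA
10:00:01 10.9.9.3 192.168.1.10 S
10:00:01 192.168.1.10 10.9.9.3 SA
10:00:01 10.9.9.4 192.168.1.10 S
10:00:01 192.168.1.10 10.9.9.4 SA
10:00:02 192.168.1.10 192.168.1.20 S
10:00:02 192.168.1.20 192.168.1.10 SA
10:00:02 192.168.1.10 192.168.1.20 A
10:00:05 10.0.0.7 192.168.1.20 S
10:00:05 192.168.1.20 10.0.0.7 SA
10:00:05 10.0.0.7 192.168.1.20 A
"""

# Constructed /.rhosts contents after the backdoor command from the page.
RHOSTS = """\
# constructed example file
server.example.net shimomura
+ +
"""

HALF_OPEN_THRESHOLD = 3  # illustrative: real sensors use rates per time window


def parse_log(text):
    """Split the constructed log into (time, src, dst, flags) tuples."""
    return [tuple(line.split()) for line in text.strip().splitlines()]


def handshake_states(records):
    """Map (client, server) -> set of handshake messages seen for that pair."""
    seen = defaultdict(set)
    for _, src, dst, flags in records:
        if flags == "S":
            seen[(src, dst)].add("S")
        elif flags == "SA":
            seen[(dst, src)].add("SA")  # the server answers the client
        elif flags == "A":
            seen[(src, dst)].add("A")
    return seen


def half_open_counts(records):
    """Per server: handshakes that got a SYN/ACK but never a final ACK."""
    counts = defaultdict(int)
    for (_, server), flags in handshake_states(records).items():
        if {"S", "SA"} <= flags and "A" not in flags:
            counts[server] += 1
    return dict(counts)


def flooded_hosts(records, threshold=HALF_OPEN_THRESHOLD):
    """Servers whose half-open count reaches the threshold (SYN flood)."""
    return {h for h, n in half_open_counts(records).items() if n >= threshold}


def suspicious_connections(records):
    """Completed handshakes initiated by a host that is itself being flooded.

    A host that cannot answer its own backlog is unlikely to be opening new
    sessions; a completed handshake in its name is the spoofing signature.
    """
    flooded = flooded_hosts(records)
    return [(c, s) for (c, s), f in handshake_states(records).items()
            if {"S", "SA", "A"} <= f and c in flooded]


def rhosts_wildcards(text):
    """Host-side check: (line number, line) for every '+' wildcard entry."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if "+" in stripped.split():
            hits.append((n, stripped))
    return hits


if __name__ == "__main__":
    recs = parse_log(FLOW_LOG)
    print("half-open per server:", half_open_counts(recs))
    print("flooded hosts:", flooded_hosts(recs))
    print("suspicious connections:", suspicious_connections(recs))
    print("rhosts wildcards:", rhosts_wildcards(RHOSTS))
```

Neither signal alone is conclusive: a half-open burst may be a plain denial of service, and a trusted host can legitimately open a session. It is the correlation the page calls for (a flood on the trusted host, a session in its name during the flood, and a wildcard trust entry appearing on the target) that makes the incident recognisable.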