Security: TCP Session Hijacking

The following exercise examines a set of traces taken on a private network to illustrate various security exploits. This network was completely isolated from the Internet; we had administrative rights to all the machines used, and the experiments were done with the full knowledge and consent of all participants.

Probing the weaknesses of the TCP/IP protocols can help us to design systems to resist such attacks and to be wiser network "consumers". Such exploits are never acceptable practice outside such a controlled environment, not as a "joke" or even as a learning experience.

The network setup was as follows: a LinkSys Cable Router/DHCP Server (not connected to the Internet), a laptop running Windows 2000, a laptop running Linux and a desktop running Linux, all connected to an 8 port hub. The laptops and the desktop were all configured to acquire their IP addresses via DHCP. All three machines are normally used in the cs.cornell.edu domain, but for these experiments there was no connection to the Internet.

Before beginning these experiments, we added a new user account named "clueless" to the Linux desktop machine.

We are providing you with three files. The first contains a trace of the network activity taken with Ethereal. The second contains a partial transcript of the attacker's commands. The third contains a partial transcript of the victim's commands.

Examine all three files and answer the following questions.

1) The user "clueless" telnets from the Windows laptop to the Linux desktop machine four times. The Windows laptop has the IP address 192.168.1.103 and the Linux desktop has the IP address 192.168.1.101.

1a) What are the local ports on the Windows laptop used for each of these telnet sessions?

1b) What seems to be the algorithm for choosing a local port number? (BONUS: Does the attacker's machine use the same algorithm?)

1c) What are the MAC addresses (Ethernet addresses) of each machine?

2) Examine the first telnet session using Ethereal. The transcript of this session has been omitted from the victim's log.

2a) As the victim types, how many keystrokes are sent in each TCP segment to the server?

2b) True or False: During a telnet session, if the user types a word and backspaces deleting it, it will not be sent to the telnet server.

2c) Notice how the telnet server echoes the same information typed by the user. What is the one exception to this rule? Is there any advantage to this exception?

3) During this first telnet session, the user creates a file containing confidential data.

3a) What is the name of this file?

3b) What are the contents of this file?

4) The first telnet session was hijacked by an attacker. We will examine the hijacking of a telnet session in a later question, but first let's consider the second telnet session. This telnet session is ended when the attacker sends a bogus FIN packet to the victim's computer.

4a) Which packet(s) are sent by the attacker to end the second telnet session? How do you know?

4b) What is required in order for this bogus FIN packet to be accepted as legitimate? How would this information be obtained by an attacker?

4c) If you look in the attacker's log you will see that the attacker actually had to try to end this telnet session twice. Why might the first attempt have failed?

4d) Is there evidence in the Ethereal trace that the second attempt did indeed succeed? What is it?

4e) Does the victim continue to send data to the server? How do you know?

4f) The real server continues to send data to the victim. Which packets illustrate this? What happens as a result?

4g) When does the real server stop sending data to the victim?

5) The third telnet session is ended when the attacker sends a bogus RST packet to the victim.

5a) Which packet is sent by the attacker in this case?

5b) What is required for this packet to be accepted by the victim?

5c) Why might it be more difficult than with the FIN attack to know for sure whether the attack succeeded?

5d) In this case, is there evidence that the attack succeeded?

6) The fourth telnet session is not only ended; it is actually "hijacked" by the attacker. This means that in addition to cutting off the victim, the attacker can actually continue sending commands as if he were the legitimate user.

6a) Once a session is hijacked, the attacker could send any commands he wants (e.g. rm *, cat *.* > .rhosts, ...). In this case, the attacker does succeed in executing a command on the hijacked connection, but it is much more benign. What specifically does the attacker do?

6b) Which packet is sent from the attacker in this case? To whom is it sent?

6c) What exactly causes the victim's connection to die in this case? Is it a FIN or RST as in the previous examples?
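Questions 4 through 6 all turn on segments that carry the victim's IP address but did not come from the victim's machine. The following is an added example, not part of the original exercise or its trace files: it reads a constructed Ethereal-style summary (the MAC addresses, ports and sequence numbers are invented; only the two IP addresses come from the exercise), learns which Ethernet address first used each IP, and flags later FIN, RST or data segments whose source MAC contradicts that binding, which is the kind of evidence the questions ask you to look for.

```python
from collections import namedtuple

Frame = namedtuple("Frame", "no src_mac src_ip sport dst_ip dport flags seq ack plen")

# Constructed sample trace, one tuple per Ethernet frame. Values are invented for this
# example except the two IP addresses named in the exercise.
TRACE = [
    Frame(1, "00:aa:aa:aa:aa:01", "192.168.1.103", 1031, "192.168.1.101", 23, "PA", 1000, 5000, 1),
    Frame(2, "00:bb:bb:bb:bb:02", "192.168.1.101", 23, "192.168.1.103", 1031, "PA", 5000, 1001, 1),
    Frame(3, "00:aa:aa:aa:aa:01", "192.168.1.103", 1031, "192.168.1.101", 23, "A", 1001, 5001, 0),
    # A third Ethernet address claims the laptop's IP and closes the connection (cf. question 4).
    Frame(4, "00:cc:cc:cc:cc:03", "192.168.1.103", 1031, "192.168.1.101", 23, "FA", 1001, 5001, 0),
    Frame(5, "00:bb:bb:bb:bb:02", "192.168.1.101", 23, "192.168.1.103", 1031, "A", 5001, 1002, 0),
    # The real laptop keeps sending from the sequence number it believes is current.
    Frame(6, "00:aa:aa:aa:aa:01", "192.168.1.103", 1031, "192.168.1.101", 23, "PA", 1001, 5001, 1),
    # The same third address sends a RST (cf. question 5) and then data (cf. question 6).
    Frame(7, "00:cc:cc:cc:cc:03", "192.168.1.103", 1031, "192.168.1.101", 23, "R", 1002, 5001, 0),
    Frame(8, "00:cc:cc:cc:cc:03", "192.168.1.103", 1031, "192.168.1.101", 23, "PA", 1002, 5001, 3),
]


def learn_bindings(trace):
    """Record the first source MAC seen for each source IP; on this hub that is the DHCP owner."""
    bindings = {}
    for f in trace:
        bindings.setdefault(f.src_ip, f.src_mac)
    return bindings


def find_spoofed(trace):
    """Return (frame number, reason) for every segment whose source MAC contradicts the IP owner."""
    bindings = learn_bindings(trace)
    findings = []
    for f in trace:
        if f.src_mac == bindings[f.src_ip]:
            continue  # consistent with the first-seen owner of this IP
        if "R" in f.flags:
            reason = "spoofed RST (abortive teardown)"
        elif "F" in f.flags:
            reason = "spoofed FIN (orderly teardown)"
        elif f.plen > 0:
            reason = "injected data (possible hijack)"
        else:
            reason = "spoofed ACK"
        findings.append((f.no, reason))
    return findings


if __name__ == "__main__":
    for no, reason in find_spoofed(TRACE):
        print(f"frame {no}: {reason}")
```

A frame that forged the victim's Ethernet address as well as its IP would pass this check, so a fuller detector also tracks each side's expected sequence number and flags segments that do not fit it.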

7) When we began this set of experiments, only the Windows laptop and the Linux desktop were connected to the network. Part way through the first telnet session, the attacker plugged his laptop into a free port on the hub. Can you find evidence of the attacker joining the network even before he commences with any attacks?

8) Without even launching attacks like these, the attacker could have compromised the "clueless" account simply by seeing the password go by in plain text.

8a) What is the password on the clueless account? How do you know? (There are actually many ways to answer this question).

8b) Which set of packets in telnet session 2 show the username and password going in the clear?

8c) The attacker does actually use this sniffed password to access the clueless account and ftp the confidential file. Which packet from this ftp session show the password going in the clear?

8d) Is it easier to snoop packets from an ftp session or a telnet session? Why?

8e) In what situations would TCP session hijacking be more powerful than sniffing passwords?

8f) Which do you think is more likely to be detected?

9) Do you think it would be possible to hijack an ssh connection? What portion of the exploit would you expect to work and what portion would you expect to fail?

10) Can you find evidence in the Ethereal trace (!) to indicate which TA was the attacker? :-) If so, what is it?

11) Explain some of the fundamental problems with TCP/IP that allow these types of attacks.

12) Can you suggest changes that would fix the problem? Do these changes introduce new problems?