
ID: 655821 • Letter: I

Question

I was reading up on why TCP ISNs need to be randomized, which led me to this write up by Tsutomu Shimomura. I understood how IP address spoofing and predicting the ISN helped the attacker establish a one way connection to the 'x-terminal'. But after that the attacker sends this data - rsh x-terminal "echo + + >>/.rhosts". He doesn't explain what this did and how he was able to get root access to the 'x-terminal'. I understand that rsh allows you to execute commands on a remote host. What I don't understand is what exactly does the command echo + + >>/.rhosts do?

Explanation / Answer

This file is a configuration file for some kind of antique unsecured ancestor of ssh: rsh.
This antique tool relies for its security on the TCP three-way handshake in order to trust that a remote host is really who it pretends to be. Due to ISN prediction, you already know this was a weak way of authentication.

Then, the same way that nowadays we can use private keys to allow password-less access to a system, in those days you could configure rsh to ease your systems' remote administration by filling in the list of remote hosts and users allowed to connect to your system (just hostnames, no asymmetric key involved, remember? Trusting the underlying TCP protocol...).

And here, what Mitnick does is simply to put a generic mask allowing any user from any host to connect.
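As an added example (not from the original post, and not Shimomura's or rsh's own code), here is a small Python model of the rhosts trust check that rsh performs. It assumes a simplified version of the BSD ruserok() semantics: each line of .rhosts is "hostname [username]", and "+" in either field is a wildcard; /etc/hosts.equiv, netgroups and "-" negation are left out. The hostnames "server" and "attacker.example" and the file contents are constructed for the demonstration.

```python
"""Model of the rsh/rlogin .rhosts trust check and of `echo + + >>/.rhosts`.

Assumed (simplified) semantics: each line is "hostname [username]"; a "+" in
either field matches anything; a missing username means "the same user name
as the local account".  Real ruserok() also reads /etc/hosts.equiv and
supports netgroups and "-" negation, which are omitted here.
"""


def parse_rhosts(text):
    """Return (host, user) tuples from .rhosts content; user is None if absent."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        host = fields[0]
        user = fields[1] if len(fields) > 1 else None
        entries.append((host, user))
    return entries


def rhosts_allows(rhosts_text, client_host, remote_user, local_user):
    """True if rsh would let remote_user@client_host run commands as local_user.

    client_host is just the name resolved from the connection's source
    address.  Nothing cryptographic binds it to the peer, which is why a
    spoofed source IP plus a predicted ISN passes this check.
    """
    for host, user in parse_rhosts(rhosts_text):
        host_ok = host == "+" or host.lower() == client_host.lower()
        if user is None:
            user_ok = remote_user == local_user
        else:
            user_ok = user == "+" or user == remote_user
        if host_ok and user_ok:
            return True
    return False


def append_line(rhosts_text, line):
    """Model of `echo + + >>/.rhosts`: append one line to the file content."""
    if rhosts_text and not rhosts_text.endswith("\n"):
        rhosts_text += "\n"
    return rhosts_text + line + "\n"


# Constructed sample: root's .rhosts on the target trusts only one admin host.
ORIGINAL_RHOSTS = "server root\n"


def demo():
    """Return (before, spoofed, after) trust decisions for the attack sequence."""
    # 1. An honest connection from the attacker's host is refused.
    before = rhosts_allows(ORIGINAL_RHOSTS, "attacker.example", "root", "root")
    # 2. The spoofed connection claims to come from 'server', so it is trusted.
    spoofed = rhosts_allows(ORIGINAL_RHOSTS, "server", "root", "root")
    # 3. Over that one-way session the attacker appends "+ +" ...
    opened = append_line(ORIGINAL_RHOSTS, "+ +")
    # ... after which any user on any host may rsh in as root, no spoofing needed.
    after = rhosts_allows(opened, "attacker.example", "nobody", "root")
    return before, spoofed, after


if __name__ == "__main__":
    print(demo())
```

The three values returned by demo() trace the attack: the attacker's own host is not trusted, the spoofed "server" connection is, and once "+ +" has been appended the spoofed session is no longer needed because the wildcard line trusts everyone. Appending to /.rhosts matters because on the target in the write-up root's home directory is /, so that file is root's own .rhosts (an assumption about the original setup, but it is the only reading under which the command makes sense).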
