9fans - fans of the OS Plan 9 from Bell Labs
From: "Russ Cox" <rsc@plan9.bell-labs.com>
To: 9fans@cse.psu.edu
Subject: Re: [9fans] SSH Version2
Date: Mon, 7 Oct 2002 12:21:51 -0400
Message-ID: <65010503554d731e5af01bacdf6ff2b1@plan9.bell-labs.com>

> ever heard of ettercap? the ultimate in script kiddie packet sniffing
> technology? it can break ssh1.
> http://ettercap.sourceforge.net/

that's not true.  it can stand in as a man-in-the-middle
for an active attack on ssh1.  that's only going to work
if you've never connected to the host before, or if you
ignore the man-in-the-middle warnings when the other end's
host key doesn't work out right.  to do that requires that
you are proxy arping for the victim server, which limits the
attack even further.

from their readme:

5.4.4 SSH1 MAN-IN-THE-MIDDLE

 When the connection starts (remember that we are the master-of-packets, all
 packets go through ettercap) we substitute the server public key with one
 generated on the fly and save it in a list so we can remember that this
 server has been poisoned before.
 Then the client sends the packet containing the session key ciphered with
 our key, so we are able to decipher it and sniff the real 3DES session key.
 Now we encrypt the packet with the correct server public key and forward it
 to the SSH daemon.
 The connection is established normally, but we have the session key !!
 Now we can decrypt all the traffic and sit down watching the stream !
 The connection will remain active even if we exit from ettercap, because
 ettercap doesn't proxy it (like dsniff). After the exchange of the keys,
 ettercap is only a spectator... ;)

russ
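The host-key check that bounds the attack described above, as an added example in Python that is not from this thread or from ettercap: a trust-on-first-use store pins the first key seen for a host and rejects any later substitution, so a substituted key is only accepted on a first contact or when the mismatch is ignored. The keys are random byte strings standing in for real public keys and the host name is made up.

```python
import hashlib
import os


class HostKeyMismatch(Exception):
    """Raised when a previously seen host presents a different key."""


def fingerprint(pubkey: bytes) -> str:
    # SHA-256 digest of the key bytes, the same idea as the fingerprint a
    # client shows in its host-key warning
    return "SHA256:" + hashlib.sha256(pubkey).hexdigest()


class KnownHosts:
    """Trust-on-first-use store: the first key seen for a host is pinned."""

    def __init__(self):
        self.keys = {}

    def check(self, host: str, pubkey: bytes) -> str:
        fp = fingerprint(pubkey)
        pinned = self.keys.get(host)
        if pinned is None:
            # first contact: nothing to compare against, so the offered key is pinned
            self.keys[host] = fp
            return "new"
        if pinned != fp:
            # the warning a client must not be allowed to click through silently
            raise HostKeyMismatch(f"{host}: pinned {pinned}, offered {fp}")
        return "known"


def simulate():
    server_key = os.urandom(32)  # constructed stand-in for the real server public key
    substituted_key = os.urandom(32)  # constructed stand-in for a key made on the fly
    kh = KnownHosts()
    results = [kh.check("host.example", server_key)]   # first connect: pinned
    results.append(kh.check("host.example", server_key))  # honest reconnect
    try:
        kh.check("host.example", substituted_key)  # a different key for a known host
        results.append("accepted")
    except HostKeyMismatch:
        results.append("rejected")
    # a client that has never seen the host pins whatever key it is first offered
    fresh = KnownHosts()
    results.append(fresh.check("host.example", substituted_key))
    return results
```

Running `simulate()` returns `["new", "known", "rejected", "new"]`, the last entry being the never-connected-before case the message singles out.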


