Re: Steady increase in ssh scans

From: Adam Manock (abmanock@earthlink.net)
Date: 02/11/02


Date: Mon, 11 Feb 2002 14:39:43 -0500
To: <incidents@securityfocus.com>
From: Adam Manock <abmanock@earthlink.net>


>Here's my concern. With worms like nimda, lion, and others, sniffing is a
>major factor in analyzing the worm's propagation and exploitation
>methods. An ssh based worm could take sniffing out of the picture (the
>attack is over an encrypted service) and reduce forensic analysis to
>artifact examination.

Looks like we may need some honeypots...

The encrypted activities of a hypothetical SSH worm could be logged using a
honeypot and a network sniffing logger, one that just so happens to have
the honeypot's private SSH key. SSHmitm from the dsniff toolkit might provide
a good place to start on how to decrypt and log a sniffed SSH connection.
An alternative approach would be to deliberately man-in-the-middle proxy an
SSH honeypot and make the proxy also "look" vulnerable to the worm. The
proxy would then be able to log in cleartext all of the worm-generated
traffic, encrypted or not.

Adam

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com


