Re: A Solution for sniffing

From: David (dcorking@yahoo.fr)
Date: 12/21/02

    Date: Fri, 20 Dec 2002 20:14:23 -0500
    From: David <dcorking@yahoo.fr>
    To: security-basics@securityfocus.com
    
    

    On Fri, 20 Dec 2002, Janssen, Steph wrote:

    > I'm afraid it only brings a small amount of safety. Also the Promiscuous part
    > is getting a bit different.
    >
    > Nowadays most people who sniff, sniff using tools that poison your
    > arp-cache, in your switches. http://ettercap.sourceforge.net/ is a good

    >
    > This makes the machine sniffing you the machine in the middle, and would it
    > detect an ssh-connection, it will "put you through" like a receptionist, that
    > way maintaining two sessions. One with you, and one with the server you

    Quote from above web page :-

     SSH1 support : you can sniff User and Pass, and even the data of an
     SSH1 connection. ettercap is the first software capable to sniff an
     SSH connection in FULL-DUPLEX

    According to mailing lists that specialize in ssh, this was due to a
    bug in SSH protocol v 1, that is not present in SSH protocol v 2.

    ettercap does not claim to sniff ssh v 2.

    So until a bug is found in protocol v 2, you need to

    * acquire an ssh tool that supports it (recent versions of ssh,
      OpenSSH and PuTTY support it)

    * disable protocol v 1 in this tool (preferably in client and server.)

    * if your tool warns you about an unknown host key, take it
      seriously. Transmit and install trusted host keys by a secure
      channel, as the unknown host key may belong to the 'man in the
      middle' sniffer.

    Although I use protocol v 2 for this reason, I am not a penetration
    tester so I have not proven its effectiveness myself.

    I think that right now I am safe from ettercap kids any way.

    David.
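An added example, not part of David's post or of any SSH project: a small audit of OpenSSH-style config files for the two settings his list maps to (the Protocol directive allowing version 1, and StrictHostKeyChecking on the client side). The sample config files are constructed inline; the parsing assumes OpenSSH's "key value" / "key=value" syntax with "#" comments, and the note that an absent Protocol line defaulted to "2,1" on releases of that era is an assumption about those builds, not something the post states.

```shell
#!/bin/sh
# Added example (not from the original post): audit OpenSSH config files for
# Protocol 1 and for strict host key checking. Sample files are constructed.

# Print the effective value of a directive, or "unset". Mirrors OpenSSH
# parsing: keys are case-insensitive, "#" starts a comment, "key value" and
# "key=value" are both accepted, and the first matching line wins.
config_value() {
    awk -v key="$2" -F '[[:space:]=]+' '
        { sub(/#.*/, ""); sub(/^[[:space:]]+/, "") }
        tolower($1) == key { found = 1; print $2; exit }
        END { if (!found) print "unset" }' "$1"
}

# Classify the Protocol directive as v1-enabled, v2-only or unset. "unset"
# means the build default applies; assumption: 2002-era releases defaulted to
# "2,1", so treat "unset" as a finding rather than a pass.
protocol_status() {
    case "$(config_value "$1" protocol)" in
        unset) echo unset ;;
        *1*)   echo v1-enabled ;;
        *)     echo v2-only ;;
    esac
}

# Client-side setting: "yes" refuses to connect when the host key is unknown
# or changed, which turns the warning in the third point into a hard stop.
strict_hostkey_status() {
    config_value "$1" stricthostkeychecking
}

# Print both findings; succeed only if protocol 1 is explicitly disabled.
audit_ssh_config() {
    p=$(protocol_status "$1")
    s=$(strict_hostkey_status "$1")
    printf '%s: Protocol=%s StrictHostKeyChecking=%s\n' "$1" "$p" "$s"
    [ "$p" = v2-only ]
}

# Constructed sample client configs (ssh_config style); the Protocol check
# applies unchanged to a server's sshd_config.
tmp=$(mktemp -d)
cat > "$tmp/weak.conf" <<'EOF'
# typical shipped default of the time
Protocol 2,1
StrictHostKeyChecking ask
EOF
cat > "$tmp/hardened.conf" <<'EOF'
protocol = 2    # key=value form and trailing comment are allowed
StrictHostKeyChecking yes
EOF
audit_ssh_config "$tmp/weak.conf" || echo "  -> protocol 1 still enabled"
audit_ssh_config "$tmp/hardened.conf" || echo "  -> protocol 1 still enabled"
```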


