From: Ryan Russell (ryan@securityfocus.com)
Date: Tue Jan 15 2002 - 11:59:58 CST


    The problem with MITM attacks (unless I'm totally misunderstanding Dug's
    tool) is that the client has to make a bad choice, i.e. continue to
    connect while their SSH client is screaming "something funny might be
    happening." If you're trying to catch them connecting to *your* SSHD,
    then no problem, you just share the server keys with the sniffing app.
    However, many, many rootkits I've seen simply include their own SSHD, with
    its own keys. If the attacker is paying attention at all, he'll notice
    that his client complains.

                                            Ryan

    On Mon, 14 Jan 2002, Todd Garrison wrote:

    > Another alternative could be SSH-MITM which is part of the dsniff suite
    > (written by Dug Song I believe.) Website for it is down, but I am sure
    > there are still copies floating around.
    >
    > For those who haven't read up on dsniff - the ssh-mitm portion (one of many
    > utilities in dsniff) is essentially a transparent proxy which performs a
    > man-in-the-middle attack via arp cache poisoning (is that right?). I don't
    > know how it would affect attacks against the sshd daemon itself though - in
    > that context it might not work. But assuming that your SSH implementation
    > is secure (roll the dice - if you are looking for 0-day exploits) it may be
    > yet another tool for gathering keystroke data when ssh is used by an
    > attacker to avoid NIDS detection/packet monitoring *after* gaining access.
    >

    ---------------------------------------------------------------------
    To unsubscribe, e-mail: honeypots-unsubscribe@securityfocus.com
    For additional commands, e-mail: honeypots-help@securityfocus.com
    ---------------------------------------------------------------------
    This list is provided by the SecurityFocus Security Intelligence Alert
    (SIA) Service. For more information on SecurityFocus' SIA service
    which automatically alerts you to the latest security vulnerabilities.
    Please, see: https://alerts.securityfocus.com/
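The exchange above turns on one check: whether the host key the SSH client sees during key exchange matches the one it has on file. The following is an added example, not code from the thread, from dsniff, or from any SSH implementation. It models a client's known_hosts lookup and a simplified accept/refuse policy, then runs the three situations the thread describes: a honeypot whose real host key is shared with the proxy, a rootkit sshd (or proxy) with its own key against a client that already knows the real one, and a first-ever connection with no known_hosts entry. The hostname, the key bytes and the known_hosts file are constructed for the example; the 32-byte key payloads are not real Ed25519 keys, only wire-format blobs so the comparison and fingerprinting are realistic.

```python
"""Model of SSH host-key verification versus a transparent MITM proxy.

Added example, not from the original thread. All hosts, keys and the
known_hosts file below are constructed for illustration.
"""
import base64
import hashlib


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string: 4-byte big-endian length + data."""
    return len(data).to_bytes(4, "big") + data


def ed25519_blob(raw32: bytes) -> bytes:
    """Build an ssh-ed25519 public key blob (type string + 32-byte key) in wire format.
    The 32 bytes are constructed, not a real key; only the comparison logic matters here."""
    assert len(raw32) == 32
    return ssh_string(b"ssh-ed25519") + ssh_string(raw32)


def fingerprint(blob: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint of a public key blob (base64, padding stripped)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts(text: str) -> dict:
    """Parse plain (unhashed) known_hosts lines: 'host[,host...] keytype base64blob [comment]'.
    Returns {hostname: [(keytype, blob), ...]}."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 3:
            continue
        hosts, keytype, b64 = fields[0], fields[1], fields[2]
        blob = base64.b64decode(b64)
        for host in hosts.split(","):
            entries.setdefault(host, []).append((keytype, blob))
    return entries


def check_host_key(known: dict, hostname: str, keytype: str, blob: bytes) -> str:
    """Compare the key presented in key exchange with what the client has on file."""
    stored = known.get(hostname)
    if not stored:
        return "UNKNOWN"        # first contact: the client can only ask the user
    for kt, kb in stored:
        if kt == keytype and kb == blob:
            return "MATCH"      # the key we trusted before; no warning at all
    return "MISMATCH"           # the "host key has changed" warning


def client_decision(verdict: str, strict: bool, user_accepts_warning: bool):
    """Simplified client policy (not a faithful model of any particular SSH client).
    strict=True refuses anything but an exact match, as StrictHostKeyChecking=yes would.
    Returns (connects, warned)."""
    if verdict == "MATCH":
        return True, False
    if strict:
        return False, True
    return user_accepts_warning, True


def simulate(known_hosts_text: str, hostname: str, presented_blob: bytes,
             strict: bool = False, user_accepts_warning: bool = False) -> dict:
    """Run one connection through the proxy and report whether it was caught."""
    known = parse_known_hosts(known_hosts_text)
    verdict = check_host_key(known, hostname, "ssh-ed25519", presented_blob)
    connects, warned = client_decision(verdict, strict, user_accepts_warning)
    return {"verdict": verdict, "connects": connects, "warned": warned,
            "silently_intercepted": connects and not warned}


# Constructed scenario data (hypothetical host and key bytes).
HOST = "honeypot.example.net"
REAL_KEY = ed25519_blob(bytes(range(32)))        # the honeypot sshd's real host key
MITM_KEY = ed25519_blob(bytes(range(32, 64)))    # a proxy or rootkit sshd using its own key
KNOWN_HOSTS = HOST + " ssh-ed25519 " + base64.b64encode(REAL_KEY).decode() + "\n"

if __name__ == "__main__":
    print("real key  :", fingerprint(REAL_KEY))
    print("mitm key  :", fingerprint(MITM_KEY))
    # 1. Honeypot shares its real keys with the sniffing proxy: client sees MATCH, no warning.
    print("shared key:", simulate(KNOWN_HOSTS, HOST, REAL_KEY))
    # 2. Attacker already knows the real key; proxy/rootkit sshd presents its own: MISMATCH.
    print("own key   :", simulate(KNOWN_HOSTS, HOST, MITM_KEY, user_accepts_warning=True))
    # 3. First contact, nothing on file: only the "new host" prompt stands in the way.
    print("first use :", simulate("", HOST, MITM_KEY, user_accepts_warning=True))
```

The only case with no warning at all is the first one, which is exactly Ryan's point: a proxy that holds the real server keys is invisible, while one with its own key is caught by any attacker whose client has the real key cached, and by a strict policy even on first contact. Two caveats from the dsniff documentation of that era: its sshmitm handled only SSH protocol version 1, and the man page pairs it with dnsspoof for redirecting the victim rather than with ARP poisoning.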