
How to sniff ssh traffic at Layer3/Layer4, GIVEN you have the private key?


Harry

Apr 28, 2012, 7:20:36 PM
Hello,

Given,
1. that Alice is about to ssh to Bob;
2. that Mallory possesses Alice's private key; and
3. that Alice is on a Linux machine;

how can Mallory sniff the traffic between Alice and Bob?

If necessary, we can also assume,
4. that Mallory also has root access to Alice's machine.

I'm interested in knowing if this sniffing can be done using the standard Linux toolset, or will it require a custom C/Perl program?

I'd also like to know how, at the TCP/IP (layer4/layer3) level, I could piece together the sniffed IP packets between 2 applications communicating in plain, unencrypted text/binary? For example, if Alice and Bob are sending huge files x and y respectively to each other over an unencrypted TCP/IP pipe using, say, a simple sockets-based client/server program, then using what techniques and tools (from the Linux toolset) can I piece together the files x and y that got sent from either side?

I know, e.g., that I could use snort to log the traffic, but I don't know how to piece together the packets.

Many thanks,
/HS

PS: Though I mentioned Alice ssh'ing Bob above, she could just as well be scp'ing a huge file. I'm assuming the fundamental technique/process used to crack open the communication between them will be identical for both ssh and scp.
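The second half of the question (piecing a plaintext TCP conversation back together from captured packets) is what tcpflow and Wireshark's "Follow TCP Stream" do. The script below is an added example, not code from anyone in this thread: it parses raw Ethernet/IPv4/TCP frames, orders each direction's segments by sequence number, drops exact retransmissions, trims overlaps and records gaps. The frames, addresses, ports and "files" are all constructed in-code so it runs offline; build_frame exists only to produce that test input.

```python
import struct
from collections import defaultdict

ALICE, BOB = "10.0.0.2", "10.0.0.3"          # constructed addresses for the example
FILE_X = b"-- file x, Alice -> Bob --\n" + bytes(range(256))
FILE_Y = b"-- file y, Bob -> Alice --\n" * 3


def build_frame(src, sport, dst, dport, seq, payload, flags=0x018):
    """Minimal Ethernet/IPv4/TCP frame, used only to construct test input.
    Checksums are left zero; parse_frame does not verify them."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, 0,
                      (5 << 12) | flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))),
                     bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp


def parse_frame(frame):
    """Return (src, sport, dst, dport, seq, payload) for an IPv4/TCP frame,
    None for anything else (ARP, IPv6, UDP ...)."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6:                                   # protocol field: 6 = TCP
        return None
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    tcp = ip[ihl:total_len]
    sport, dport, seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    doff = (off_flags >> 12) * 4                     # TCP header length incl. options
    return src, sport, dst, dport, seq, tcp[doff:]


def reassemble(frames):
    """Order each direction's segments by sequence number, drop exact
    retransmissions, trim overlaps and record gaps.  Returns
    ({(src, sport, dst, dport): bytes}, [(flow, expected_seq, missing_len)]).
    Caveat: 32-bit sequence-number wrap-around is not handled."""
    segs = defaultdict(dict)                         # flow -> {seq: payload}
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None or not parsed[5]:          # skip non-TCP and empty ACKs
            continue
        src, sport, dst, dport, seq, payload = parsed
        flow = segs[(src, sport, dst, dport)]
        if seq not in flow or len(payload) > len(flow[seq]):
            flow[seq] = payload                      # keep longest segment per seq
    streams, gaps = {}, []
    for key, flow in segs.items():
        out, expected = bytearray(), None
        for seq in sorted(flow):
            data = flow[seq]
            if expected is None:
                expected = seq
            if seq < expected:                       # overlapping retransmit: trim
                data = data[expected - seq:]
                seq = expected
            elif seq > expected:                     # lost segment: note the hole
                gaps.append((key, expected, seq - expected))
            out += data
            expected = seq + len(data)
        streams[key] = bytes(out)
    return streams, gaps


def sample_capture(drop=None):
    """Constructed capture: x in 100-byte segments, out of order, with one
    retransmission; y in 20-byte segments, reversed; plus an ARP frame.
    drop=N removes x's N-th segment to simulate packet loss."""
    x_segs = [build_frame(ALICE, 40001, BOB, 9000, 1000 + off, FILE_X[off:off + 100])
              for off in range(0, len(FILE_X), 100)]
    y_segs = [build_frame(BOB, 9000, ALICE, 40001, 5000 + off, FILE_Y[off:off + 20])
              for off in range(0, len(FILE_Y), 20)]
    arp = b"\xff" * 6 + b"\x00" * 6 + b"\x08\x06" + b"\x00" * 28
    frames = [x_segs[2], *y_segs[::-1], x_segs[0], arp, x_segs[1], x_segs[0]]
    return [f for f in frames if drop is None or f != x_segs[drop]]


def recover_files(frames):
    """Pull the two transferred files out of a capture: returns (x, y, gaps)."""
    streams, gaps = reassemble(frames)
    return (streams.get((ALICE, 40001, BOB, 9000), b""),
            streams.get((BOB, 9000, ALICE, 40001), b""), gaps)


if __name__ == "__main__":
    x, y, gaps = recover_files(sample_capture())
    print(x == FILE_X, y == FILE_Y, gaps)
```

For a real capture you would read frames from a pcap written by tcpdump -w and feed them to reassemble(); the per-direction keying is what lets x and y come out as two separate streams. Note that this only works because the sockets program sends plaintext: the same reassembly on an ssh or scp session yields the encrypted SSH transport, which is exactly why the first half of the question cannot be answered with a sniffer alone.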

Dag-Erling Smørgrav

Apr 30, 2012, 5:21:20 AM
Harry <simon...@gmail.com> writes:
> Given,
> 1. that Alice is about to ssh to Bob;

let's say "Bob's machine", since SSH is not a person-to-person protocol.

> 2. that Mallory possesses Alice's private key; and
> 3. that Alice is on a Linux machine;
>
> how can Mallory sniff the traffic between Alice and Bob?

He can mount a man-in-the-middle attack and hope that Alice doesn't
check the fingerprint before accepting the server's host key and that,
if Bob's machine's host key is already listed in her known_hosts file,
she not only ignores her SSH client's warning about duplicate keys but
also removes the existing entry before trying again.

In other words, exactly what he would do if he didn't have Alice's
private key. Alice's private key is only used for authentication, not
for encryption, so he doesn't gain much from knowing it - except for the
ability to log in on Bob's machine as Alice, which may or may not enable
him to snoop on Alice, depending on whether (and how well) Bob's machine
is hardened and on what Alice uses SSH for.

> If necessary, we can also assume,
> 4. that Mallory also has root access to Alice's machine.

That's easy. He can replace the SSH client with one that logs
everything, or just snoop Alice's tty.

DES
--
Dag-Erling Smørgrav - d...@des.no
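The reply's whole defence rests on Alice actually checking the fingerprint and heeding the known_hosts warning. The script below is an added example (not DES's or OpenSSH's code) of what that check amounts to: it computes the same SHA256 fingerprint that ssh-keygen -lf prints, looks the host up in a known_hosts file (plain and HashKnownHosts-style hashed entries), and reports whether the key a server presents matches the pinned one. The host keys, host names and known_hosts contents are all constructed in-code and belong to no real host; Mallory's key stands in for what a man-in-the-middle would present.

```python
import base64
import hashlib
import hmac
import struct


def ssh_string(b):
    """SSH wire encoding of a byte string: 4-byte big-endian length + data."""
    return struct.pack("!I", len(b)) + b


def ed25519_blob(raw32):
    """Public-key blob for ssh-ed25519 (RFC 8709): string(type) + string(key)."""
    return ssh_string(b"ssh-ed25519") + ssh_string(raw32)


def fingerprint(blob):
    """Fingerprint in the format `ssh-keygen -lf` prints: SHA256 of the blob,
    base64 without padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_md5(blob):
    """Legacy colon-separated MD5 form shown by older OpenSSH clients."""
    return "MD5:" + ":".join("%02x" % b for b in hashlib.md5(blob).digest())


def hashed_host(host, salt):
    """known_hosts '|1|salt|hmac' form written when HashKnownHosts is on."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(mac).decode())


def host_matches(field, host):
    """Does the first known_hosts field name this host?  Handles the hashed
    form and comma-separated plain names; [host]:port and wildcard patterns
    are left out for brevity."""
    if field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = field.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(mac_b64))
    return host in field.split(",")


def check_host_key(known_hosts, host, keytype, blob):
    """'match': pinned key presented; 'unknown': first contact, so the
    fingerprint must be verified out of band; 'MISMATCH': a different key
    for a known host, i.e. the warning the reply says Alice must not ignore."""
    pinned = []
    for line in known_hosts.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0].startswith("@"):            # @cert-authority / @revoked markers
            parts = parts[1:]
        if len(parts) < 3:
            continue
        if host_matches(parts[0], host) and parts[1] == keytype:
            pinned.append(base64.b64decode(parts[2]))
    if not pinned:
        return "unknown"
    return "match" if any(hmac.compare_digest(p, blob) for p in pinned) else "MISMATCH"


# Constructed keys: neither is a real host key.
BOB_KEY = ed25519_blob(bytes(range(32)))        # what Bob's sshd really has
MALLORY_KEY = ed25519_blob(bytes(32))           # what a MITM would present
KNOWN_HOSTS = "\n".join([
    "# constructed known_hosts for the example",
    "10.0.0.3 ssh-ed25519 " + base64.b64encode(BOB_KEY).decode(),
    hashed_host("bob.example", b"\x01" * 20) + " ssh-ed25519 "
    + base64.b64encode(BOB_KEY).decode(),
])


if __name__ == "__main__":
    print("Bob's fingerprint:    ", fingerprint(BOB_KEY))
    print("Mallory's fingerprint:", fingerprint(MALLORY_KEY))
    for host, key in [("bob.example", BOB_KEY), ("10.0.0.3", MALLORY_KEY),
                      ("carol.example", BOB_KEY)]:
        print(host, check_host_key(KNOWN_HOSTS, host, "ssh-ed25519", key))
```

The point to take from it: Alice's own private key appears nowhere in this check. The MITM is caught (or not) purely by the server's host key versus what she has pinned, which is why possessing her private key does not help Mallory read the session.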

Harry

May 4, 2012, 6:31:01 AM
On Monday, April 30, 2012 2:51:20 PM UTC+5:30, Dag-Erling Smørgrav wrote:
> Harry <simon...@gmail.com> writes:
> > Given,
> > 1. that Alice is about to ssh to Bob;
>
> let's say "Bob's machine", since SSH is not a person-to-person protocol.

Fair enough.

> > 2. that Mallory possesses Alice's private key; and
> > 3. that Alice is on a Linux machine;
> >
> > how can Mallory sniff the traffic between Alice and Bob?
>
> He can mount a man-in-the-middle attack and hope that Alice doesn't
> check the fingerprint before accepting the server's host key and that,
> if Bob's machine's host key is already listed in her known_hosts file,
> she not only ignores her SSH client's warning about duplicate keys but
> also removes the existing entry before trying again.
>
> In other words, exactly what he would do if he didn't have Alice's
> private key. Alice's private key is only used for authentication, not
> for encryption, so he doesn't gain much from knowing it - except for the
> ability to log in on Bob's machine as Alice, which may or may not enable
> him to snoop on Alice, depending on whether (and how well) Bob's machine
> is hardened and on what Alice uses SSH for.
>
> > If necessary, we can also assume,
> > 4. that Mallory also has root access to Alice's machine.
>
> That's easy. He can replace the SSH client with one that logs
> everything, or just snoop Alice's tty.
>
> DES
> --
> Dag-Erling Smørgrav - d...@des.no

Using opensource tools, I'd like to carry out an actual (ethical) MITM attack between two hosts that I control. Where can I get more, hands-on type of info about this?

Although the subject of this post mentions 'ssh', I'd like the equivalent info for SSL as well.

I don't mind writing some brief code in C/Perl if necessary, but I'm hoping I will not have to understand all the gory details of SSH and SSL protocols.
