
Re: [cobalt-security] DANGER WILL ROBINSON!!! A tool for MIM/c*apfilt and poisoning listed on /.



If you are careful when using ssh you can avoid falling victim
to this monkey-in-the-middle attack. Simply issue that command
as follows:

ssh -l cronus -2 66.70.14.70

Rather than...

ssh -l cronus -2 www.whitedust.net

ARP poisoning can be made useless by using IP addresses over
hostnames whenever possible. If I am wrong, someone please
tell me.

... cronus ...
... mark ...
----- Original Message -----
From: Stuart Robinson <stuart@xxxxxxxxxxxxxxxxx>
To: <cobalt-security@xxxxxxxxxxxxxxx>
Sent: 10 August 2001 10:32
Subject: Re: [cobalt-security] DANGER WILL ROBINSON!!! A tool for MIM/c*apfilt and poisoning listed on /.


> Michael's combination of apparent knowledge and alarm-raising is quite intoxicating. However it appears that once
> again he is misrepresenting the situation. That said, it _can_ decrypt.
>
> Someone may have totally cracked ssh/ssl, but this does not do that. This is a classic arp poisoning man-in-the-middle
> attack but with a very nice UI. This is a weakness in ARP that has long been present and publicised and has always been
> a PITA. For this attack to work for encrypted sessions it has to be in place on the first connection when the key
> exchange takes place. That is why openssh tells you this:
>
> > The authenticity of host 'foo.com' can't be established.
> > Key fingerprint is 1024 11:d0:2b:44:e2:7e:e5:b6:44:eb:db:76:6c:d5:ea:3e.
> > Are you sure you want to continue connecting (yes/no)?
>
> that key could be a man-in-the-middle key, and if you accept it all subsequent connections can be sniffed.
>
> I don't believe that ssh2 tries to protect against this sort of attack. Tools almost certainly exist to sniff it as
> well.
>
> There is plenty of information online about this. I recommend you read up on it.
>
> Disclaimer: I have not studied the source so cannot say anything about it with certainty.
>
> Stu.
>
>
> On Thursday 09-Aug-2001 at 17:39, Curtis Ross <Curtis_Ross@xxxxxx> wrote:
> >
> > > ...and, yes, you read right...this sniffer will decrypt and stream SSL
> > > data from an https:// session full duplex in real time.  Don't let the
> > > 'OpenSSL' requirement lull you into complacency...RSA/etc. commercial
> > > implementations only add a few milliseconds to the stream lag.
> > >
> >
> > I read the sniff part, There's lots of tools for that. I don't see where
> > it says decrypt.
> >
> > Curtis
> >
> > _______________________________________________
> > cobalt-security mailing list
> > cobalt-security@xxxxxxxxxxxxxxx
> > http://list.cobalt.com/mailman/listinfo/cobalt-security
> >
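The whole thread is about ARP-cache poisoning, and the ARP cache is keyed by IP address (it maps an IP to a hardware address), so a poisoned entry shows up as the victim host's cache holding a changed or duplicated MAC. The following is an added example, not code from the thread or from any tool it mentions: a small Python check that parses two snapshots in the Linux /proc/net/arp format and flags (a) an IP whose hardware address changed since a baseline and (b) one MAC that now answers for several IPs, which is what a poisoned gateway entry looks like from the victim's side. The two snapshots, the addresses and the device name are constructed for the example; on a real host you would read /proc/net/arp (or parse `arp -an`, whose layout differs) at two points in time.

```python
"""Detect an ARP-cache poisoning attempt by diffing two /proc/net/arp
snapshots. Added example for the cobalt-security thread above; not code
from the thread or from the tool it discusses."""
from collections import defaultdict

# Constructed sample data (made-up addresses): what /proc/net/arp on a
# Linux host might show before and after an attacker sends forged replies.
# Columns: IP address, HW type, Flags, HW address, Mask, Device.
BASELINE = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         00:11:22:33:44:55     *        eth0
192.168.1.20     0x1         0x2         00:aa:bb:cc:dd:ee     *        eth0
192.168.1.77     0x1         0x2         00:de:ad:be:ef:01     *        eth0
"""

# Same host after poisoning: the gateway IP (192.168.1.1) now maps to the
# MAC that 192.168.1.77 (the attacker's box in this made-up scenario) owns.
POISONED = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         00:de:ad:be:ef:01     *        eth0
192.168.1.20     0x1         0x2         00:aa:bb:cc:dd:ee     *        eth0
192.168.1.77     0x1         0x2         00:de:ad:be:ef:01     *        eth0
"""


def parse_arp_table(text):
    """Return {ip: mac} for complete entries in /proc/net/arp format.

    Flags 0x2 (ATF_COM) marks a resolved entry; incomplete entries carry
    a placeholder MAC and are skipped.
    """
    entries = {}
    for line in text.splitlines()[1:]:          # first line is the header row
        fields = line.split()
        if len(fields) < 6:
            continue
        ip, _hwtype, flags, mac, _mask, _dev = fields[:6]
        if int(flags, 16) & 0x2 == 0:
            continue
        entries[ip] = mac.lower()
    return entries


def find_poisoning(baseline, current):
    """Compare two parsed tables and return a list of findings (tuples)."""
    findings = []
    # (a) an IP whose hardware address differs from the baseline
    for ip, mac in current.items():
        old = baseline.get(ip)
        if old is not None and old != mac:
            findings.append(("mac-changed", ip, old, mac))
    # (b) one MAC now claiming more than one IP in the current snapshot
    owners = defaultdict(list)
    for ip, mac in current.items():
        owners[mac].append(ip)
    for mac, ips in owners.items():
        if len(ips) > 1:
            findings.append(("mac-shared", mac, tuple(sorted(ips))))
    return findings


def check(baseline_text=BASELINE, current_text=POISONED):
    """Parse both snapshots and return the findings for the constructed case."""
    return find_poisoning(parse_arp_table(baseline_text),
                          parse_arp_table(current_text))


if __name__ == "__main__":
    for finding in check():
        print(*finding)
```

Run it on the constructed snapshots and it reports both signals: the gateway's MAC changed, and 00:de:ad:be:ef:01 now owns two IPs. Neither check involves a hostname; the comparison is entirely on the IP-to-MAC mapping, which is the layer the attack operates at. A shared MAC on its own is not proof (some routers legitimately answer for several addresses), so treat the baseline-change signal as the stronger one and confirm the gateway's real MAC out of band, the same way the SSH host-key fingerprint in the quoted prompt should be confirmed before answering "yes".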