Security Basics mailing list archives

Re: A Solution for sniffing


From: David <dcorking () yahoo fr>
Date: Fri, 20 Dec 2002 20:14:23 -0500


On Fri, 20 Dec 2002, Janssen, Steph wrote:

I'm afraid it only brings a small amount of safety. Also the Promiscuous part
is getting a bit different.

Nowadays most people who sniff, sniff using tools that poison your
arp-cache, in your switches. http://ettercap.sourceforge.net/ is a good


This makes the machine sniffing you the machine in the middle, and would it
detect an ssh-connection, it will "put you through" like a receptionist, that
way maintaining two sessions. One with you, and one with the server you

Quote from above web page :-

 SSH1 support : you can sniff User and Pass, and even the data of an
 SSH1 connection. ettercap is the first software capable to sniff an
 SSH connection in FULL-DUPLEX

According to mailing lists that specialize in ssh, this was due to a
bug in SSH protocol v 1, that is not present in SSH protocol v 2.

ettercap does not claim to sniff ssh v 2.

So until a bug is found in protocol v 2, you need to

* acquire an ssh tool that supports it (recent versions of sssh,
  OpenSSH and PuTTY support it)

* disable protocol v 1 in this tool (preferably in client and server.)

* if your tool warns you about an unknown host key, take it
  seriously.  Transmit and install trusted host keys by a secure
  channel, as the unknown host key may belong to the 'man in the
  middle' sniffer.

Although I use protocol v 2 for this reason, I am not a penetration
tester so have not proven its effectiveness myself.

I think that right now I am safe from ettercap kids any way.

David.
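
A small checker for the "disable protocol v 1" and "unknown host key" points in the message above, added here as an example (it is not part of David's message or of any SSH tool): it scans OpenSSH-style config text for a `Protocol` line that still permits version 1 and for a client `StrictHostKeyChecking` value other than `yes`. The sample configs are constructed, the function names are hypothetical, and it assumes the OpenSSH option names of that era and checks every line regardless of `Host` block.

```python
import re

# Constructed sample configs (not from the original post).
SAMPLE_SSHD = """\
# sshd_config (constructed)
Port 22
Protocol 2,1
"""
SAMPLE_SSH = """\
# ssh_config (constructed)
Host *
    Protocol 2
    StrictHostKeyChecking no
"""

def directives(text):
    """Yield (lineno, lowercase keyword, value) for each non-comment line."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # OpenSSH accepts "Key value" and "Key=value"; keywords are case-insensitive.
        parts = re.split(r"[ \t]*=[ \t]*|[ \t]+", line, maxsplit=1)
        if len(parts) == 2:
            yield n, parts[0].lower(), parts[1].strip().strip('"')

def audit(text, is_client):
    """Return a list of findings for one config file's text."""
    findings, saw_protocol, saw_strict = [], False, False
    for n, key, value in directives(text):
        if key == "protocol":
            saw_protocol = True
            if "1" in {v.strip() for v in value.split(",")}:
                findings.append(f"line {n}: Protocol '{value}' still allows SSH protocol 1")
        elif is_client and key == "stricthostkeychecking":
            saw_strict = True
            if value.lower() != "yes":
                findings.append(f"line {n}: StrictHostKeyChecking '{value}' can accept an unknown host key")
    if not saw_protocol:
        # Assumption: an unset Protocol falls back to a version-dependent default.
        findings.append("no Protocol line: version not pinned, check the tool's default")
    if is_client and not saw_strict:
        findings.append("no StrictHostKeyChecking line: unknown host keys are prompted, not refused")
    return findings

if __name__ == "__main__":
    for name, text, client in (("sshd", SAMPLE_SSHD, False), ("ssh", SAMPLE_SSH, True)):
        for finding in audit(text, client):
            print(f"{name}: {finding}")
```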

