Bugtraq mailing list archives
Re: sshmitm, webmitm
From: Samuele Giovanni Tonon <tonon () STUDENTS CS UNIBO IT>
Date: Wed, 20 Dec 2000 17:55:02 +0100
On Mon, Dec 18, 2000 at 10:18:02AM -0500, Dug Song wrote:
sshmitm and webmitm have been released as part of the new dsniff-2.3 package, available at: http://www.monkey.org/~dugsong/dsniff/ these tools perform simple active monkey-in-the-middle attacks against SSH and HTTPS, exploiting weak bindings in ad-hoc PKI.
i've used it (sshmitm) last night and it seems it works only under certain condition: - you connect to a machine querying a DNS instead of putting the ip in /etc/hosts - you have no ~/.ssh/known_host or you haven't the public key of the host you want to connect and you have StrictHostKeyChecking set to no (default) . - the forger must know you'll connect to it and must be on the path between you and the machine . without one of these condition it doesn't work, so problem can be easily avoided with some precaucions until a good public-key exchanging system is used Samuele -- Samuele Tonon <tonon () students cs unibo it> Undergraduate Student of Computer Science at University of Bologna, Italy Linux System administrator at Computer Science Research Labs of University of Bologna, Italy Founder & Member of A.A.H.T.
Current thread:
- sshmitm, webmitm Dug Song (Dec 18)
- Re: sshmitm, webmitm Samuele Giovanni Tonon (Dec 20)
- Re: sshmitm, webmitm Boris Lorenz (Dec 21)
- "The End of SSL and SSH?" Perry E. Metzger (Dec 20)
- Re: "The End of SSL and SSH?" Kurt Seifried (Dec 19)
- Re: "The End of SSL and SSH?" Perry E. Metzger (Dec 19)
- Re: "The End of SSL and SSH?" Stefan Monnier (Dec 20)
- Re: "The End of SSL and SSH?" Brett Glass (Dec 20)
- Re: "The End of SSL and SSH?" Crispin Cowan (Dec 20)
- Re: "The End of SSL and SSH?" Ajax (Dec 20)
- Re: "The End of SSL and SSH?" Eric Rescorla (Dec 21)
- Re: "The End of SSL and SSH?" Kurt Seifried (Dec 19)
- Re: "The End of SSL and SSH?" Damien Miller (Dec 21)
- Re: sshmitm, webmitm Samuele Giovanni Tonon (Dec 20)