Penetration Testing mailing list archives

Re: [PEN-TEST] Breaking SSH Listening Ports


From: Crist Clark <crist.clark () GLOBALSTAR COM>
Date: Thu, 14 Sep 2000 14:21:46 -0700

MARC A KURTZ wrote:

> (I hope this isn't off-topic)
>
> We are looking into ways to break a solution we have that uses SSH to forward local ports on a Windows box. It uses
> the option to only bind to 127.0.0.1
>
> My question is, is a hacker able to "break" into the computer and send data to that loopback address and get the
> response? Is the loopback completely non-physical?

I believe that's what the RFCs imply and how it is actually implemented... but
we are talking about M$ so who cares what the RFCs say.

> In other words if a hacker injected 127.0.0.1 packets into the ethernet card somehow, would the card ignore them, or
> pass them to the IP stack??

Ethernet cards talk Ethernet (obviously). They don't know about IP addresses.
If your card gets a valid frame with your MAC address on it, the card should
hand it up the stack. The encapsulated IP packet, with whatever address it may
have, is not examined by the card. Any sane IP stack should drop a 127 net
packet coming from a non-loopback interface. Again, with M$...

> Will the hacker be able to get the response if it gave one? We are also assuming there is no PcAnywhere or similar
> software installed to take control of the mouse, keyboard and screen.

It would be a _really_ major hole if you could get packets from the 127 net
to be accepted by the system when they come from any interface but the
loopback (although the attacker must control an interface on the same LAN).
I would think people would have tried this one... I never have actually
tried myself on a WinXX system.
--
Crist J. Clark                                Network Security Engineer
crist.clark () globalstar com                    Globalstar, L.P.
(408) 933-4387                                FAX: (408) 933-4926
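The two claims in the reply above, that a sane IP stack discards 127/8 traffic arriving on a non-loopback interface and that a listener bound only to 127.0.0.1 is unreachable through any other destination address, can be checked directly. The following is an added example written for this archive page; it is not code from Crist's message or from the original thread. It uses only the Python standard library. `is_martian()` is a hypothetical name for the RFC 1812 martian rule as it applies to 127.0.0.0/8, and `reachable_via()` binds a TCP listener the way the SSH forwarder does and probes it by destination address. The live probe assumes a host whose loopback interface carries the whole 127.0.0.0/8 (Linux does by default), so that 127.0.0.2 is a valid local destination distinct from 127.0.0.1.

```python
"""Added example (not from the original thread): two checks behind a
"bind only to 127.0.0.1" design.

1. is_martian(): the rule Crist describes. A packet with a 127/8 source
   or destination arriving on anything but the loopback interface is a
   martian (RFC 1812, section 5.3.7) and the stack should drop it.
2. reachable_via(): bind a listener to a chosen address on an ephemeral
   port and try to connect to it through several destination addresses.

Standard library only. The live probe assumes the loopback interface
carries all of 127.0.0.0/8 (Linux default), so 127.0.0.2 resolves locally.
"""
import ipaddress
import socket
from contextlib import closing

LOOPBACK_NET = ipaddress.ip_network("127.0.0.0/8")


def is_martian(src: str, dst: str, ingress_is_loopback: bool) -> bool:
    """Return True if a packet with these addresses should be discarded.

    127/8 is only legitimate on the loopback interface. Seen on a physical
    interface, such a packet must not be delivered to a socket bound to
    127.0.0.1, whatever the Ethernet card handed up.
    """
    if ingress_is_loopback:
        return False
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return s in LOOPBACK_NET or d in LOOPBACK_NET


def reachable_via(bind_addr: str, probe_addrs) -> dict:
    """Bind a TCP listener to bind_addr:0, then connect to the chosen port
    through each address in probe_addrs.

    Returns {addr: True if the handshake completed, False otherwise}.
    The kernel completes the handshake into the backlog, so no accept() is
    needed. A refused or failed connect means the bound socket is simply
    not listening on that destination address.
    """
    results = {}
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((bind_addr, 0))
        srv.listen(5)
        port = srv.getsockname()[1]
        for addr in probe_addrs:
            with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as cli:
                cli.settimeout(1.0)
                try:
                    cli.connect((addr, port))
                    results[addr] = True
                except OSError:  # ECONNREFUSED, EADDRNOTAVAIL, timeout
                    results[addr] = False
    return results


if __name__ == "__main__":
    # Constructed sample packets: 127/8 seen on a LAN interface vs. on lo.
    for src, dst, on_lo in [("127.0.0.1", "10.0.0.5", False),
                            ("192.0.2.9", "127.0.0.1", False),
                            ("192.0.2.9", "192.0.2.10", False),
                            ("127.0.0.1", "127.0.0.1", True)]:
        print(f"{src} -> {dst} via {'lo' if on_lo else 'eth'}: "
              f"{'DROP' if is_martian(src, dst, on_lo) else 'accept'}")

    probes = ["127.0.0.1", "127.0.0.2"]
    print("bound to 127.0.0.1:", reachable_via("127.0.0.1", probes))
    print("bound to 0.0.0.0:  ", reachable_via("0.0.0.0", probes))
```

On Linux the kernel enforces the martian rule for 127/8 on non-loopback interfaces unless `net.ipv4.conf.<if>.route_localnet` has been set to 1; setting `net.ipv4.conf.all.log_martians=1` makes the drops visible in the kernel log. The bind probe shows why the forwarder's 127.0.0.1 option matters even on a host that does filter martians: a 0.0.0.0 bind answers on every local address, a 127.0.0.1 bind answers on that one address only.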
