Re: ssh mitm at the router

[Terry Vernon <tvernon24 () comcast net>]

Quoted from my own lips:

gre_relay runs only in offensive mode which disables kernel routing 
which breaks the router.

Problem not solved.

Terry Vernon
CTO
Sprite Technologies

Andres Riancho wrote:

> Quoted from ettercap documentation:
>
> gre_relay
>    This plugin can be used to sniff GRE-redirected remote traffic. The
>    basic idea is to create a GRE tunnel that sends all the traffic on a
>    router interface to the ettercap machine. The plugin will send back
>    the GRE packets to the router, after ettercap "manipulation" (you
>    can use "active" plugins such as smb_down, ssh decryption, filters,
>    etc... on redirected traffic) It needs a "fake" host where the
>    traffic has to be redirected to (to avoid kernel's responses). The
>    "fake" IP will be the tunnel endpoint. Gre_relay plugin will
>    impersonate the "fake" host. To find an unused IP address for the
>    "fake" host you can use find_ip plugin.   Based on the original
>    Tunnelx technique by Anthony C. Zboralski published in
>    http://www.phrack.org/show.php?p=56&a=10 by HERT.
>
> When you create a GRE tunnel , you can redirect specific traffic. So, 
> your problem is solved.
>
> Terry Vernon wrote:
>
> > We have a client who wants to intercept ssh and ssl transmissions and 
> > sniff them going across their routers on their WAN. I've looked at 
> > ettercap, sshmitm, and ssharp and neither are suitable for this job. 
> > Is there anything out there that proxies these encrypted protocols 
> > and does a mitm without arp poisoning?
> >
> > Terry Vernon
> > CTO
> > Sprite Technologies