Penetration Testing mailing list archives

Re: sniffing X traffic.

From: Anders Thulin <Anders.X.Thulin () telia se>
Date: Mon, 13 Aug 2001 08:00:07 +0200

Power Steve wrote:

Anyone know if you can meaningfully sniff Exceed ( I guess it's the same as
X) traffic?  Im being a bit lame, my personal test lab is down atm, and I
cant find anything on the net re sniffing and interpreting X traffic.


  X sends painting commands from the client to the server (the screen),
and mouse and keyboard events the other way (mainly).

  If you can listen in on a keyboard event stream, you may certainly find
passwords in there.  I've seen at least one intrusion vulnerability
assessment program do just that (but which one was it?)  Indeed,
if you can sniff a full X stream (both ways), I suspect you can come
very close to 'replay' whats going on on the screen (like XWatchWin),
including 'non-echoing' key presses.

  I'm not up-to-date about X protection mechanisms, though: I don't
know if there is such a thing as encrypted X traffic. 

-- 
Anders Thulin     Anders.X.Thulin () telia se     040-661 50 63
Telia ProSoft AB, Carlsgatan 6, SE-201 20 Malmö, Sweden

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/

Current thread:

sniffing X traffic. Power Steve (Aug 12)
- Re: sniffing X traffic. Mike Craik (Aug 13)
- Re: sniffing X traffic. Anders Thulin (Aug 13)
- Re: sniffing X traffic. Don Bailey (Aug 15)
- <Possible follow-ups>
- RE: sniffing X traffic. Lodin, Steven {GZ-Q~Mannheim} (Aug 13)
- RE: sniffing X traffic. Joshua Wright (Aug 13)
  - Re: sniffing X traffic. BS (Aug 14)