Bugtraq mailing list archives

Re: sshmitm, webmitm


From: Samuele Giovanni Tonon <tonon () STUDENTS CS UNIBO IT>
Date: Wed, 20 Dec 2000 17:55:02 +0100

On Mon, Dec 18, 2000 at 10:18:02AM -0500, Dug Song wrote:
> sshmitm and webmitm have been released as part of the new dsniff-2.3
> package, available at:
>
>       http://www.monkey.org/~dugsong/dsniff/
>
> these tools perform simple active monkey-in-the-middle attacks against
> SSH and HTTPS, exploiting weak bindings in ad-hoc PKI.


I've used it (sshmitm) last night and it seems it works only under certain
conditions:
- you connect to a machine querying a DNS instead of putting the IP in
  /etc/hosts
- you have no ~/.ssh/known_hosts or you don't have the public key of the host you
  want to connect to and you have StrictHostKeyChecking set to no (default).
- the forger must know you'll connect to it and must be on the path between you
  and the machine.

Without one of these conditions it doesn't work, so the problem can be easily
avoided with some precautions until a good public-key exchanging system is used.

Samuele

--

Samuele Tonon <tonon () students cs unibo it>
Undergraduate Student of Computer Science at University of Bologna, Italy
Linux System administrator at Computer Science Research Labs of University
of Bologna, Italy

Founder & Member of A.A.H.T.
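The second condition above (no pinned key in known_hosts, StrictHostKeyChecking not set to yes) is the one a client administrator can check for locally. The script below is an added example and is not part of this post or of the dsniff package: it parses a known_hosts file (plain, comma-separated, `[host]:port`, wildcard and `|1|salt|hmac` hashed host tokens, the latter being HMAC-SHA1 keyed with the salt over the hostname) and an ssh_config (first obtained value wins, `Host` blocks selected by glob), and reports whether a given hostname would be protected by a pinned key and a strict setting. The sample known_hosts and ssh_config contents, the salt and the key strings are constructed placeholders, not real host keys. The DNS condition is outside what a file check can show.

```python
import base64
import fnmatch
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


def hashed_host_token(hostname: str, salt: bytes) -> str:
    """Build an OpenSSH hashed known_hosts host token:
    |1|base64(salt)|base64(HMAC-SHA1(key=salt, msg=hostname))."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(mac).decode())


def _strip_port(name: str) -> str:
    # "[host]:port" form used for non-default ports
    return name[1:name.index("]:")] if name.startswith("[") and "]:" in name else name


def host_matches_token(token: str, hostname: str) -> bool:
    """True if a known_hosts host token (plain, [host]:port, glob, negated or hashed) covers hostname."""
    if token.startswith("|1|"):
        _, _, salt_b64, mac_b64 = token.split("|", 3)
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(mac_b64)
        actual = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(actual, expected)
    names = token.split(",")
    negative = [_strip_port(n[1:]) for n in names if n.startswith("!")]
    positive = [_strip_port(n) for n in names if not n.startswith("!")]
    # A matching negated pattern excludes the whole line; * and ? wildcards are allowed.
    if any(fnmatch.fnmatchcase(hostname, n) for n in negative):
        return False
    return any(fnmatch.fnmatchcase(hostname, n) for n in positive)


def pinned_keys(known_hosts_text: str, hostname: str) -> List[Tuple[str, str]]:
    """Return (keytype, key) pairs pinned for hostname; @revoked entries do not count."""
    found = []
    for line in known_hosts_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        marker = None
        if fields[0].startswith("@"):          # @cert-authority or @revoked marker
            marker, fields = fields[0], fields[1:]
        if len(fields) < 3 or marker == "@revoked":
            continue
        token, keytype, key = fields[0], fields[1], fields[2]
        if host_matches_token(token, hostname):
            found.append((keytype, key))
    return found


def strict_host_key_checking(ssh_config_text: str, hostname: str) -> Optional[str]:
    """Effective StrictHostKeyChecking for hostname (first obtained value wins), None if unset."""
    value = None
    active = True                               # directives before any Host line apply to all
    for raw in ssh_config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()
        arg = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            pats = arg.split()
            neg = [p[1:] for p in pats if p.startswith("!")]
            pos = [p for p in pats if not p.startswith("!")]
            active = (any(fnmatch.fnmatchcase(hostname, p) for p in pos)
                      and not any(fnmatch.fnmatchcase(hostname, p) for p in neg))
        elif key == "stricthostkeychecking" and active and value is None:
            value = arg.lower()
    return value


@dataclass
class Exposure:
    hostname: str
    pinned: bool
    strict: Optional[str]
    findings: List[str] = field(default_factory=list)


def assess(hostname: str, known_hosts_text: str, ssh_config_text: str) -> Exposure:
    """Report which of the client-side conditions from the post hold for hostname."""
    keys = pinned_keys(known_hosts_text, hostname)
    strict = strict_host_key_checking(ssh_config_text, hostname)
    ex = Exposure(hostname, bool(keys), strict)
    if not keys:
        ex.findings.append("no pinned host key: the first connection trusts whatever key is offered")
    if strict in (None, "no", "off"):
        ex.findings.append("StrictHostKeyChecking is %s: an unknown key is accepted without a pinned match"
                           % (strict or "unset (client default)"))
    return ex


# Constructed sample files (placeholder keys, constructed 20-byte salt).
SALT = b"0123456789abcdef0123"
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample; keys are placeholders, not real host keys",
    "login.example.net,192.0.2.10 ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER",
    "[build.example.net]:2222 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5PLACEHOLDER",
    hashed_host_token("db.example.net", SALT) + " ssh-ed25519 AAAAC3NzaC1lZDI1NTE5HASHEDPLACEHOLDER",
])
SAMPLE_SSH_CONFIG = """
Host *.example.net
    StrictHostKeyChecking yes
Host *
    StrictHostKeyChecking no
"""

if __name__ == "__main__":
    for h in ("login.example.net", "db.example.net", "new.example.net", "host.example.org"):
        r = assess(h, SAMPLE_KNOWN_HOSTS, SAMPLE_SSH_CONFIG)
        print(h, "pinned=%s strict=%s" % (r.pinned, r.strict), r.findings)
```

Run it against real files by reading `~/.ssh/known_hosts` and `~/.ssh/config` into the two text arguments; a host that is pinned and resolves `StrictHostKeyChecking` to `yes` yields no findings, which is the state the post's advice aims at.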

