At 11:03 15/08/00 +0200, Johnston, Mark wrote:
>I would like to prove to someone that telnet is way bad, in comparison to
>ssh when it comes to security.
well, you won't be able to prove that telnet is bad!
I assume you are talking about the telnet protocol (not the telnet client).
The advantage of ssh is that the communication is encrypted, so ssh is better
if the following conditions are fulfilled:
- there is a need for encryption (remember: encryption comes at a price, so
when it is not necessary, it is bad!)
- the programs used are safe (so a buggy ssh client/server is a problem,
not a solution).
If the problem is about passwords being sniffed, then there are
authentication protocols that protect more or less against password sniffing.
That said, if you are in an environment that is not fully trustable, then
you'd better use ssh instead of telnet (the protocol, I mean).
>So what would I need to do to check for telnet/ftp passwords on an internal
>server ?
tcpdump -s1500 -lenx host remotehost | tcpshow -cooked -data
while connecting to remotehost. you'll see the passwords flying...
Disclaimer: if this information causes any damages, then the damage is
caused by the ignorance of the site security officers, not by the knowledge
of any malicious user.
>NB : I have root access to the box I'm going to try this on, so NO I'm not
>trying to hack someone else's PC.
Can you give a certificate that proves this!
For example, configure the box so that I can connect to
and become root on. just kidding...
regards,
mouss
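
What the capture above exposes, as an added example that is not part of the original message: a Python audit that strips RFC 854 option negotiation from telnet payloads and reports that a login crossed the wire in cleartext, with the password masked. The names `strip_telnet`, `audit_session` and `SAMPLE` are assumptions made here, and the session bytes are constructed.

```python
IAC, SB, SE = 255, 250, 240                 # RFC 854 command bytes
WILL, WONT, DO, DONT = 251, 252, 253, 254
def strip_telnet(data: bytes) -> bytes:
    """Drop IAC option negotiation, keeping only the user-visible bytes."""
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] != IAC:
            out.append(data[i])
            i += 1
        elif i + 1 >= len(data):
            break                           # truncated command at end of capture
        elif data[i + 1] == IAC:
            out.append(IAC)                 # escaped literal 0xFF
            i += 2
        elif data[i + 1] in (WILL, WONT, DO, DONT):
            i += 3                          # IAC <verb> <option>
        elif data[i + 1] == SB:
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        else:
            i += 2                          # other two-byte command (NOP, GA, ...)
    return bytes(out)

def audit_session(segments):
    """segments: (direction, payload); 'S' server to client, 'C' client to server."""
    expecting, typed, findings = None, bytearray(), []
    for direction, payload in segments:
        text = strip_telnet(payload)
        if direction == "S":
            shown = text.decode("ascii", "replace").lower().rstrip()
            for field in ("login", "password"):
                if shown.endswith(field + ":"):   # a prompt, not an echo or "Last login: ..."
                    expecting, typed = field, bytearray()
            continue
        for b in text:
            if expecting and b not in (13, 10, 0):  # CR LF / CR NUL end the typed line
                typed.append(b)
            elif expecting and typed:
                value = typed.decode("ascii", "replace")
                findings.append((expecting, "*" * len(value) if expecting == "password" else value))
                expecting, typed = None, bytearray()
    return findings

SAMPLE = [  # constructed session: character-at-a-time input with server echo
    ("S", bytes([IAC, DO, 24, IAC, WILL, 1])), ("C", bytes([IAC, WILL, 24, IAC, DO, 1])),
    ("S", b"\r\nlogin: "), ("C", b"m"), ("S", b"m"), ("C", b"j"), ("S", b"j"), ("C", b"\r\x00"),
    ("S", b"\r\nPassword: "), ("C", b"s3"), ("C", b"cret\r\x00"),
    ("S", b"\r\nLast login: (constructed)\r\n$ "),
]
```

Any non-empty result from `audit_session` means the login name and password were readable by anyone on the path; an ssh session carrying the same login would give the parser nothing to match.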