On Wed, Sep 26, 2001 at 12:41:52AM +0800, Federico Sevilla III wrote:
> Would anyone know of any major issues with SSH protocol 1?
>
Cousin, there are many major issues with SSHv1. The protocol is
broken as designed. The dsniff set of tools is able to implement MITM
attacks against SSHv1: http://www.monkey.org/~dugsong/dsniff/. Don't
support v1 unless you really, really need to (e.g. if the operating
system you're working on doesn't have v2 clients):
3.4. How do I sniff / hijack HTTPS / SSH connections?
Although HTTPS and SSH are encrypted, they both rely on weakly bound
public key certificates to identify servers and to establish security
contexts for symmetric encryption. As the vast majority of users fail
to comprehend the obtuse digital trust management PKI presents (e.g.
is an X.509v3 DN really meaningful to you?), a simple
monkey-in-the-middle attack works quite well in practice.
Client traffic to a target server may be intercepted using dnsspoof
and relayed to its intended destination using the sshmitm and webmitm
proxies (which also happen to grep passwords in transit). For example,
to sniff Hotmail webmail passwords, create a dnsspoof hosts file such
as:
1.2.3.4 *.passport.com
1.2.3.4 *.hotmail.com
where 1.2.3.4 is the IP address of your attacking machine. Local
clients attempting to connect to Hotmail will be sent to your machine
instead, where webmitm will present them with a self-signed
certificate (with the appropriate X.509v3 distinguished name), and
relay their sniffed traffic to the real Hotmail site.
sshmitm is perhaps most effective at conference terminal rooms or
webcafes as most travelling SSH users don't carry their server's key
fingerprint around with them (only presented by the OpenSSH client,
anyhow). Even sophisticated SSH users who insist on one-time passwords
(e.g. S/Key), RSA authentication, etc. are still at risk, as sshmitm
supports monitoring and hijacking of interactive sessions with its -I
flag.
--
Rafael R. Sevilla <[EMAIL PROTECTED]> +63(2) 8177746 ext. 8311
Programmer, InterdotNet Philippines +63(917) 4458925
http://dido.engr.internet.org.ph/ OpenPGP Key ID: 0x5CDA17D8
_
Philippine Linux Users Group. Web site and archives at http://plug.linux.org.ph
To leave: send "unsubscribe" in the body to [EMAIL PROTECTED]
To subscribe to the Linux Newbies' List: send "subscribe" in the body to
[EMAIL PROTECTED]
