Re: two questions about ssh tunneling
On Fri, 4 Dec 2009 14:13:11 -0800
Tyler MacDonald ty...@macdonald.name wrote:

...

> I believe when you use SOCKS, your browser stops doing DNS resolution and
> just hands the hostnames directly to the SOCKS server. So all they would be
> able to sniff is your encrypted SSH session, which they (hopefully) can't
> decrypt.

Are you sure that applications using SOCKS aren't doing their own DNS
resolution? The Tor FAQ suggests that they often do:

  Where SOCKS comes in. Your application uses the SOCKS protocol to connect
  to your local Tor client. There are 3 versions of SOCKS you are likely to
  run into: SOCKS 4 (which only uses IP addresses), SOCKS 5 (which usually
  uses IP addresses in practice), and SOCKS 4a (which uses hostnames).

  When your application uses SOCKS 4 or SOCKS 5 to give Tor an IP address,
  Tor guesses that it 'probably' got the IP address non-anonymously from a
  DNS server. That's why it gives you a warning message: you probably aren't
  as anonymous as you think.

https://wiki.torproject.org/noreply/TheOnionRouter/TorFAQ#SOCKSAndDNS

Celejar
--
foffl.sourceforge.net - Feeds OFFLine, an offline RSS/Atom aggregator
mailmin.sourceforge.net - remote access via secure (OpenPGP) email
ssuds.sourceforge.net - A Simple Sudoku Solver and Generator

--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
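The distinction the Tor FAQ draws in the message above, as an added example that is not part of the original thread: a Python function that reads a SOCKS request the way a proxy such as the `ssh -D` listener receives it and reports whether the client sent a hostname or an already-resolved IP address. The function names, result keys and sample requests are constructed for illustration.

```python
import ipaddress
import struct

def _result(version, target, port, resolver):
    # "client": an IP was sent, so any DNS lookup happened locally, outside
    # the tunnel; "proxy": the hostname itself travelled through the tunnel
    return {"version": version, "target": target, "port": port,
            "resolved_by": resolver}

def classify_socks_request(req: bytes) -> dict:
    """Classify a SOCKS CONNECT request (for SOCKS5: the one sent after
    method negotiation) by who resolves the destination name."""
    if len(req) < 5:
        raise ValueError("truncated request")
    if req[0] == 4:
        # SOCKS4/4a: VN CD DSTPORT(2) DSTIP(4) USERID NUL [HOSTNAME NUL]
        if len(req) < 9:
            raise ValueError("truncated SOCKS4 request")
        (port,) = struct.unpack("!H", req[2:4])
        ip, fields = req[4:8], req[8:].split(b"\x00")
        # SOCKS4a signals "hostname follows" with DSTIP 0.0.0.x, x != 0
        if ip[:3] == b"\x00\x00\x00" and ip[3] != 0:
            if len(fields) < 3 or not fields[1]:
                raise ValueError("SOCKS4a request without hostname")
            return _result("4a", fields[1].decode("ascii"), port, "proxy")
        return _result("4", str(ipaddress.IPv4Address(ip)), port, "client")
    if req[0] == 5:
        # SOCKS5: VER CMD RSV ATYP DST.ADDR DST.PORT(2)
        atyp, body = req[3], req[4:]
        if atyp in (0x01, 0x04):            # IPv4 or IPv6 literal
            size, who = (4 if atyp == 0x01 else 16), "client"
            if len(body) < size + 2:
                raise ValueError("truncated SOCKS5 request")
            target = str(ipaddress.ip_address(body[:size]))
        elif atyp == 0x03:                  # length-prefixed domain name
            size, who = body[0] + 1, "proxy"
            if len(body) < size + 2:
                raise ValueError("truncated SOCKS5 request")
            target = body[1:size].decode("ascii")
        else:
            raise ValueError("unknown SOCKS5 address type")
        (port,) = struct.unpack("!H", body[size:size + 2])
        return _result("5", target, port, who)
    raise ValueError("not a SOCKS4/5 request")

# Constructed sample requests (192.0.2.10 is a documentation address)
SAMPLES = {
    "socks4": b"\x04\x01\x00\x50" + bytes([192, 0, 2, 10]) + b"user\x00",
    "socks4a": b"\x04\x01\x00\x50\x00\x00\x00\x01user\x00example.org\x00",
    "socks5_ip": b"\x05\x01\x00\x01" + bytes([192, 0, 2, 10]) + b"\x01\xbb",
    "socks5_name": b"\x05\x01\x00\x03\x0bexample.org\x01\xbb",
}
```

A `resolved_by` value of `client` means the hostname lookup, if there was one, was made before the request entered the tunnel; in Firefox the `network.proxy.socks_remote_dns` preference decides which form is sent.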
Re: two questions about ssh tunneling
On Fri, 4 Dec 2009 14:13:11 -0800
Tyler MacDonald ty...@macdonald.name wrote:

> Tudod Ki tudodk...@yahoo.com wrote:

...

> > - Can anyone sniff the traffic of computer B? e.g.: B computer is at a
> >   server farm [others in the farm can see the traffic?] - I think yes,
> >   but I'm not sure :O
>
> Yes, that's possible. However, in most colocated environments, you are on
> a switch, not a hub -- so in that case, the attacker would have to be
> sniffing directly from a router to see your traffic. If you want to know
> for sure, ask your ISP.

But IIUC, even where switches are used, MITM attacks to sniff traffic are
still possible for other hosts on the LAN, either through ARP poisoning, or
through port stealing if the switch isn't implementing port security:

http://ettercap.sourceforge.net/forum/viewtopic.php?t=2392
http://ettercap.sourceforge.net/forum/viewtopic.php?t=2329

Celejar
Re: two questions about ssh tunneling
Tudod Ki tudodk...@yahoo.com wrote:

> if I:
>
> ssh -fND localhost:6000 someb...@192.168.56.5 -p PORTNUMBER
>
> from computer A to computer B [B = 192.168.56.5] then I can set the SOCKS
> proxy for e.g.: Firefox to use localhost:6000 on computer A. Ok. I can
> surf the web through B.
>
> But:
>
> - Can anyone sniff the traffic of A? [e.g.: computers on same subnet as
>   A] Like DNS requests? - I think no, but I'm not sure :O

I believe when you use SOCKS, your browser stops doing DNS resolution and
just hands the hostnames directly to the SOCKS server. So all they would be
able to sniff is your encrypted SSH session, which they (hopefully) can't
decrypt.

> - Can anyone sniff the traffic of computer B? e.g.: B computer is at a
>   server farm [others in the farm can see the traffic?] - I think yes,
>   but I'm not sure :O

Yes, that's possible. However, in most colocated environments, you are on a
switch, not a hub -- so in that case, the attacker would have to be sniffing
directly from a router to see your traffic. If you want to know for sure,
ask your ISP.

- Tyler
Re: two questions about ssh tunneling
but what's with cam attack?

http://en.wikipedia.org/wiki/CAM_Table#Attacks

they could attack a switch, and it will act as a hub? and then they can set
promiscuous mode on their cards and sniff

--- On Fri, 12/4/09, Tyler MacDonald ty...@macdonald.name wrote:

> From: Tyler MacDonald ty...@macdonald.name
> Subject: Re: two questions about ssh tunneling
> To: Tudod Ki tudodk...@yahoo.com
> Cc: Debian User debian-user@lists.debian.org
> Date: Friday, December 4, 2009, 10:13 PM
>
> Tudod Ki tudodk...@yahoo.com wrote:
>
> > if I:
> >
> > ssh -fND localhost:6000 someb...@192.168.56.5 -p PORTNUMBER
> >
> > from computer A to computer B [B = 192.168.56.5] then I can set the
> > SOCKS proxy for e.g.: Firefox to use localhost:6000 on computer A. Ok.
> > I can surf the web through B.
> >
> > But:
> >
> > - Can anyone sniff the traffic of A? [e.g.: computers on same subnet as
> >   A] Like DNS requests? - I think no, but I'm not sure :O
>
> I believe when you use SOCKS, your browser stops doing DNS resolution and
> just hands the hostnames directly to the SOCKS server. So all they would
> be able to sniff is your encrypted SSH session, which they (hopefully)
> can't decrypt.
>
> > - Can anyone sniff the traffic of computer B? e.g.: B computer is at a
> >   server farm [others in the farm can see the traffic?] - I think yes,
> >   but I'm not sure :O
>
> Yes, that's possible. However, in most colocated environments, you are on
> a switch, not a hub -- so in that case, the attacker would have to be
> sniffing directly from a router to see your traffic. If you want to know
> for sure, ask your ISP.
>
> - Tyler
Re: two questions about ssh tunneling
Tudod Ki tudodk...@yahoo.com wrote:

> but what's with cam attack?
>
> http://en.wikipedia.org/wiki/CAM_Table#Attacks
>
> they could attack a switch, and it will act as a hub? and then they can
> set promiscuous mode on their cards and sniff

Hmm. I didn't know about that one! I suppose it's possible. Of course, if
you were in promiscuous mode as well, you'd probably start getting other
systems' packets and would immediately know that an attack was underway.
Unless the attack was on a router a few hops upstream from you. I guess the
only way to know for sure is to know your ISP's network topology...

- Tyler