Re: hijacked SSH sessions

2006-10-17 Thread Taka Khumbartha
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Mike Perry @ 2006/10/16 13:25:
> Thus spake Taka Khumbartha ([EMAIL PROTECTED]):
>
>> today i have had several attempted man in the middle attacks on my
>> SSH sessions.  i am not sure which exit node(s) i was using, but the
>> MD5 hash of the fingerprint of the spoofed host key is:
>>
>> 4d:64:6f:bc:bf:4a:fa:bd:ce:00:b0:8e:c9:40:60:57
>>
>> and it does not matter which host i connect to, the MD5 hash
>> presented is always the same.
>
> Interesting. Could be another upstream chinese ISP, or DNS poisoning
> again. Were you using SOCKS4A/SOCKS5 or did you connect direct to an
> IP?
 

i was using socks4 protocol within my ssh application, but directly passed an 
IP address to Tor.


-BEGIN PGP SIGNATURE-

iQA/AwUBRTRyvV4XwiTbvfKgEQLO1QCgmjBBNebKhMe96kDj/BaBNtfOl1AAmwVk
krvrq8+CqIiQ7xW2n+snGjIL
=0YVv
-END PGP SIGNATURE-


strictentrynodes

2006-10-17 Thread Marcel
Hi

I've installed the new vidalia 0.8 and i've noticed that tor for windows
versions 1.1.23, 1.1.24, 1.2.2a is completely ignoring my nodes directives.

To reproduce:

Load tor with my config.
Load vidalia.
Entrynodes and Exitnodes not working.

My config:

ClientOnly 1
ControlPort 9051
Log notice stdout
LongLivedPorts 21,22,706,1863,5050,5100,5190,5222,5223,6667,6668,6669,8300,
MaxCircuitDirtiness 300
SocksListenAddress 127.0.0.1
StrictEntryNodes 1
StrictExitNodes 1
UseEntryGuards 0
ExcludeNodes 1, backspace, inap1, minastorgul, minidragon, torxunixguxru, 
DesktopLinux, freedomfromtyranny, n37gu3r1lla, OverTheEdge, yargh
EntryNodes 16yhkp3lp2xp2fn, 80l, 906ac30360758, agator, ak, anonymous, 
anonymrus, apiratelife4you, arkady, baabeli, banana, beabearbeagrizzly, 
bismark, blackbeard, blindonion, bluemana, borism, bors, botswananpula, bruce, 
bsmntbombdood, bsstor, bubereldotorg, burken332tfijr, caethaver2, capacitor, 
carini, carlz, casa, casablanicinferno, castellan, chaos1, cipheralgo, 
clanspum, clarity, croeso, cuckoo, dao, darthik, dcoaksfb, dirichletcaltech, 
div, dtorserver, earfeast, earthbound, ericspeaks, erkdogstrongbad, err, 
eunoia, evow4000, ewa, experience, familyxc9sh3wo, fartknocker, fenrir, foo, 
frangossauro, freetux4ever, fusarium, fussypaulie, galtscat, gcq69rtorx1, 
gnunet, godzilla, gtisc, gusgate, hackshaven, havarti, hostgods, httpdnet, 
hztorrrid2, icantthink2002, ice, illithid2, imhotep, infogtor, 
ithinkthisisunique, jeps, jerry23ab0e82e, jesusnet, jgaator, jizbomb, jpunix, 
katnap, kkekk, kondratiev, kumbaya, lab, lincolnone, linuxonthebrain, 
lionstooth, livingcorpse, lollerskates, longgonesbox, lox, lumpia, maewdsa, 
masharabinovich, mbop2, megamike2003, mrrelo, mtech, mtrojnar, multicstor, 
nachocheese, nadia, nano, nao, ncdutorone, nemeinfigw, nerv, nicodemus, 
noguidotnet, nonickneeded, nowhereman, nsa, nucpc137, obsidianshutnet, 
oehahwohme, olram23, oululife, pacobell, peach1, penpen,  phobos, pizon, pmw, 
pup, qnix, qwe, reagan, redemptor, reinghar, ribald, rm191403591f74, rodos, 
roflcopter, rumsfaild, sacredkowz, sakurai, salottisipuli, samquirk, samsatori, 
sarang2099381e, scorpion, selfevident, serenity, serifos, shalmirane, shammnet, 
shebitch, sillyrabbit, sipbtor, slancaster, slkfwen234kl, snakeoilanonymity, 
sokarpersious, sonylapguy, soundstone, soylentgreen, stbmac, sunrock, 
tanguymacbooklocal, tarkan, tedmarlon, thing, tinybox, tomodachi, 
torexperiment, tormaster, torxmission, treeltor, trogdorxx, ulanbator3, vader, 
vapaus2007, vvl0wqxk2g5, wanged, wert, whistlersmother, whoknowspenn, 
whowantstoknow, xps, yang24a11658b4, ytquacker, zavierassistant, zog
ExitNodes 16yhkp3lp2xp2fn, 80l, 906ac30360758, agator, ak, anonymous, 
anonymrus, apiratelife4you, arkady, baabeli, banana, beabearbeagrizzly, 
bismark, blackbeard, blindonion, bluemana, borism, bors, botswananpula, bruce, 
bsmntbombdood, bsstor, bubereldotorg, burken332tfijr, caethaver2, capacitor, 
carini, carlz, casa, casablanicinferno, castellan, chaos1, cipheralgo, 
clanspum, clarity, croeso, cuckoo, dao, darthik, dcoaksfb, dirichletcaltech, 
div, dtorserver, earfeast, earthbound, ericspeaks, erkdogstrongbad, err, 
eunoia, evow4000, ewa, experience, familyxc9sh3wo, fartknocker, fenrir, foo, 
frangossauro, freetux4ever, fusarium, fussypaulie, galtscat, gcq69rtorx1, 
gnunet, godzilla, gtisc, gusgate, hackshaven, havarti, hostgods, httpdnet, 
hztorrrid2, icantthink2002, ice, illithid2, imhotep, infogtor, 
ithinkthisisunique, jeps, jerry23ab0e82e, jesusnet, jgaator, jizbomb, jpunix, 
katnap, kkekk, kondratiev, kumbaya, lab, lincolnone, linuxonthebrain, 
lionstooth, livingcorpse, lollerskates, longgonesbox, lox, lumpia, maewdsa, 
masharabinovich, mbop2, megamike2003, mrrelo, mtech, mtrojnar, multicstor, 
nachocheese, nadia, nano, nao, ncdutorone, nemeinfigw, nerv, nicodemus, 
noguidotnet, nonickneeded, nowhereman, nsa, nucpc137, obsidianshutnet, 
oehahwohme, olram23, oululife, pacobell, peach1, penpen,  phobos, pizon, pmw, 
pup, qnix, qwe, reagan, redemptor, reinghar, ribald, rm191403591f74, rodos, 
roflcopter, rumsfaild, sacredkowz, sakurai, salottisipuli, samquirk, samsatori, 
sarang2099381e, scorpion, selfevident, serenity, serifos, shalmirane, shammnet, 
shebitch, sillyrabbit, sipbtor, slancaster, slkfwen234kl, snakeoilanonymity, 
sokarpersious, sonylapguy, soundstone, soylentgreen, stbmac, sunrock, 
tanguymacbooklocal, tarkan, tedmarlon, thing, tinybox, tomodachi, 
torexperiment, tormaster, torxmission, treeltor, trogdorxx, ulanbator3, vader, 
vapaus2007, vvl0wqxk2g5, wanged, wert, whistlersmother, whoknowspenn, 
whowantstoknow, xps, yang24a11658b4, ytquacker, zavierassistant, zog


Re: hijacked SSH sessions

2006-10-17 Thread Mike Perry
Thus spake Taka Khumbartha ([EMAIL PROTECTED]):

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> Mike Perry @ 2006/10/16 13:25:
>> Thus spake Taka Khumbartha ([EMAIL PROTECTED]):
>>
>>> today i have had several attempted man in the middle attacks on
>>> my SSH sessions.  i am not sure which exit node(s) i was using,
>>> but the MD5 hash of the fingerprint of the spoofed host key is:
>>>
>>> 4d:64:6f:bc:bf:4a:fa:bd:ce:00:b0:8e:c9:40:60:57
>>>
>>> and it does not matter which host i connect to, the MD5 hash
>>> presented is always the same.
>>
>> Interesting. Could be another upstream chinese ISP, or DNS
>> poisoning again. Were you using SOCKS4A/SOCKS5 or did you connect
>> direct to an IP?
>
> i was using socks4 protocol within my ssh application, but directly
> passed an IP address to Tor.

Hrm. Guess it wasn't random DNS redirect then.

Well either they must have been scared off, or I'm blind. Cause
I'm not seeing this now. Been through almost every exit node in the
directory a few times now..

Probably actually malicious though, since I don't think China would be
intimidated by some posts on the Tor list ;)

Please post if you notice it again.

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs
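The symptom Taka describes (every destination presents the same host key) is exactly what a client-side check can catch before a password or agent-forwarded key is handed to a hostile exit. The following is an added example, not code from the thread or from Tor: it computes the colon-separated MD5 fingerprint OpenSSH prints for a key, compares a presented key against a known_hosts file, and flags any fingerprint seen from more than one distinct host. The key blobs, host names and known_hosts content are constructed for the example; the blobs are well-formed ssh-rsa wire encodings but not real keys.

```python
"""
Added example (not from the original thread): MD5 host-key fingerprints and
a check for one key being presented by many unrelated hosts.
All sample keys, hosts and the known_hosts text are constructed here.
"""
import base64
import hashlib
import struct
from collections import defaultdict


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """SSH mpint: big-endian magnitude, extra leading 0x00 if the high bit is set."""
    if value == 0:
        return _ssh_string(b"")
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def make_rsa_blob(e: int, n: int) -> str:
    """Base64 blob of an ssh-rsa public key built from (e, n).
    Constructed for the example; n is not a real RSA modulus."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return base64.b64encode(blob).decode("ascii")


def md5_fingerprint(b64_blob: str) -> str:
    """Colon-separated MD5 of the decoded key blob, the form OpenSSH showed in
    2006 (today: ssh-keygen -l -E md5 -f <keyfile>)."""
    digest = hashlib.md5(base64.b64decode(b64_blob)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def parse_known_hosts(text: str):
    """Yield (host, keytype, fingerprint) for each plain (non-hashed) line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        yield parts[0], parts[1], md5_fingerprint(parts[2])


def check_against_known_hosts(known_hosts_text: str, host: str, presented_blob: str) -> str:
    """'match', 'CHANGED' or 'unknown' for the key a server just presented."""
    presented = md5_fingerprint(presented_blob)
    known = {fp for h, _t, fp in parse_known_hosts(known_hosts_text) if h == host}
    if not known:
        return "unknown"
    return "match" if presented in known else "CHANGED"


def shared_fingerprints(observations):
    """Group (host, keytype, fingerprint) observations by fingerprint and keep
    only fingerprints presented by two or more distinct hosts: the pattern of a
    single interception key in the path rather than a legitimately rotated key."""
    by_fp = defaultdict(set)
    for host, _keytype, fp in observations:
        by_fp[fp].add(host)
    return {fp: hosts for fp, hosts in by_fp.items() if len(hosts) > 1}


# Constructed sample: the honest server key, and the one key an interposing
# exit would present for every destination.
HONEST_BLOB = make_rsa_blob(65537, 0xC0FFEE0123456789ABCDEF)
MITM_BLOB = make_rsa_blob(65537, 0xBADC0DE0987654321FEDCBA)

KNOWN_HOSTS = f"""
# constructed known_hosts
shell.example.org ssh-rsa {HONEST_BLOB}
"""

# What the client saw during the session: the same key from every host.
SESSION_OBSERVATIONS = [
    ("shell.example.org", "ssh-rsa", md5_fingerprint(MITM_BLOB)),
    ("git.example.net", "ssh-rsa", md5_fingerprint(MITM_BLOB)),
    ("10.0.0.5", "ssh-rsa", md5_fingerprint(MITM_BLOB)),
]

if __name__ == "__main__":
    print("shell.example.org:", check_against_known_hosts(KNOWN_HOSTS, "shell.example.org", MITM_BLOB))
    for fp, hosts in shared_fingerprints(SESSION_OBSERVATIONS).items():
        print(f"{fp} presented by {len(hosts)} hosts: {sorted(hosts)}")
```

A "CHANGED" result for a host you have connected to before is the case OpenSSH itself refuses with StrictHostKeyChecking=yes; the shared-fingerprint check adds the signal Taka used, that an attacker with one key will show it for every target, which no legitimate key rotation produces.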


Re: hijacked SSH sessions

2006-10-17 Thread Michael Holstein
There have been various TOR exit nodes that have been behaving badly 
lately (check the tor-talk list) .. some are doing frames, popups, etc 
.. there is a list of bad nodenames somewhere on that list (can't find 
it at hand..)


Personally, I wouldn't use any exit node in China .. use the 
ExcludeNodes part of your torrc.


~Mike.

Taka Khumbartha wrote:

> today i have had several attempted man in the middle attacks on my SSH
> sessions.  i am not sure which exit node(s) i was using, but the MD5 hash of the
> fingerprint of the spoofed host key is:
>
> 4d:64:6f:bc:bf:4a:fa:bd:ce:00:b0:8e:c9:40:60:57
>
> and it does not matter which host i connect to, the MD5 hash presented is
> always the same.
>
> just a heads up
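Excluding a bad exit, as suggested above, needs its identity first, and Taka's original report could not say which exit carried the sessions. Tor's control port answers that: GETINFO circuit-status returns one line per circuit ("<id> <status> $<fingerprint>~<nick>,... KEY=VALUE ..."), and GETINFO stream-status returns one line per stream ("<id> <status> <circuit id> <host:port>"); joining the two gives the last hop, the exit, for each destination. The following is an added example, not code from the thread or from Tor: it parses both outputs and reports the exit per stream target. The sample control-port output, fingerprints and nicknames are constructed; the live query assumes ControlPort 9051 on localhost with no authentication or a password (not a cookie), which is an assumption.

```python
"""
Added example (not from the original thread): map each Tor stream to the exit
relay that carried it, from GETINFO circuit-status and GETINFO stream-status.
The sample output below is constructed; the live path assumes ControlPort 9051.
"""
import socket
from typing import Dict, List, Optional, Tuple

Hop = Tuple[str, Optional[str]]  # (fingerprint, nickname or None)


def parse_path(path: str) -> List[Hop]:
    """Parse '$FP~nick,$FP=nick,$FP' into [(fingerprint, nick_or_None), ...]."""
    hops = []
    for hop in path.split(","):
        hop = hop.lstrip("$")
        for sep in ("~", "="):
            if sep in hop:
                fp, nick = hop.split(sep, 1)
                break
        else:
            fp, nick = hop, None
        hops.append((fp.upper(), nick))
    return hops


def parse_circuit_status(text: str) -> Dict[str, dict]:
    """Map circuit id -> {'status', 'path', 'purpose'} from circuit-status lines."""
    circuits = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or not parts[0].isdigit():
            continue
        path: List[Hop] = []
        extras = {}
        for field in parts[2:]:
            if field.startswith("$"):
                path = parse_path(field)
            elif "=" in field:
                k, v = field.split("=", 1)
                extras[k] = v
        circuits[parts[0]] = {"status": parts[1], "path": path, "purpose": extras.get("PURPOSE")}
    return circuits


def parse_stream_status(text: str) -> List[Tuple[str, str, str, str]]:
    """Return (stream id, status, circuit id, target) tuples from stream-status lines."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0].isdigit():
            out.append((parts[0], parts[1], parts[2], parts[3]))
    return out


def exits_for_streams(circuit_text: str, stream_text: str) -> Dict[str, Optional[Hop]]:
    """Target -> last hop of its circuit; None when the circuit is unknown or not
    BUILT (a stream on circuit 0 has not been attached to any circuit yet)."""
    circuits = parse_circuit_status(circuit_text)
    result: Dict[str, Optional[Hop]] = {}
    for _sid, _status, circ_id, target in parse_stream_status(stream_text):
        circ = circuits.get(circ_id)
        result[target] = circ["path"][-1] if circ and circ["status"] == "BUILT" and circ["path"] else None
    return result


def _read_reply(sock: socket.socket) -> str:
    """Read until a final '250 ' line (or a 5xx error) ends the reply."""
    buf = b""
    while not any(l.startswith((b"250 ", b"5")) for l in buf.split(b"\r\n")):
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf.decode(errors="replace")


def _body(reply: str) -> str:
    """Drop protocol lines (250..., '.') and keep the data lines of a GETINFO reply."""
    return "\n".join(l for l in reply.splitlines() if l and l != "." and not l.startswith("250"))


def query_live(host: str = "127.0.0.1", port: int = 9051, password: str = "") -> Dict[str, Optional[Hop]]:
    """Ask a running tor (ControlPort 9051 assumed; no auth or password auth). Not run offline."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(f'AUTHENTICATE "{password}"\r\n'.encode())
        if not _read_reply(s).startswith("250"):
            raise RuntimeError("control port authentication failed")
        s.sendall(b"GETINFO circuit-status\r\n")
        circ = _body(_read_reply(s))
        s.sendall(b"GETINFO stream-status\r\n")
        streams = _body(_read_reply(s))
        return exits_for_streams(circ, streams)


# Constructed sample output (invented fingerprints and nicknames).
FP_GUARD, FP_MID, FP_EXIT = "A" * 40, "B" * 40, "C" * 40
CIRCUIT_STATUS = (
    f"12 BUILT ${FP_GUARD}~guardnick,${FP_MID}~middlenick,${FP_EXIT}~exitnick BUILD_FLAGS=NEED_CAPACITY PURPOSE=GENERAL\n"
    f"13 EXTENDED ${FP_GUARD}~guardnick PURPOSE=GENERAL\n"
)
STREAM_STATUS = "7 SUCCEEDED 12 203.0.113.10:22\n8 NEW 0 198.51.100.20:22\n"

if __name__ == "__main__":
    for target, exit_hop in exits_for_streams(CIRCUIT_STATUS, STREAM_STATUS).items():
        print(target, "->", exit_hop)
```

Run it against the live control port (query_live) right after a host-key warning, while the circuit is still open, and record the exit's fingerprint rather than its nickname: nicknames are not unique, but ExcludeNodes accepts `$fingerprint` entries as well as nicknames, so the fingerprint is what to put in torrc and what to report to the list.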



Practical onion hacking: finding the real address of Tor clients

2006-10-17 Thread Jacob Appelbaum
Hi *,

Fortconsult wrote this and it may be of some interest to people on this
list:
http://www.packetstormsecurity.org/0610-advisories/Practical_Onion_Hacking.pdf

And then of course there is this:
http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#TotallyAnonymous

Regards,
Jacob