Re: Some kind of dictionary type attack?

On 07 Jan 2008 10:27:33 +0000 (GMT), Simon Tatham wrote:

> (And I know routers _can_ be subverted; the router next to a machine
> I use was once cracked and had an SSH MITM installed on it. I was
> quite surprised; I had no idea anyone was _actually_ doing MITM
> attacks on SSH. I'd assumed it was just a theoretical threat that
> _would_ have been tried if the designers hadn't built in protection.
> Of course I was immediately clued in by the changed host keys, not
> to mentioned the forcible SSH-2->SSH-1 protocol downgrade and the
> several-second delays on all TCP packets. We think the latter was
> because the router wasn't doing the hard work itself, but was
> forwarding all the network traffic to some other beefier machine for
> rewriting.)

No disagreement with any of the above. Why were you surprised with MITM on
SSH?

Re: Some kind of dictionary type attack?

Ari wrote:
> Why were you surprised with MITM on SSH?

Well, because it seemed like such a silly thing to be trying, given
that SSH specifically includes a defence against it!

With hindsight, yes, of course there's a decent chance that some
people will thoughtlessly answer `yes' to the changed host key
warning and then type their passwords through the resulting
connection. If it were me, though, I don't think that possibility
would justify going to the considerable effort of writing the
implementation.

What I really hadn't anticipated was that someone would write a
prepackaged SSH MITM implementation as proof of concept and without
malicious intent, meaning that suddenly it's actually very _little_
effort for a cracker to install an opportunistic MITM, so they might
as well try it and there's not much lost if it doesn't catch anyone.
(Which appears to be what happened: the MITMed connections in my
case returned a version string saying "SSH-1.51", and as far as I
can tell that's a protocol version number only used by Ettercap.)
--
Simon Tatham "I'm going to pull his head off. Ear by ear."
- a games teacher

Re: Some kind of dictionary type attack?

In article , Simon Tatham writes:
>Ari wrote:
>> Why were you surprised with MITM on SSH?
>
>Well, because it seemed like such a silly thing to be trying, given
>that SSH specifically includes a defence against it!
>
>With hindsight, yes, of course there's a decent chance that some
>people will thoughtlessly answer `yes' to the changed host key
>warning and then type their passwords through the resulting
>connection. If it were me, though, I don't think that possibility
>would justify going to the considerable effort of writing the
>implementation.
>
>What I really hadn't anticipated was that someone would write a
>prepackaged SSH MITM implementation as proof of concept and without
>malicious intent, meaning that suddenly it's actually very _little_
>effort for a cracker to install an opportunistic MITM, so they might
>as well try it and there's not much lost if it doesn't catch anyone.
>(Which appears to be what happened: the MITMed connections in my
>case returned a version string saying "SSH-1.51", and as far as I
>can tell that's a protocol version number only used by Ettercap.)

dsniff has included a tool for MITM SSH attacks since 17th December 2000
see
http://www.oreillynet.com/pub/a/oreilly/networking/news/silv erman_1200.htm

and as mentioned in the article there was quite a lot of somewhat hysterical
publicity when it was released eg

Kurt Seifried's "The End of SSH and SSL ?" article.

David Webb
Security team leader
CCSS
Middlesex University

>--
>Simon Tatham "I'm going to pull his head off. Ear by ear."
> - a games teacher

Re: Some kind of dictionary type attack?

Simon Tatham wrote:

> Ari wrote:
> > Why were you surprised with MITM on SSH?
>
> Well, because it seemed like such a silly thing to be trying, given
> that SSH specifically includes a defence against it!

Another reason I like Linux. Many/most distributions default to
StrictHostKeyChecking so they flatly do not not allow a connection to a
server whose keys have changed unless you manually open up your known
hosts file and delete the key.

>
> With hindsight, yes, of course there's a decent chance that some
> people will thoughtlessly answer `yes' to the changed host key
> warning and then type their passwords through the resulting
> connection. If it were me, though, I don't think that possibility
> would justify going to the considerable effort of writing the
> implementation.

Idiots do it all the time with SSL, what makes you think they're any
smarter because the protocol has changed?

Actually that's probably the case, as anyone with enough IQ points to
be able to use SSH would probably have to be a little more aware of
what's going on around them than the average idiot. PuTTY and it's
relatives tend to make users dumber, but they still require the ability
to read and follow simple instructions.

>
> What I really hadn't anticipated was that someone would write a
> prepackaged SSH MITM implementation as proof of concept and without
> malicious intent, meaning that suddenly it's actually very _little_
> effort for a cracker to install an opportunistic MITM, so they might

You'd be surprised at how many "proof of concept" implementations there
are out there. Not uncommon at all for anal retentive businesses to
have boundrary equipment on their networks which intercept and "MITM
attack" all sorts of encrypted data. SSL is quite common, and SSH isn't
unheard of. Typically they have their keys pre-installed on company
equipment so employees never have the opportunity to verify or reject
them. :(

> as well try it and there's not much lost if it doesn't catch anyone.
> (Which appears to be what happened: the MITMed connections in my
> case returned a version string saying "SSH-1.51", and as far as I
> can tell that's a protocol version number only used by Ettercap.)

Re: Some kind of dictionary type attack?

On 09 Jan 2008 14:32:16 +0000 (GMT), Simon Tatham wrote:

> Ari wrote:
>> Why were you surprised with MITM on SSH?
>
> Well, because it seemed like such a silly thing to be trying, given
> that SSH specifically includes a defence against it!
>
> With hindsight, yes, of course there's a decent chance that some
> people will thoughtlessly answer `yes' to the changed host key
> warning and then type their passwords through the resulting
> connection. If it were me, though, I don't think that possibility
> would justify going to the considerable effort of writing the
> implementation.
>
> What I really hadn't anticipated was that someone would write a
> prepackaged SSH MITM implementation as proof of concept and without
> malicious intent, meaning that suddenly it's actually very _little_
> effort for a cracker to install an opportunistic MITM, so they might
> as well try it and there's not much lost if it doesn't catch anyone.
> (Which appears to be what happened: the MITMed connections in my
> case returned a version string saying "SSH-1.51", and as far as I
> can tell that's a protocol version number only used by Ettercap.)

Thanks, I sorta misread your surprise as meaning that you were unsuspecting
of acts on inevitable failure. lol