OT: Security....
Scot L. Harris
webid at cfl.rr.com
Thu Nov 4 18:06:28 UTC 2004
On Thu, 2004-11-04 at 12:14, HaJo Schatz wrote:
> On Thu, 2004-11-04 at 23:49, Scot L. Harris wrote:
>
> > At what point does the system log the ssh attempt? If it is after the
> > initial 3 way handshake then I think an ssh attempt could be spoofed
> > without having to receive packets back from the target system. From
> > what I can tell it appears that when you initiate an ssh attempt the
> > standard 3 way handshake is started. You send a SYN packet, the target
> > sends a SYN ACK packet. Normally since you would not get the SYN ACK
> > packet the connection would not be completed. However if you
> > manufacture an ACK packet and send that a few seconds after you send the
> > SYN packet I think you would have a good chance of completing the
> > handshake. If that gets logged as an SSH attempt then the active
> > response system in place may block the spoofed sender IP address.
>
> I have tried that. You have to have your login and password transmitted
> before the log entry appears through syslog (which makes sense, as the
> credentials appear in the log as well). I believe it's pretty hard to
> "pre-guess" (what a word) the authentication/encryption handshake to
> spoof an IP ;-)
That makes sense. Will have to find some time to look at this a little
more. :)
--
Scot L. Harris
webid at cfl.rr.com
Yield to Temptation ... it may not pass your way again.
-- Lazarus Long, "Time Enough for Love"