LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Old 11-13-2013, 06:50 PM   #1
jddancks
Does anyone know of any ssh session sniping software


I want to use it on my own machine to test Snort and other IDSs to see how/if they work. I'm doing it in conjunction with another person and we were gonna put our findings in a report.

The server is Debian squeeze running on PowerPC. If no such software exists I would appreciate any advice on how I should approach this.

I'm willing to use/install older, vulnerable software to achieve this. It doesn't necessarily have to be SSH; it's just the first thing that comes to mind because it seems to be the most widely used network utility.

Any ideas?
 
Old 11-14-2013, 02:21 AM   #2
273
I'm not sure whether it's you or me who's not understanding here.
As I understand it if you did manage to "listen in" on an SSH session then you would be using a man-in-the-middle attack so any data seen by Snort would be indistinguishable from a legitimate SSH session -- otherwise SSH itself would either not work or alert you to the problem itself.
Have you played with SSH and seen what happens when you replace one host with another on the same IP and then try to SSH into the new host, for example?
 
Old 11-14-2013, 02:38 AM   #3
unSpawn
tcpdump for learning src, dst, ports, sequence no, etc. and Scapy for sending the RST?
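The thread's open question is whether an IDS would see a transport-layer session snipe of the kind sketched above (observe the flow, then inject a RST). Here is an added detection-side example, not code from the thread or any of its participants: a Python check over constructed tcpdump-style records that flags RST segments whose IP TTL disagrees with the TTL the same endpoint used earlier in the flow, a common sign of a forged reset from a third host. The one-line record format and the 2-hop tolerance are assumptions.

```python
"""Flag TCP RSTs whose IP TTL disagrees with the sender's earlier packets.

A host that really terminates a session sends its RST over the same path
as the rest of the flow, so its TTL stays stable; a third party injecting
a RST usually sits elsewhere and arrives with a different hop count.
"""
import re

# Constructed sample: tcpdump -v style fields collapsed onto one line per
# packet (assumed format, not real tcpdump output). The SSH server is
# 10.0.0.1:22; the RST on line 6 arrives with ttl 57 instead of 63.
SAMPLE = """\
ttl 64 10.0.0.2.51000 > 10.0.0.1.22: Flags [S], seq 1000
ttl 63 10.0.0.1.22 > 10.0.0.2.51000: Flags [S.], seq 5000, ack 1001
ttl 64 10.0.0.2.51000 > 10.0.0.1.22: Flags [.], ack 5001
ttl 64 10.0.0.2.51000 > 10.0.0.1.22: Flags [P.], seq 1001:1030, ack 5001
ttl 63 10.0.0.1.22 > 10.0.0.2.51000: Flags [P.], seq 5001:5040, ack 1030
ttl 57 10.0.0.1.22 > 10.0.0.2.51000: Flags [R], seq 5040
ttl 63 10.0.0.1.22 > 10.0.0.2.51000: Flags [.], ack 1030
"""

LINE = re.compile(
    r"ttl (?P<ttl>\d+) (?P<src>[\d.]+) > (?P<dst>[\d.]+): Flags \[(?P<flags>[^\]]*)\]"
)


def suspicious_resets(text, max_ttl_delta=2):
    """Return (line_no, sender, rst_ttl, baseline_ttl) for every RST whose
    TTL differs from the sender's first non-RST packet by more than
    max_ttl_delta hops. Lines that do not match the record format are skipped."""
    baseline = {}  # sender endpoint (ip.port) -> TTL of its first non-RST packet
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = LINE.match(line)
        if not m:
            continue
        src, ttl, flags = m["src"], int(m["ttl"]), m["flags"]
        if "R" in flags:
            if src in baseline and abs(ttl - baseline[src]) > max_ttl_delta:
                hits.append((n, src, ttl, baseline[src]))
            continue
        baseline.setdefault(src, ttl)
    return hits


if __name__ == "__main__":
    for hit in suspicious_resets(SAMPLE):
        print("possible injected RST: line %d from %s (ttl %d, flow baseline %d)" % hit)
```

Routing changes can shift a legitimate host's TTL by a hop or two, which is why the check tolerates a small delta; pair it with a sequence-number sanity check before alerting on it in production.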
 
Old 11-14-2013, 02:52 AM   #4
273
I thought to break into an SSH session you needed to either:
Have a machine able to capture the packets and the ability to break the encryption.
Or
Perform a man-in-the-middle attack (relying upon the user not noticing a warning or on some vulnerability).
Both of which ought to be transparent to an IDS as the first does nothing to the data stream and the second looks like legitimate SSH traffic since it is, to all intents and purposes, legitimate SSH traffic or it wouldn't work?
 
Old 11-14-2013, 02:47 PM   #5
Noway2
Quote (originally posted by 273):
Both of which ought to be transparent to an IDS as the first does nothing to the data stream and the second looks like legitimate SSH traffic since it is, to all intents and purposes, legitimate SSH traffic or it wouldn't work?
Either method can capture the data stream, which would look like garbage. Once the NIC is placed in promiscuous mode, it will capture all of the traffic on the wire and this can be saved and analyzed. The data gets decrypted at the application level and the network sniffer operates below that, so unless you're acting as the MITM and capturing the decrypted traffic, all you will see besides the session handshaking is the garbage.
 
Old 11-14-2013, 03:11 PM   #6
273
Quote (originally posted by Noway2):
Either method can capture the data stream which would look like garbage. Once the NIC is placed in promiscuous mode, it will capture all of the traffic on the wire and this can be saved and analyzed. The data gets decrypted at the application level and the network sniffer operates below that, so unless your acting like the MITM and capturing the decrypted traffic, all you will see besides the session handshaking is the garbage.
I think we're typing at cross-purposes.
My point was that if you can tap into an SSH session then no IDS will see that -- so it is not something you can use to "try out" Snort.
 
Old 11-14-2013, 03:29 PM   #7
Noway2
Quote (originally posted by 273):
My point was that if you can tap into an SSH session then no IDS will see that -- so it is not something you can use to "try out" Snort.
Ah, I see what you're saying. Good point, no, an IDS wouldn't help here. At best a network IDS would detect "bad" connection attempts via the packets, but those would probably be mostly benign anyway. A host IDS (not Snort) that looks at the log files and takes evasive action, such as a firewall block, would be much more beneficial.
 
Old 11-15-2013, 02:52 AM   #8
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,393
Blog Entries: 55

Rep: Reputation: 3565Reputation: 3565Reputation: 3565Reputation: 3565Reputation: 3565Reputation: 3565Reputation: 3565Reputation: 3565Reputation: 3565Reputation: 3565Reputation: 3565
Let's also be clear about the purpose of this thread: if it's about disrupting sessions by injecting packets at the transport layer that's fine but performing any MitM clearly isn't under the LQ Rules.
 
  

