Does anyone know of any ssh session sniping software
I want to use it on my own machine to test Snort and other IDSes to see how/if they work. I'm doing this in conjunction with another person and we were going to put our findings in a report.
The server is Debian squeeze running on PowerPC. If no such software exists I would appreciate any advice on how I should approach this.
I'm willing to use/install older, vulnerable software to achieve this. It doesn't necessarily have to be SSH; it's just the first thing that comes to mind because it seems to be the most widely used network utility.
I'm not sure whether it's you or me who's not understanding here.
As I understand it if you did manage to "listen in" on an SSH session then you would be using a man-in-the-middle attack so any data seen by Snort would be indistinguishable from a legitimate SSH session -- otherwise SSH itself would either not work or alert you to the problem itself.
Have you played with SSH and seen what happens when you replace one host with another on the same IP and then try to SSH into the new host, for example?
I thought to break into an SSH session you needed to either:
Have a machine able to capture the packets and the ability to break the encryption.
Or
Perform a man-in-the-middle attack (relying upon the user not noticing a warning or on some vulnerability).
Both of which ought to be transparent to an IDS as the first does nothing to the data stream and the second looks like legitimate SSH traffic since it is, to all intents and purposes, legitimate SSH traffic or it wouldn't work?
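The "warning" the second method relies on the user ignoring is the client's known_hosts check. The script below is an added example written for this edit, not code from any poster and not OpenSSH's own implementation; it models that check in Python: it parses plain and HashKnownHosts (`|1|salt|hmac`) entries, compares the presented key blob against the one on file, and reports whether the connection would be silent, a trust-on-first-use prompt, or the REMOTE HOST IDENTIFICATION HAS CHANGED case a key-swapping MITM runs into. The hostnames, key bytes and salt are constructed sample data, and the three decision labels are this example's own.

```python
import base64
import hashlib
import hmac
import struct


def ssh_string(b: bytes) -> bytes:
    """SSH wire encoding: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def ed25519_blob(raw32: bytes) -> bytes:
    """Public-key blob as it appears base64-encoded in known_hosts / authorized_keys."""
    return ssh_string(b"ssh-ed25519") + ssh_string(raw32)


def fingerprint(key_blob: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint (the form 'ssh-keygen -lf' prints)."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def b64(b: bytes) -> str:
    return base64.b64encode(b).decode()


def hashed_pattern(host: str, salt: bytes) -> str:
    """HashKnownHosts form of the host field: |1|b64(salt)|b64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (b64(salt), b64(mac))


def host_matches(pattern: str, host: str) -> bool:
    """Does a known_hosts host field (comma list or hashed form) cover this host?"""
    if pattern.startswith("|1|"):
        _, _, salt_b64, mac_b64 = pattern.split("|")
        salt, mac = base64.b64decode(salt_b64), base64.b64decode(mac_b64)
        expected = hmac.new(salt, host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(expected, mac)
    return host in pattern.split(",")


def check_host_key(known_hosts: str, host: str, keytype: str, key_blob: bytes) -> str:
    """Simplified OpenSSH host-key decision.

    'match'   -> connect silently
    'new'     -> trust-on-first-use prompt (no entry of this key type for the host)
    'CHANGED' -> an entry of the same type exists but the key differs: the
                 REMOTE HOST IDENTIFICATION HAS CHANGED warning
    @cert-authority / @revoked marker lines are skipped to keep the example short.
    """
    same_type_seen = False
    for line in known_hosts.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith(("#", "@")) or len(fields) < 3:
            continue
        pattern, ktype, key_b64 = fields[:3]
        if ktype != keytype or not host_matches(pattern, host):
            continue
        same_type_seen = True
        if hmac.compare_digest(base64.b64decode(key_b64), key_blob):
            return "match"
    return "CHANGED" if same_type_seen else "new"


# Constructed sample data: deterministic bytes standing in for real server keys.
REAL_KEY = ed25519_blob(bytes(range(32)))
IMPOSTOR_KEY = ed25519_blob(bytes(range(32, 64)))
KNOWN_HOSTS = "\n".join([
    "# constructed ~/.ssh/known_hosts",
    "server.example.test,192.0.2.10 ssh-ed25519 " + b64(REAL_KEY),
    hashed_pattern("backup.example.test", b"0123456789abcdefghij") + " ssh-ed25519 " + b64(REAL_KEY),
])

if __name__ == "__main__":
    for host, key in [("server.example.test", REAL_KEY),
                      ("192.0.2.10", IMPOSTOR_KEY),
                      ("backup.example.test", REAL_KEY),
                      ("other.example.test", REAL_KEY)]:
        print(host, fingerprint(key), check_host_key(KNOWN_HOSTS, host, "ssh-ed25519", key))
```

The point for the IDS question: every one of these outcomes is decided on the client from bytes it already has, and the packets on the wire look the same in all three cases, so the only place the "CHANGED" verdict shows up is the user's terminal, never in a Snort alert.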
Either method can capture the data stream, which would look like garbage. Once the NIC is placed in promiscuous mode, it will capture all of the traffic on the wire and this can be saved and analyzed. The data gets decrypted at the application level and the network sniffer operates below that, so unless you're acting as the MITM and capturing the decrypted traffic, all you will see besides the session handshaking is the garbage.
Quote:
Originally Posted by Noway2
Either method can capture the data stream, which would look like garbage. Once the NIC is placed in promiscuous mode, it will capture all of the traffic on the wire and this can be saved and analyzed. The data gets decrypted at the application level and the network sniffer operates below that, so unless you're acting as the MITM and capturing the decrypted traffic, all you will see besides the session handshaking is the garbage.
I think we're typing at cross-purposes.
My point was that if you can tap into an SSH session then no IDS will see that -- so it is not something you can use to "try out" Snort.
Ah, I see what you're saying. Good point, no, an IDS wouldn't help here. At best a network IDS would detect "bad" connection attempts via the packets, but those would probably be mostly benign anyway. A host IDS (not Snort) that looks at the log files and takes evasive action, such as a firewall block, would be much more beneficial.
Let's also be clear about the purpose of this thread: if it's about disrupting sessions by injecting packets at the transport layer that's fine but performing any MitM clearly isn't under the LQ Rules.
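The host-side check Noway2 describes, as an added example written for this edit (not code from the thread or from any IDS product): a few constructed Debian auth.log lines, a sliding-window count of sshd "Failed password" events per source address, and the iptables rule a HIDS would fire when a source crosses the threshold. The threshold (3), window (60 s) and the year assumed for the year-less syslog timestamps are this example's own choices, and the firewall commands are only returned as strings, never executed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed auth.log lines in Debian syslog format (not captured from a real host).
SAMPLE_LOG = """\
Jan 10 12:00:01 squeeze sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan 10 12:00:02 squeeze sshd[1203]: Failed password for invalid user oracle from 203.0.113.5 port 51238 ssh2
Jan 10 12:00:04 squeeze sshd[1205]: Failed password for root from 203.0.113.5 port 51240 ssh2
Jan 10 12:00:05 squeeze sshd[1207]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2
Jan 10 12:00:09 squeeze sshd[1209]: Failed password for root from 203.0.113.5 port 51244 ssh2
Jan 10 12:00:30 squeeze sshd[1211]: Failed password for bob from 198.51.100.7 port 40010 ssh2
Jan 10 12:00:31 squeeze sshd[1213]: Accepted password for bob from 198.51.100.7 port 40010 ssh2
"""

# Matches sshd's "Failed <method> for [invalid user ]<user> from <ip> port <n>"
# and the matching "Accepted ..." line; anything else in the log is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<verdict>Failed|Accepted) (?P<method>\S+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_line(line, year=2012):
    """Return a dict for an auth success/failure line, else None.
    syslog timestamps carry no year, so the caller supplies one (assumed here)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime("%d %s" % (year, m["ts"]), "%Y %b %d %H:%M:%S")
    return {"ts": ts, "verdict": m["verdict"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(log_text, threshold=3, window_seconds=60, year=2012):
    """Sliding-window count of failures per source IP.
    Returns {ip: (time_threshold_crossed, failures_in_window)}; an IP is reported
    once, the first time it reaches `threshold` failures within `window_seconds`."""
    recent = defaultdict(deque)
    flagged = {}
    for line in log_text.splitlines():
        ev = parse_line(line, year)
        if ev is None or ev["verdict"] != "Failed":
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        # Drop failures that have aged out of the window (q is non-empty: we just appended).
        while (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and ev["ip"] not in flagged:
            flagged[ev["ip"]] = (ev["ts"], len(q))
    return flagged


def block_commands(flagged):
    """The firewall action a HIDS would take; returned as strings, never executed here."""
    return ["iptables -I INPUT -s %s -p tcp --dport 22 -j DROP" % ip
            for ip in sorted(flagged)]


if __name__ == "__main__":
    hits = detect_bruteforce(SAMPLE_LOG)
    for ip, (when, n) in hits.items():
        print("%s: %d failures by %s" % (ip, n, when.time()))
    for cmd in block_commands(hits):
        print(cmd)
```

This is the logic tools such as fail2ban automate. Note that it inherits the limitation discussed above: it only sees what sshd writes to the log, so a man-in-the-middle that relays a session the user accepted produces a normal "Accepted" line and nothing here fires; what it does catch is the noisy password-guessing that precedes most real SSH compromises.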