Re: ssh mitm at the router

From: Terry Vernon (tvernon24@comcast.net)
Date: Fri Jul 29 2005 - 10:43:07 EDT


Quoted from my own lips:

gre_relay runs only in offensive mode which disables kernel routing
which breaks the router.

Problem not solved.

Terry Vernon
CTO
Sprite Technologies

Andres Riancho wrote:

>
> Quoted from ettercap documentation:
>
> gre_relay
> This plugin can be used to sniff GRE-redirected remote traffic. The
> basic idea is to create a GRE tunnel that sends all the traffic on a
> router interface to the ettercap machine. The plugin will send back
> the GRE packets to the router, after ettercap "manipulation" (you
> can use "active" plugins such as smb_down, ssh decryption, filters,
> etc... on redirected traffic). It needs a "fake" host where the
> traffic has to be redirected to (to avoid kernel's responses). The
> "fake" IP will be the tunnel endpoint. Gre_relay plugin will
> impersonate the "fake" host. To find an unused IP address for the
> "fake" host you can use find_ip plugin. Based on the original
> Tunnelx technique by Anthony C. Zboralski published in
> http://www.phrack.org/show.php?p=56&a=10 by HERT.
>
> When you create a GRE tunnel, you can redirect specific traffic. So,
> your problem is solved.
>
> Terry Vernon wrote:
>
>> We have a client who wants to intercept ssh and ssl transmissions and
>> sniff them going across their routers on their WAN. I've looked at
>> ettercap, sshmitm, and ssharp and none are suitable for this job.
>> Is there anything out there that proxies these encrypted protocols
>> and does a mitm without arp poisoning?
>>
>> Terry Vernon
>> CTO
>> Sprite Technologies
>
>
>


