Comments for Ettercap

19 Apr 2002 09:10 WildThing

Re: MIM not possible against secure (ie most) SSL
Try using ettercap with the etter.filter.ssh filter.
It tries to convince the client that the server only supports ssh v1 (if it supports both). So if you simply run ssh, it will look up keys in known_hosts (not known_hosts2). If you always use ssh with v2 by default, you don't have the right key in known_hosts, so no warning pops up, just a simple "do you want to add..."
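As an added illustration of the host key checks discussed in this thread (not code from ettercap or from any of the posters), the following Python model keeps one trust store per protocol version, as the known_hosts / known_hosts2 split above implies, and shows why a downgrade yields only the quiet "add this key?" prompt rather than the loud mismatch warning, and why a client that refuses v1 outright never reaches that prompt. Key blobs and the host name are constructed placeholders.

```python
import base64
import hashlib

def fingerprint(pubkey: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint of a raw public key blob (base64, padding stripped)."""
    digest = hashlib.sha256(pubkey).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

# Constructed sample blobs (not real keys): the genuine server key and a foreign one.
REAL_SERVER_KEY = b"ssh-rsa-blob-for-example.org-constructed"
FOREIGN_KEY = b"ssh-rsa-blob-from-some-other-host-constructed"

# Per-protocol trust stores: v1 -> known_hosts, v2 -> known_hosts2.
# The user has only ever connected with v2, so the v1 store is empty.
KNOWN_HOSTS = {
    1: {},
    2: {"example.org": fingerprint(REAL_SERVER_KEY)},
}

def verify_host_key(host, protocol, presented_key, known=None, strict=True):
    """Outcome of host key checking as (status, proceed).
    'ok'       - fingerprint matches the stored entry
    'mismatch' - stored entry differs: the loud MITM warning, never proceed
    'unknown'  - no entry: the quiet 'do you want to add...' prompt,
                 proceed only when the client is not in strict mode"""
    known = KNOWN_HOSTS if known is None else known
    stored = known.get(protocol, {}).get(host)
    if stored is None:
        return ("unknown", not strict)
    if stored != fingerprint(presented_key):
        return ("mismatch", False)
    return ("ok", True)

def negotiate(host, server_versions, presented_key, allowed_versions=(2,), strict=True):
    """Client-side protocol choice: pick the highest version both sides allow and
    refuse outright if the server offers nothing the client permits (no downgrade)."""
    common = [v for v in sorted(allowed_versions, reverse=True) if v in server_versions]
    if not common:
        return ("downgrade_refused", None, False)
    proto = common[0]
    status, proceed = verify_host_key(host, proto, presented_key, strict=strict)
    return (status, proto, proceed)
```

A client that allows both versions and is not strict is the case the post describes: the foreign key is simply "unknown", and the user is asked to add it.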

07 Apr 2002 04:52 alor

Re: MIM not possible against secure (ie most) SSL

> And I was wondering, will ssh sniffing
> work at all against public key
> authentication?

During public key auth (like in SSH2) the keys are not exchanged on the wire... so you cannot do a m-i-t-m attack against it. The server already has your REAL public key and will not start the session if it doesn't match.

06 Apr 2002 18:42 rcastell

Re: MIM not possible against secure (ie most) SSL
If you set up ssh right, it gives you a loud warning about man-in-the-middle attacks if the
host's key fingerprint changes. If the user accepts anyway, the connection can be sniffed.
And I was wondering, will ssh sniffing work at all against public key authentication?

15 Dec 2001 08:41 alor

Re: MIM not possible against secure (ie most) SSL

> It will not work for
> browser connections because the browser
> itself checks the certificate for the
> site name (and to fool that you have to
> persuade Verisign or similar to sign a
> certificate that says, for example, that
> you are amazon.com - not likely).

or to persuade the user to accept the false certificate... here the social engineering is crucial: if the user is prompted with a false certificate that is *very* similar to his favourite CA's, he will accept it... obviously the weakest link of the chain is always the user, as in SSH man-in-the-middle.

bye

15 Dec 2001 06:30 BelindaWoods

MIM not possible against secure (ie most) SSL
Even with SSL support in the code, it is not possible to crack SSL encrypted links. To complete an SSL
handshake you must know the secret key for the certificate that you supply. If Ettercap supplies the server's
certificate to the client, it will not be able to complete the handshake. If it supplies its own certificate,
the client will see that the certificate is not the one expected.

So the only hope this has of working is if certificates are not checked, which is only likely if people use ssh
insecurely. It will not work for browser connections because the browser itself checks the certificate for the site
name (and to fool that you have to persuade Verisign or similar to sign a certificate that says, for example, that
you are amazon.com - not likely).

Given all that, aren't you misrepresenting the abilities of this tool?

[Apologies, I'm using an anon acct for obvious reasons]

18 Sep 2001 08:07 WildThing

Good Work Guys!
Yeah!