How to sniff ssh traffic at Layer3/Layer4, GIVEN you have the private key?


  1. that Alice is about to ssh to Bob;
  2. that Mallory possesses Alice's private key; and
  3. that Alice is on a Linux machine;

how can Mallory sniff the traffic between Alice and Bob?

If necessary, we can also assume,
  4. that Mallory also has root access to Alice's machine.

I'm interested in knowing if this sniffing can be done using the standard Linux toolset, or will it require a custom C/Perl program?

I'd also like to know how, at the TCP/IP (layer4/layer3) level, I could piece together the sniffed IP packets between 2 applications communicating in plain, unencrypted text/binary? For example, if Alice and Bob are sending huge files x and y respectively to each other over an unencrypted TCP/IP pipe using, say, a simple sockets-based client/server program, then using what techniques and tools (from the Linux toolset) can I piece together the files x and y that got sent from either side?

I know, e.g., that I could use snort to log the traffic, but I don't know how to piece together the packets.

Many thanks,

PS: Though I mentioned Alice ssh'ing Bob above, she could just as well be scp'ing a huge file. I'm assuming the fundamental technique/process used to crack open the communication between them will be identical for both ssh and scp.

Re: How to sniff ssh traffic at Layer3/Layer4, GIVEN you have the private key?


let's say "Bob's machine", since SSH is not a person-to-person protocol.


He can mount a man-in-the-middle attack and hope that Alice doesn't
check the fingerprint before accepting the server's host key and that,
if Bob's machine's host key is already listed in her known_hosts file,
she not only ignores her SSH client's warning about duplicate keys but
also removes the existing entry before trying again.

In other words, exactly what he would do if he didn't have Alice's
private key.  Alice's private key is only used for authentication, not
for encryption, so he doesn't gain much from knowing it - except for the
ability to log in on Bob's machine as Alice, which may or may not enable
him to snoop on Alice, depending on whether (and how well) Bob's machine
is hardened and on what Alice uses SSH for.


That's easy.  He can replace the SSH client with one that logs
everything, or just snoop Alice's tty.

Dag-Erling Smørgrav -
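The reply above hinges on the host-key check: Mallory's man-in-the-middle only succeeds if Alice accepts an unfamiliar fingerprint, or ignores and then deletes the known_hosts entry that no longer matches. As an added example (not code from the reply or from OpenSSH), the following reproduces that check: it builds ssh-ed25519 key blobs, computes the SHA256 fingerprint ssh-keygen prints, looks a host up in a known_hosts file with both plain and HashKnownHosts (`|1|salt|hmac`) entries, and classifies the server's key as matching, unknown, or changed. The key bytes, hostnames and known_hosts contents are constructed inline; nothing is contacted.

```python
# Added example: the known_hosts check that stands between a MITM and an
# SSH session. Keys here are placeholder bytes in the ssh-ed25519 blob
# format, not real curve points; hosts and entries are constructed.
import base64
import hashlib
import hmac
import struct


def ssh_string(b):
    """SSH wire-format string: 4-byte big-endian length followed by bytes."""
    return struct.pack(">I", len(b)) + b


def ed25519_blob(raw32):
    """Public-key blob as it appears (base64) in known_hosts / authorized_keys."""
    return ssh_string(b"ssh-ed25519") + ssh_string(raw32)


def fingerprint(blob):
    """SHA256 fingerprint in the form 'ssh-keygen -l' prints (unpadded base64)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def hashed_hostname(host, salt):
    """HashKnownHosts form: |1|base64(salt)|base64(HMAC-SHA1(key=salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(mac).decode())


def host_matches(field, host):
    """Does a known_hosts host field (plain, comma-separated or hashed) name host?"""
    if field.startswith("|1|"):
        _, _, salt_b64, _ = field.split("|")
        salt = base64.b64decode(salt_b64)
        return hmac.compare_digest(hashed_hostname(host, salt), field)
    return host in field.split(",")


def check_host(host, blob, known_hosts_text):
    """Classify the server's key the way an SSH client's known_hosts check does.

    "match":   entry for host with this exact key, connection proceeds.
    "unknown": no entry, client prompts Alice to confirm the fingerprint.
    "changed": entry exists with a different key, client refuses and prints
               the REMOTE HOST IDENTIFICATION HAS CHANGED warning.
    (Markers such as @cert-authority / @revoked are ignored in this example.)
    """
    seen_host = False
    for line in known_hosts_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or line.startswith("#"):
            continue
        hosts, key_b64 = parts[0], parts[2]
        if not host_matches(hosts, host):
            continue
        seen_host = True
        if base64.b64decode(key_b64) == blob:
            return "match"
    return "changed" if seen_host else "unknown"


# Constructed keys: the key of Bob's machine and the one Mallory's
# interposed host presents instead.
BOB_KEY = ed25519_blob(bytes(range(32)))
MALLORY_KEY = ed25519_blob(bytes(range(32, 64)))
CAROL_KEY = ed25519_blob(bytes(range(64, 96)))
SALT = b"\x01" * 20  # fixed for reproducibility; OpenSSH draws 20 random bytes

# Constructed known_hosts: a plain entry (hostname and IP) and a hashed entry.
KNOWN_HOSTS = "\n".join([
    "# constructed for the example",
    "bob.example,192.0.2.10 ssh-ed25519 " + base64.b64encode(BOB_KEY).decode(),
    hashed_hostname("carol.example", SALT) + " ssh-ed25519 "
    + base64.b64encode(CAROL_KEY).decode(),
])

if __name__ == "__main__":
    print("Bob's fingerprint:     ", fingerprint(BOB_KEY))
    print("Mallory's fingerprint: ", fingerprint(MALLORY_KEY))
    for host, key in [("bob.example", BOB_KEY), ("bob.example", MALLORY_KEY),
                      ("carol.example", MALLORY_KEY), ("dave.example", MALLORY_KEY)]:
        print(host, "->", check_host(host, key, KNOWN_HOSTS))
```

The "changed" branch is the one that defeats Mallory: the only way past it is for Alice to remove the stale line by hand, which is the step the reply says the attack has to hope for. Comparing the fingerprint printed on first connection against one obtained out of band is what closes the "unknown" branch.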

Re: How to sniff ssh traffic at Layer3/Layer4, GIVEN you have the private key?

On Monday, April 30, 2012 2:51:20 PM UTC+5:30, Dag-Erling Smørgrav wrote:

Fair enough.

Using opensource tools, I'd like to carry out an actual (ethical) MITM attack between two hosts that I control. Where can I get more, hands-on type of info about this?

Although the subject of this post mentions 'ssh', I'd like the equivalent info for SSL as well.

I don't mind writing some brief code in C/Perl if necessary, but I'm hoping I will not have to understand all the gory details of SSH and SSL protocol
