On Fri, Mar 07, 2003 at 08:31:58PM +0800, daddy wrote:
> Is it possible to fake live IPs? (AFAIK you can only spoof loopback IP.)
> Because I was wondering: they already put into place allowed hosts in
> sshd_config... is it possible to bypass it by some remote host saying that he
> is one of the IPs listed in the conf...?
Yes, it is certainly possible to do all of this. This is the exact attack described in Phrack 48 for TCP connection hijacking and IP spoofing, but it involves TCP sequence number prediction, which is all but impossible under current versions of Linux. You can read all about it here:

http://www.phrack-dont-give-a-shit-about-dmca.org/phrack/48/P48-14

It won't work for SSH of course, but RSH (because it's one of those obsolete protocols that don't use cryptography) is vulnerable. SSH doesn't just believe the IP you have like RSH does; it does a zero-knowledge authentication protocol based on the valid host key first, so it's not as simple as the Phrack article describes. You have to steal the private key first, but in order to do that you probably already have to have root on the box you're trying to impersonate, so there's no point in doing the attack.

-- 
Rafael R. Sevilla <dido at imperium dot ph>   +63(2)8123151
Software Developer, Imperium Technology Inc.   +63(917)4458925
"Under the cloud of threatening war, it is humanity hanging from a cross of iron."

_
Philippine Linux Users Group. Web site and archives at http://plug.linux.org.ph
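A worked model of the two points in the reply above (blind spoofing needs the server's initial sequence number, and an IP-trusting service falls to it while a host-key challenge does not), added here as an example and not code from the thread or from Phrack 48. The server, addresses, the fixed per-connection ISN step and the HMAC-with-shared-secret "host key" are all assumed simplifications: real SSH hostbased authentication signs a challenge with the client host's private key, and the old BSD generator also had a clock component, but the mechanics of the guess are the same.

```python
"""Blind TCP spoof against IP-based trust vs. a host-secret challenge.

Constructed example: a toy server issues ISNs either predictably (fixed
step per connection, the kind of generator Phrack 48 attacks) or randomly
(as current kernels do). The attacker never sees the SYN-ACK sent to the
spoofed address, so it must guess ISN+1 to finish the handshake.
"""
import hmac
import hashlib
import random

STEP = 64000           # assumed per-connection ISN increment (predictable mode)
MASK = 0xFFFFFFFF      # 32-bit sequence space


class Server:
    def __init__(self, isn_mode, trusted_ip, host_secrets, seed=7):
        self.isn_mode = isn_mode            # "predictable" or "random"
        self.trusted_ip = trusted_ip        # the IP an rsh-style ACL allows
        self.host_secrets = host_secrets    # ip -> secret (stand-in for host keys)
        self.rng = random.Random(seed)
        self.last_isn = self.rng.getrandbits(32)
        self.half_open = {}                 # src ip -> ISN awaiting third packet
        self.established = set()
        self.challenges = {}

    def _next_isn(self):
        if self.isn_mode == "predictable":
            self.last_isn = (self.last_isn + STEP) & MASK
        else:
            self.last_isn = self.rng.getrandbits(32)
        return self.last_isn

    def recv_syn(self, src_ip):
        """SYN from src_ip. The SYN-ACK carrying our ISN is routed to src_ip,
        so only the real owner of that address learns it."""
        isn = self._next_isn()
        self.half_open[src_ip] = isn
        return isn

    def recv_ack(self, src_ip, ack):
        """Third handshake packet: accepted only if ack == ISN + 1."""
        isn = self.half_open.pop(src_ip, None)
        if isn is None or ack != ((isn + 1) & MASK):
            return False
        self.established.add(src_ip)
        return True

    def rsh_request(self, src_ip):
        """rsh-style trust: an established connection from the allowed IP is enough."""
        return src_ip in self.established and src_ip == self.trusted_ip

    def hostbased_challenge(self, src_ip):
        """Host-key style auth, step 1: send a nonce over the connection."""
        if src_ip not in self.established:
            return None
        nonce = self.rng.getrandbits(128).to_bytes(16, "big")
        self.challenges[src_ip] = nonce
        return nonce

    def hostbased_request(self, src_ip, response):
        """Step 2: the response must be computed with src_ip's own secret."""
        nonce = self.challenges.pop(src_ip, None)
        if nonce is None or src_ip != self.trusted_ip:
            return False
        expected = hmac.new(self.host_secrets[src_ip], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def spoofed_handshake(server, attacker_ip, trusted_ip):
    """Blind spoof: sample the ISN from our own IP, then forge the trusted
    host's third packet. True if the spoofed connection is established."""
    sample = server.recv_syn(attacker_ip)            # legit connection: we see this ISN
    server.recv_ack(attacker_ip, (sample + 1) & MASK)
    server.recv_syn(trusted_ip)                      # SYN-ACK goes to trusted_ip, not us
    # The real attack also has to stop trusted_ip from RSTing that SYN-ACK
    # (Phrack 48 floods it); assumed done here.
    guess = (sample + STEP + 1) & MASK               # next ISN if the step is constant
    return server.recv_ack(trusted_ip, guess)


def attack(isn_mode, attacker_secret=b"attacker-key"):
    """Run the spoof, then try rsh-style and host-secret access.
    Returns (rsh_access, hostbased_access)."""
    trusted, attacker = "10.0.0.5", "10.0.0.66"      # assumed addresses
    srv = Server(isn_mode, trusted,
                 {trusted: b"trusted-host-key", attacker: attacker_secret})
    if not spoofed_handshake(srv, attacker, trusted):
        return (False, False)
    rsh = srv.rsh_request(trusted)
    nonce = srv.hostbased_challenge(trusted)
    # Attacker does not receive the nonce either; even with it, only its own
    # secret is available, so the forged response cannot verify.
    forged = hmac.new(attacker_secret, nonce, hashlib.sha256).digest()
    return (rsh, srv.hostbased_request(trusted, forged))


def legitimate_hostbased(isn_mode="random"):
    """The real trusted host answers the challenge with its own secret."""
    trusted, secret = "10.0.0.5", b"trusted-host-key"
    srv = Server(isn_mode, trusted, {trusted: secret})
    isn = srv.recv_syn(trusted)
    srv.recv_ack(trusted, (isn + 1) & MASK)
    nonce = srv.hostbased_challenge(trusted)
    return srv.hostbased_request(trusted, hmac.new(secret, nonce, hashlib.sha256).digest())


if __name__ == "__main__":
    print("predictable ISN:", attack("predictable"))   # (True, False)
    print("random ISN:     ", attack("random"))        # (False, False)
```

With a predictable generator the forged third packet is accepted and the rsh-style check passes, but the host-secret challenge still fails; with random ISNs the attacker never gets past the handshake. Note that `spoofed_handshake` never reads the return value of the spoofed `recv_syn`, which is the whole point: that SYN-ACK went to the host being impersonated.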
