On Fri, 20 Dec 2002, Janssen, Steph wrote:

> I'm afraid it only brings a small amount of safety. Also the Promiscuous part
> is getting a bit different.
> 
> Nowadays most people who sniff, sniff using tools that poison your
> arp-cache, in your switches. http://ettercap.sourceforge.net/ is a good

> 
> This makes the machine sniffing you the machine in the middle, and would it
> detect an ssh-connection, it will "put you through" like a receptionist, that
> way maintaining two sessions. One with you, and one with the server you

Quote from above web page :-

 SSH1 support : you can sniff User and Pass, and even the data of an
 SSH1 connection. ettercap is the first software capable to sniff an
 SSH connection in FULL-DUPLEX

According to mailing lists that specialize in ssh, this was due to a
bug in SSH protocol v 1, that is not present in SSH protocol v 2

ettercap does not claim to sniff ssh v 2.

So until a bug is found in protocol v 2, you need to

* acquire an ssh tool that supports it (recent versions of sssh,
  OpenSSH and PuTTY support it)

* disable protocol v 1 in this tool (preferably in client and server.)

* if your tool warns you about an unknown host key, take it
  seriously.  Transmit and install trusted host keys by a secure
  channel, as the unknown host key may belong to the 'man in the
  middle' sniffer.

Although I use protocol v 2 for this reason, I am not a penetration
tester so have not proven its effectiveness myself.

I think that right now I am safe from ettercap kids anyway.

David.
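
An added example, not part of the original message: a small Python auditor that checks OpenSSH-style configuration text for the two settings the list above depends on, the `Protocol` line and `StrictHostKeyChecking`. The sample configs are constructed, and the `default_protocol="2,1"` fallback is an assumption about builds of that era that still compile in v1 support.

```python
import re

# Constructed sample configs (not from the original message).
WEAK_SSHD = "# sshd_config\nPort 22\nProtocol 2,1\n"
HARDENED_SSHD = "# sshd_config\nPort 22\nProtocol 2\n"
WEAK_CLIENT = "Host *\n  Protocol 1,2\n  StrictHostKeyChecking no\n"
HARDENED_CLIENT = "Host *\n  Protocol 2\n  StrictHostKeyChecking yes\n"


def directives(text):
    """Yield (line_number, lowercased keyword, value) for each setting line."""
    for n, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        # OpenSSH accepts "Keyword value" and "Keyword=value".
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2:
            yield n, parts[0].lower(), parts[1].strip().strip('"')


def audit(text, default_protocol="2,1"):
    """Return findings for settings that leave SSH v1 or blind key trust enabled.

    default_protocol is an assumption: what the build falls back to when the
    file has no Protocol line. Pass "2" for builds without v1 support.
    """
    findings = []
    seen_protocol = False
    for n, key, value in directives(text):
        if key == "protocol":
            seen_protocol = True
            versions = {v.strip() for v in value.split(",")}
            if "1" in versions:
                findings.append(f"line {n}: Protocol {value} still allows SSH v1")
        elif key == "stricthostkeychecking" and value.lower() == "no":
            findings.append(f"line {n}: unknown host keys accepted without a warning")
    if not seen_protocol and "1" in default_protocol.split(","):
        findings.append("no Protocol line: assumed default still allows SSH v1")
    return findings


if __name__ == "__main__":
    for name, cfg in [("weak sshd", WEAK_SSHD), ("hardened sshd", HARDENED_SSHD),
                      ("weak client", WEAK_CLIENT), ("hardened client", HARDENED_CLIENT)]:
        print(name, "->", audit(cfg) or "ok")
```

Listing v2 first, as in `Protocol 2,1`, is still flagged because v1 stays available as a fallback for the connection.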
