MITM and SSH:

MITM (Man In The Middle) attacks are an effective network-level technique for compromising a system.
Let's take the example of a MITM attack on SSH. SSH is a secure remote login protocol, operating on port 22 by default, that relies on public/private key pairs: the server proves its identity with a host key, and the client can check that key's fingerprint.

Say I am connecting remotely from my Windows machine, using PuTTY, to one of the boxes running a web server. The dialog box tells me that the host key of the remote end is not yet cached (i.e. not verified) and asks whether I want to cache it on my client for subsequent connections. Note the key fingerprint it displays:
34:51:a6:55:db:81:3e:76:72:e9:e9:4c:29:cc:c5:83

I log in successfully and check that this is indeed the key on the server end:

apache@apache:/etc/ssh$ ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub
2048 34:51:a6:55:db:81:3e:76:72:e9:e9:4c:29:cc:c5:83
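The same out-of-band check done in Python, as an added example that is not code from the original post: it recomputes the host-key fingerprint from the server's public-key line and compares it with what PuTTY displayed, in both the legacy MD5 colon format shown above and the SHA256 format newer OpenSSH prints by default. The key embedded below is a constructed toy ssh-rsa blob, not a real host key, and the function names (parse_openssh_pubkey, md5_fingerprint, host_key_matches) are this example's own.

```python
# Added example, not from the original post: recompute an SSH host-key
# fingerprint from the server's public-key line and compare it with the
# fingerprint PuTTY displayed. Old OpenSSH (`ssh-keygen -l`) prints MD5 as
# 16 colon-separated hex bytes; newer releases print SHA256 in base64.
import base64
import hashlib
import struct


def _ssh_string(data):
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value):
    """RFC 4251 'mpint': big-endian two's complement, leading 0x00 if needed."""
    return _ssh_string(value.to_bytes((value.bit_length() + 8) // 8, "big"))


def parse_openssh_pubkey(line):
    """Return (key_type, key_blob) from an id_rsa.pub / ssh_host_*_key.pub line."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    key_type, blob = parts[0], base64.b64decode(parts[1])
    # The blob begins with an ssh string naming the key type; if it does not
    # match the text in front of it, the line is corrupt or tampered with.
    (type_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + type_len] != key_type.encode():
        raise ValueError("key type in blob does not match the line")
    return key_type, blob


def md5_fingerprint(blob):
    """Legacy ssh-keygen -l format, e.g. 34:51:a6:...:83 (lower-case hex)."""
    hexdigest = hashlib.md5(blob).hexdigest()
    return ":".join(hexdigest[i:i + 2] for i in range(0, 32, 2))


def sha256_fingerprint(blob):
    """Modern format: 'SHA256:' + unpadded base64 of the digest."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def host_key_matches(pubkey_line, shown_fingerprint):
    """True if the fingerprint the client showed belongs to this public key."""
    _, blob = parse_openssh_pubkey(pubkey_line)
    shown = shown_fingerprint.strip()
    if shown.upper().startswith("SHA256:"):
        return shown[7:] == sha256_fingerprint(blob)[7:]
    return shown.lower() == md5_fingerprint(blob)


# Constructed sample key: a toy ssh-rsa blob with a tiny modulus. It is NOT a
# usable host key; it only exercises the parsing and fingerprinting above.
SAMPLE_BLOB = (_ssh_string(b"ssh-rsa")
               + _ssh_mpint(65537)
               + _ssh_mpint(0xC0FFEE00DEADBEEF0BADF00DCAFEBABE))
SAMPLE_PUBKEY_LINE = ("ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode()
                      + " apache@apache")


if __name__ == "__main__":
    _, blob = parse_openssh_pubkey(SAMPLE_PUBKEY_LINE)
    print("server MD5   :", md5_fingerprint(blob))
    print("server SHA256:", sha256_fingerprint(blob))
    # The fingerprint the post's PuTTY dialog showed; it will not match the toy key.
    shown = "34:51:a6:55:db:81:3e:76:72:e9:e9:4c:29:cc:c5:83"
    print("matches PuTTY:", host_key_matches(SAMPLE_PUBKEY_LINE, shown))
```

In practice you paste the contents of /etc/ssh/ssh_host_rsa_key.pub, obtained over a channel you already trust (the console, the VM host, a previously verified session), into pubkey_line. Fetching the key over the same, possibly hijacked, connection and comparing it with the dialog proves nothing, since a MITM box would serve its own key both times.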

This is how SSH works; now let's see what happens if there is a MITM attack:

Normal scenario :
=========================================================
Client ---- Gateway ---- SSH server
(the client's ARP cache maps the gateway's IP to the gateway's real MAC, and the gateway's cache maps the client's IP to the client's real MAC)

MITM scenario:
==========================================================
Client ---- MITM box ---- Gateway ---- SSH server
(the MITM box has told the client "I am the gateway" and the gateway "I am the client", so both directions of the session pass through it; it answers the client's SSH connection with its own host key and opens a second connection to the real server)

As is obvious, this time the server fingerprint changes, because the MITM box has to present its own host key to the client, and PuTTY displays a security warning that should be heeded; clicking Cancel prevents immediate damage. Not every such warning indicates a MITM attack, though: the host key may legitimately have changed, for instance because the box was reinstalled or its SSH host keys were regenerated when the SSH software was set up again.

A more reliable way to investigate is to run a packet sniffer while the SSH connection is being set up and compare the MAC address that answers for the box you are trying to reach (and for your gateway) with the MAC it is known to have. Any discrepancy is a strong sign that something fishy is going on.

One tool for MITM attacks is ettercap. Here is how its ARP poisoning works:

The box on which it runs sends spoofed ARP messages (unsolicited replies) to the other boxes, making them believe that its MAC address belongs to the legitimate box, for example the gateway. Packets directed to the legitimate machine are then delivered to the rogue box, which can intercept and manipulate them before forwarding them on.
In our scenario this is the box that advertises itself as the legitimate SSH server; because it must present its own host key, the fingerprint changes, which ideally should raise a few alarms.
Please note that the ARP entries ettercap plants are all dynamic, so making a static ARP entry on a box defeats the spoofing on that box. This is not totally effective, though: even if we make the client's ARP entry for the gateway static, the gateway still holds the spoofed entry that it thinks is the client, so the return path is still hijacked.
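The sniffer check described above, as an added example that is not part of the original post: a small detector that walks ARP sender bindings and flags two symptoms of ettercap-style poisoning, an IP whose MAC changes from the first (or a trusted, out-of-band) mapping, and one MAC answering for more than one IP, which is what happens when the rogue box claims to be both the gateway and the client. The records are a constructed capture, not real traffic; detect_arp_poisoning and the record layout are this example's own choices.

```python
# Added example, not from the original post: flag ettercap-style ARP
# poisoning in a stream of ARP sender bindings, as a sniffer check would.
from collections import defaultdict

# Constructed capture, (sender_ip, sender_mac) in arrival order. Both ARP
# requests and replies carry such a binding and caches may learn from either,
# so the opcode is not needed here. It mimics ettercap on de:ad:be:ef:00:01
# claiming both the gateway and the client after both answered for real.
SAMPLE_ARP = [
    ("192.168.1.1",  "00:11:22:33:44:01"),  # real gateway
    ("192.168.1.20", "00:11:22:33:44:20"),  # real client
    ("192.168.1.1",  "de:ad:be:ef:00:01"),  # rogue: "I am the gateway"
    ("192.168.1.20", "de:ad:be:ef:00:01"),  # rogue: "I am the client"
    ("192.168.1.1",  "de:ad:be:ef:00:01"),  # re-poison; already reported
]


def detect_arp_poisoning(records, trusted=None):
    """Return alerts as (kind, subject, mac) tuples, each reported once.

    kinds: 'ip-mac-changed'          an IP answered from a different MAC than
                                     the one first seen (or given in `trusted`)
           'mac-claims-multiple-ips' one MAC answered for more than one IP
    trusted: optional {ip: mac} learned out of band (switch CAM table, console,
    a static ARP entry); lets the very first poisoned packet be caught.
    """
    ip_to_mac = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    mac_to_ips = defaultdict(set)
    for ip, mac in ip_to_mac.items():
        mac_to_ips[mac].add(ip)
    alerts, reported_pairs, reported_macs = [], set(), set()
    for ip, mac in records:
        mac = mac.lower()
        known = ip_to_mac.get(ip)
        if known is None:
            ip_to_mac[ip] = mac      # first sighting: learn it (trust on first use)
        elif known != mac and (ip, mac) not in reported_pairs:
            alerts.append(("ip-mac-changed", ip, mac))
            reported_pairs.add((ip, mac))
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1 and mac not in reported_macs:
            alerts.append(("mac-claims-multiple-ips",
                           ",".join(sorted(mac_to_ips[mac])), mac))
            reported_macs.add(mac)
    return alerts


def format_alert(alert):
    kind, subject, mac = alert
    if kind == "ip-mac-changed":
        return "ALERT %s now answered by %s (possible ARP spoof)" % (subject, mac)
    return "ALERT %s answers for several IPs: %s" % (mac, subject)


if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE_ARP):
        print(format_alert(alert))
```

Feed it a trusted baseline (the gateway's real MAC from the switch, the console, or the static ARP entry mentioned above) so the first poisoned packet is caught even if ettercap answers before the legitimate host does; without it the detector only learns whatever it sees first. Expect false positives from hosts that legitimately answer for several addresses (proxy ARP, IP aliases, VRRP failover), so confirm a hit before acting on it.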

This was one of my posts on network security; I will continue to post more as my mortal mind gets to grips with the intricacies of networks and the ways to secure them.


Systems Admin Day  

Friday July 27 2007 - Systems Admin Day.

Definition of a sysadmin as per www.sysadminday.com is :

A sysadmin is a professional, with complex skills, ethical challenges, and a daunting job. Many, if not most, people find computers difficult to use, and sometimes they're unreliable. Being a sysadmin doesn't absolve someone of dealing with unreliable computers. Oh, one can dream of such a day, but the opposite is true; no one sees more dead computers in a day than a sysadmin. No one sees them doing truly baffling things, and no one has more stories of computers failing, acting possessed, or even catching on fire.

The challenge of a sysadmin is making a computing system -- a whole network of resources and servers and software -- work together, work right, work even when parts of it fail -- and work for you.

It was business as usual; however, the day seemed special.

So, all you folks out there who control the boxes that can be pinged or tracerouted... Happy Systems Admin Day.



Ubuntu  

Some time back, I had installed Ubuntu on VMware to set up a web testing environment (LAMP server). Today I booted the VM, then realised I had forgotten the password.
Here is what I did that saved me a complete reinstall:

1. Press Esc during the GRUB menu when the system boots up.
2. Type e on the entry you want to boot and highlight the line that starts with kernel.
3. Press e again to edit that line.
4. At the end of the line, add this: rw init=/bin/bash
5. Press Enter to accept the edited line, then b to boot with it.
6. Since the kernel parameters now launch bash in place of init, you get a root shell on the command line straight after boot, with the root filesystem mounted read-write.
7. I reset the password for my username with passwd, rebooted, and voila, I was able to log in from the GUI.
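An added example, not from the original post: an audit of a GRUB legacy menu.lst (the GRUB Ubuntu shipped at the time of this post) for the weakness the steps above rely on. The menu can be edited at the console by anyone unless it has a global `password` line, and an entry that already boots to a root shell (single, init=...) should carry `lock` so it cannot be chosen without that password. The menu.lst text is constructed for the example, and the hash in the hardened variant is a placeholder, not a real MD5-crypt hash.

```python
# Added example, not from the original post: audit a GRUB legacy menu.lst
# for the console-access weakness the password-reset steps exploit.

# Constructed sample menu.lst (not the author's); resembles a 2007 Ubuntu one.
SAMPLE_MENU_LST = """\
default 0
timeout 5

title Ubuntu, kernel 2.6.20-16-generic
root (hd0,0)
kernel /boot/vmlinuz-2.6.20-16-generic root=/dev/sda1 ro quiet splash
initrd /boot/initrd.img-2.6.20-16-generic

title Ubuntu, kernel 2.6.20-16-generic (recovery mode)
root (hd0,0)
kernel /boot/vmlinuz-2.6.20-16-generic root=/dev/sda1 ro single
initrd /boot/initrd.img-2.6.20-16-generic
"""

# Hardened variant: a global password line (the hash is a placeholder, not a
# real grub-md5-crypt output) and `lock` on the recovery entry, which already
# boots to a root shell.
HARDENED_MENU_LST = ("password --md5 $1$constructd$NOTAREALHASHxxxxxxxxxxxxx\n"
                     + SAMPLE_MENU_LST.replace("(recovery mode)\n",
                                               "(recovery mode)\nlock\n"))


def audit_menu_lst(text):
    """Parse the parts of menu.lst that matter for this check.

    Returns {'has_password': bool,
             'entries': [{'title': str, 'locked': bool, 'kernel_args': [str]}]}
    """
    has_password = False
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)          # menu.lst may use tabs or spaces
        cmd, arg = parts[0], (parts[1] if len(parts) > 1 else "")
        if cmd == "title":
            current = {"title": arg, "locked": False, "kernel_args": []}
            entries.append(current)
        elif cmd == "password" and current is None:
            has_password = True              # global: editing needs the password
        elif cmd == "lock" and current is not None:
            current["locked"] = True         # entry cannot boot unauthenticated
        elif cmd == "kernel" and current is not None:
            current["kernel_args"] = arg.split()[1:]   # drop the kernel path
    return {"has_password": has_password, "entries": entries}


def boots_to_root_shell(kernel_args):
    """'single' and 'init=...' both hand a root shell to whoever is at the console."""
    return any(a == "single" or a.startswith("init=") for a in kernel_args)


def findings(text):
    """Human-readable list of problems; empty means the menu is protected."""
    report = audit_menu_lst(text)
    out = []
    if not report["has_password"]:
        out.append("no global 'password' line: anyone at the console can press e, "
                   "append 'rw init=/bin/bash' to the kernel line and boot to a root shell")
    for entry in report["entries"]:
        if boots_to_root_shell(entry["kernel_args"]) and not entry["locked"]:
            out.append("entry '%s' boots to a root shell (%s) and has no 'lock'"
                       % (entry["title"], " ".join(entry["kernel_args"])))
    return out


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_MENU_LST), ("hardened", HARDENED_MENU_LST)):
        print(label + ":", findings(text) or ["ok"])
```

Run it against /boot/grub/menu.lst on the box; both findings the sample produces disappear once the password line and the lock are in place. Even then, a GRUB password only stops menu editing: booting from a live CD or moving the disk still gives root on an unencrypted filesystem, so treat it as one layer, not as a substitute for physical security or disk encryption. GRUB 2 uses a different configuration format (grub.cfg with superusers and password_pbkdf2), so this parser does not apply there.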

The funny thing about Linux/Unix is that there are n number of ways to do things you think can only be done by one method. I was going to use a live CD to do some R&D on this, but the Ubuntu forums saved me the extra work with the above method. The flip side is that this is exactly why console access is root access: anyone who can reach the GRUB menu can do the same unless GRUB is password-protected and, ideally, the disk is encrypted.


First post  

My first post; hopefully many more to come.

Today is Sunday and here I am with my T60p, typing whatever pops into my mortal mind while listening to James Blunt - You are beautiful.
Liked the song, checked his biography on the wiki: he was a captain in the British Army and penned the lyrics of some of his songs while he was in Kosovo on a peacekeeping mission. Interesting biography, though.
en.wikipedia.org/wiki/James_Blunt
http://youtube.com/watch?v=8Y7WDWP8WMs
