On Thu, 2004-11-04 at 12:14, HaJo Schatz wrote:
> On Thu, 2004-11-04 at 23:49, Scot L. Harris wrote:
>
> > At what point does the system log the ssh attempt? If it is after the
> > initial 3-way handshake, then I think an ssh attempt could be spoofed
> > without having to receive packets back from the target system. From
> > what I can tell, it appears that when you initiate an ssh attempt the
> > standard 3-way handshake is started. You send a SYN packet, the target
> > sends a SYN ACK packet. Normally, since you would not get the SYN ACK
> > packet, the connection would not be completed. However, if you
> > manufacture an ACK packet and send that a few seconds after you send the
> > SYN packet, I think you would have a good chance of completing the
> > handshake. If that gets logged as an SSH attempt, then the active
> > response system in place may block the spoofed sender IP address.
>
> I have tried that. You have to have your login and password transmitted
> before the log entry appears through syslog (which makes sense, as the
> credentials appear in the log as well). I believe it's pretty hard to
> "pre-guess" (what a word) the authentication/encryption handshake to
> spoof an IP ;-)

That makes sense. Will have to find some time to look at this a little
more. :)

--
Scot L. Harris
webid@xxxxxxxxxx

Yield to Temptation ... it may not pass your way again.
-- Lazarus Long, "Time Enough for Love"
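The two points argued in the thread above (whether a blind, source-spoofed ACK can complete the handshake, and the fact that sshd only writes its log line once credentials arrive over a completed session) can be made concrete with a small simulation. The block below is an added example, not code from the list or from any real sshd or TCP stack; the Listener class, the hypothetical IP addresses and the 64000 ISN step are all constructed. It goes slightly beyond the thread: it contrasts an old-style predictable ISN generator, where the "good chance" described above does hold once you have probed the current ISN, with a randomized ISN, where the blind ACK is a 1-in-2^32 guess. In both cases the key-exchange reply is also routed to the spoofed address, so the attacker cannot produce credentials the server will accept, and no log line (and hence no active-response block) results.

```python
"""Toy model of a blind, source-spoofed TCP handshake against an sshd-like
listener. Constructed example for illustration; nothing here touches a
network, and every name and address is hypothetical."""
import random

MASK32 = 0xFFFFFFFF
BSD_ISN_STEP = 64000   # increment of the old 4.2BSD-style ISN generator (assumed here)


class Listener:
    """One TCP port with a predictable or a random ISN generator, plus an
    application layer that only logs once credentials arrive over a session
    whose key exchange completed."""

    def __init__(self, predictable_isn=False, seed=None):
        self.rng = random.Random(seed)
        self.predictable_isn = predictable_isn
        self.next_isn = 0x10000
        self.half_open = {}     # src -> server ISN
        self.sessions = {}      # src -> session secret from key exchange
        self.log = []           # what would reach syslog

    def _new_isn(self):
        if self.predictable_isn:
            isn = self.next_isn
            self.next_isn = (self.next_isn + BSD_ISN_STEP) & MASK32
            return isn
        return self.rng.getrandbits(32)

    def on_syn(self, src, client_seq):
        """Return the SYN-ACK. It is routed to src, so a spoofer never sees it."""
        isn = self._new_isn()
        self.half_open[src] = isn
        return {"flags": "SA", "seq": isn, "ack": (client_seq + 1) & MASK32}

    def on_ack(self, src, ack):
        """Third packet of the handshake. Returns the key-exchange reply on
        success (again routed to src), or None if the ACK is unacceptable."""
        isn = self.half_open.get(src)
        if isn is None or ack != (isn + 1) & MASK32:
            return None                     # RFC 793: unacceptable ACK, no connection
        del self.half_open[src]
        secret = self.rng.getrandbits(32)   # stands in for the DH-derived session key
        self.sessions[src] = secret
        return {"kex_reply": secret}

    def on_credentials(self, src, user, session_key):
        """Only here does a 'Failed password' line reach syslog."""
        if self.sessions.get(src) != session_key:
            return False                    # cannot be decrypted: dropped, nothing logged
        self.log.append(f"Failed password for {user} from {src[0]}")
        return True


def probe_isn(listener, attacker_ip="198.51.100.7"):
    """A legitimate, non-spoofed SYN shows the attacker the current ISN."""
    return listener.on_syn((attacker_ip, 40001), 1)["seq"]


def blind_attempt(listener, victim_ip, guessed_isn, guessed_key=0):
    """Spoof victim_ip: send SYN, never see the SYN-ACK, send an ACK built
    from a guessed ISN, then blindly push 'credentials'.
    Returns (handshake_completed, log_line_written)."""
    src = (victim_ip, 40002)
    listener.on_syn(src, 7)                                   # SYN-ACK goes to victim_ip
    handshake = listener.on_ack(src, (guessed_isn + 1) & MASK32) is not None
    logged = handshake and listener.on_credentials(src, "root", guessed_key)
    return handshake, logged


def honest_attempt(listener, client_ip="203.0.113.5"):
    """A real client sees both replies and therefore does get logged."""
    src = (client_ip, 40003)
    synack = listener.on_syn(src, 7)
    kex = listener.on_ack(src, (synack["seq"] + 1) & MASK32)
    return listener.on_credentials(src, "root", kex["kex_reply"])


if __name__ == "__main__":
    old = Listener(predictable_isn=True, seed=1)
    print("predictable ISN:", blind_attempt(old, "10.0.0.9", probe_isn(old) + BSD_ISN_STEP))
    new = Listener(predictable_isn=False, seed=1)
    print("random ISN:     ", blind_attempt(new, "10.0.0.9", probe_isn(new) + BSD_ISN_STEP))
    print("honest client:  ", honest_attempt(new), new.log)
```

With the predictable generator the blind ACK lands (handshake True) but no log line is written, because the session key in the key-exchange reply was also delivered to the spoofed address; with the random generator even the handshake fails. Either way the spoofed source never appears in the log, which is the outcome HaJo reports from trying it.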