Old 12-04-2009, 10:14 PM
"Joseph L. Casale"
 
Default two questions about ssh tunneling

>if I:
>
>ssh -fND localhost:6000 somebody@192.168.56.5 -p PORTNUMBER
>
>from computer "A" to computer "B" [B = 192.168.56.5] then I can set the SOCKS proxy for e.g.: Firefox to use "localhost:6000" on computer "A". Ok. I can surf the web through "B".
>
>But:
>- Can anyone sniff the traffic of "A"? [e.g.: computers on same subnet as "A"] Like DNS requests? - I think no, but I'm not sure :O

Sure, that's possible if your name resolution traverses a network path interceptable
by the guy sniffing.

>- Can anyone sniff the traffic of computer "B"? e.g.: B computer is at a server farm [others in the farm can see the traffic?] - I think yes, but I'm not sure :O

Same thing, if the outbound web traffic leaves that host via a route another op has
access to, like a switch with a mirror port, he can easily see what's moving back and
forth.
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 12-04-2009, 10:40 PM
Andrew Harley
 
Default two questions about ssh tunneling

On Sat, 5 Dec 2009 10:14:01 am Joseph L. Casale wrote:

> >if I:
> >
> >ssh -fND localhost:6000 somebody@192.168.56.5 -p PORTNUMBER
> >
> >from computer "A" to computer "B" [B = 192.168.56.5] then I can set the
> > SOCKS proxy for e.g.: Firefox to use "localhost:6000" on computer "A".
> > Ok. I can surf the web through "B".
> >
> >But:
> >- Can anyone sniff the traffic of "A"? [e.g.: computers on same subnet as
> > "A"] Like DNS requests? - I think no, but I'm not sure :O
>
> Sure, that's possible if your name resolution traverses a network path
> interceptable by the guy sniffing.
>

You can tell Firefox to use the SOCKS proxy for DNS requests as well by typing about:config in the URL bar and setting "network.proxy.socks_remote_dns" to true.
 
Old 12-04-2009, 10:49 PM
Les Mikesell
 
Default two questions about ssh tunneling

Tudod Ki wrote:
> if I:
>
> ssh -fND localhost:6000 somebody@192.168.56.5 -p PORTNUMBER
>
> from computer "A" to computer "B" [B = 192.168.56.5] then I can set the
> SOCKS proxy for e.g.: Firefox to use "localhost:6000" on computer "A".
> Ok. I can surf the web through "B".
>
> But:
> - Can anyone sniff the traffic of "A"? [e.g.: computers on same subnet
> as "A"] Like DNS requests? - I think no, but I'm not sure :O

The packets between A and B will be visible only as encrypted ssh
packets. DNS lookups will depend on the client socks protocol. Socks4
did the lookups on the client and was extended as socks4a to do DNS on
the server. Socks5 lets the server handle DNS.

> - Can anyone sniff the traffic of computer "B"? e.g.: B computer is at a
> server farm [others in the farm can see the traffic?] - I think yes, but
> I'm not sure :O

The A-B connection will appear here as well, as encrypted ssh packets.
The proxied outbound connections will be unencrypted but will appear to
originate from B. If you are the only one connected it wouldn't be too
hard to deduce what is going on - and the packets will mostly correspond
one for one timing wise. So, the connection wouldn't be obvious, but I
wouldn't count on not getting caught if you are doing something illegal.

--
Les Mikesell
lesmikesell@gmail.com
 
Old 12-05-2009, 10:59 PM
Celejar
 
Default two questions about ssh tunneling

On Fri, 4 Dec 2009 14:13:11 -0800
Tyler MacDonald <tyler@macdonald.name> wrote:

...

> I believe when you use SOCKS, your browser stops doing DNS resolution and
> just hands the hostnames directly to the SOCKS server. So all they would be
> able to sniff is your encrypted SSH session, which they (hopefully) can't
> decrypt.

Are you sure that applications using SOCKS aren't doing their own DNS
resolution? The Tor FAQ suggests that they often do:

"Where SOCKS comes in. Your application uses the SOCKS protocol to
connect to your local Tor client. There are 3 versions of SOCKS you are
likely to run into: SOCKS 4 (which only uses IP addresses), SOCKS 5
(which usually uses IP addresses in practice), and SOCKS 4a (which uses
hostnames).

When your application uses SOCKS 4 or SOCKS 5 to give Tor an IP
address, Tor guesses that it 'probably' got the IP address
non-anonymously from a DNS server. That's why it gives you a warning
message: you probably aren't as anonymous as you think."

https://wiki.torproject.org/noreply/TheOnionRouter/TorFAQ#SOCKSAndDNS

Celejar
--
foffl.sourceforge.net - Feeds OFFLine, an offline RSS/Atom aggregator
mailmin.sourceforge.net - remote access via secure (OpenPGP) email
ssuds.sourceforge.net - A Simple Sudoku Solver and Generator


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
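
As an added illustration of the SOCKS4 / SOCKS4a / SOCKS5 distinction raised in the replies above (not code from any poster in this thread), this Python parser reads one SOCKS CONNECT request and reports whether it carries an IP address, meaning any name lookup already happened on the client outside the tunnel, or a hostname that the proxy end resolves. The function name `classify_socks_request`, the `dns_at` field and the sample bytes are assumptions made for the example; the byte layouts follow the SOCKS4/4a specifications and RFC 1928, and for SOCKS5 the parser expects the request that follows the method-negotiation greeting.

```python
import ipaddress
import struct

def classify_socks_request(data: bytes) -> dict:
    """Parse one SOCKS CONNECT request and report where the name was resolved."""
    def result(proto, target, port, dns_at):
        return {"proto": proto, "target": target, "port": port, "dns_at": dns_at}

    if len(data) < 5 or data[1] != 1:
        raise ValueError("not a complete SOCKS CONNECT request")
    if data[0] == 4:
        if len(data) < 9:
            raise ValueError("truncated SOCKS4 request")
        port = struct.unpack("!H", data[2:4])[0]
        ip, rest = data[4:8], data[8:]
        _userid, sep, tail = rest.partition(b"\x00")
        if not sep:
            raise ValueError("unterminated USERID")
        # SOCKS4a signals "hostname follows" with the invalid address 0.0.0.x, x != 0
        if ip[:3] == b"\x00\x00\x00" and ip[3] != 0:
            host, sep, _ = tail.partition(b"\x00")
            if not sep or not host:
                raise ValueError("SOCKS4a request without hostname")
            return result("SOCKS4a", host.decode("ascii"), port, "proxy")
        # Plain SOCKS4 can only carry an IP: a name, if any, was resolved locally
        return result("SOCKS4", str(ipaddress.ip_address(ip)), port, "client")
    if data[0] == 5:
        atyp = data[3]
        if atyp == 3:  # domain name: one length byte, then the name
            end = 5 + data[4]
            target, dns_at = data[5:end].decode("ascii"), "proxy"
        elif atyp in (1, 4):  # IPv4 or IPv6 literal: resolved before the request
            end = 4 + (4 if atyp == 1 else 16)
            target, dns_at = str(ipaddress.ip_address(data[4:end])), "client"
        else:
            raise ValueError("unknown ATYP")
        if len(data) < end + 2:
            raise ValueError("truncated SOCKS5 request")
        return result("SOCKS5", target, struct.unpack("!H", data[end:end + 2])[0], dns_at)
    raise ValueError("not SOCKS4/4a/5")

# Constructed sample requests (not captured traffic); 192.0.2.10 is a documentation address.
SAMPLES = {
    "socks4": b"\x04\x01\x00\x50\xc0\x00\x02\x0a" + b"user\x00",
    "socks4a": b"\x04\x01\x00\x50\x00\x00\x00\x01" + b"user\x00" + b"example.org\x00",
    "socks5_ip": b"\x05\x01\x00\x01\xc0\x00\x02\x0a\x00\x50",
    "socks5_name": b"\x05\x01\x00\x03\x0bexample.org\x00\x50",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, classify_socks_request(raw))
```

A SOCKS5 client can send either form, so the address type in the request, not the protocol version alone, shows whether DNS stayed inside the tunnel.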
 
Old 12-05-2009, 11:54 PM
Celejar
 
Default two questions about ssh tunneling

On Fri, 4 Dec 2009 14:13:11 -0800
Tyler MacDonald <tyler@macdonald.name> wrote:

> Tudod Ki <tudodki88@yahoo.com> wrote:

...

> > - Can anyone sniff the traffic of computer "B"? e.g.: B computer is at a
> > - server farm [others in the farm can see the traffic?] - I think yes, but
> > - I'm not sure :O
>
> Yes, that's possible. However, in most colocated environments, you are on
> a switch, not a hub -- so in that case, the attacker would have to be
> sniffing directly from a router to see your traffic. If you want to know for
> sure, ask your ISP.

But IIUC, even where switches are used, MITM attacks to sniff traffic
are still possible for other hosts on the LAN, either through ARP
poisoning, or through port stealing if the switch isn't implementing
port security:

http://ettercap.sourceforge.net/forum/viewtopic.php?t=2392
http://ettercap.sourceforge.net/forum/viewtopic.php?t=2329

Celejar
 
