[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Systematically finding bad relays (was: Anecdotical experience of SSH MITM)

To: tor-talk@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-talk] Systematically finding bad relays (was: Anecdotical experience of SSH MITM)
From: eric gisse <jowr.pi@xxxxxxxxx>
Date: Wed, 19 Jul 2017 16:39:41 -0500
Delivered-to: archiver@xxxxxxxx
Delivery-date: Wed, 19 Jul 2017 17:40:03 -0400
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to; bh=kFF8FhDU8Yo9P8fuL/uTs4kXwQyXXF6Oj9AQqTi31Z0=; b=FDDgP1yl/A2ExY7k0gIWVvHW9Hkfvy9fvBppeGoIhpVyndxzJWdz4UGQ7UMRDNYHfY zSx00o+zr1TLEZqCoyyOCJJGQm5dGMTzu5NRfvl2mtmkv0qE+/28yPwViwwEmvQbZJ+Q GNwXz05SX2/FSMByOdk9wlyGer8hFmMc5tsIcufuMP7OxuSO6LmxESiVOFkdEffT4M0l D4fBvlcEM9+HpFJ95DtBEj/9VtYUG+JFVuPX2EAl4RFu2qS75v/xhlyIhjiTw5Oq0tPH xkhONEjoxG6s6Z/j27ouTaUcdpNs1Q+Dno3KfPWejp//LO9keCpyEwHdp+dgOdl3jJRD t0FQ==
In-reply-to: <20170719200257.gj6mgoudf7jxyapk@riseup.net>
List-archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-id: "all discussion about theory, design, and development of Onion Routing" <tor-talk.lists.torproject.org>
List-post: <mailto:tor-talk@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
References: <20170715113352.GA18799@lo.psyced.org> <9D52FEE1-7379-40D7-BB72-28E51BB317FF@riseup.net> <20170719145913.GA29141@lo.psyced.org> <20170719173654.qmrewtszjmlv7hqs@riseup.net> <CAHZ_AjuVsOKFooDB9isWFzga169a6e6VtAm0o11tzjX31gM7bA@mail.gmail.com> <20170719200257.gj6mgoudf7jxyapk@riseup.net>
Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-talk" <tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx>

Ooooooh, fascinating.

The academic paper is interesting and covers the high points of the
type of things you would want to look for. And some things you
wouldn't think that you should, like connection sampling rather than
binary "is sniffing" / "is not sniffing". (ha ha, n^2 fuckup)

Looking at the exitmap source, as I was curious what modules
existed....the problem I see is that it does not have modules that are
capable of the more difficult to pull off things like SSH honeypot
detection.

Should have called the damn thing "inverse-metasploit".

The idea is solid but the implementation has to keep up with the
times. Specific attack vectors like
CVE-2014-3566 (or any other sort of TLS/SSL downgrade attack) need to
be tested for, and all that. Which makes the "inverse-metasploit"
notion all the more compelling.

Other things come to mind like testing for binary patching (eg, ninja
exe patching).

Some of these things are easier to detect than others.

I'm going to put a pin in this and think about it.

On Wed, Jul 19, 2017 at 3:02 PM, Philipp Winter <phw@xxxxxxxxx> wrote:
> On Wed, Jul 19, 2017 at 01:43:32PM -0500, eric gisse wrote:
>> Is there any notion of doing a sort of automated testing for things
>> like this that can be easily proven?
>
> Yes, the blog post I linked to contains some more information.  We are
> using tools such as exitmap [1] to systematically scan the network for
> attacks such as DNS poisoning, SSL stripping, HTTPS MitM, and XMPP MitM,
> just to name a few.  We are always looking for more ideas on what to
> scan for, so let us know if you have any!
>
> [1] <https://gitweb.torproject.org/user/phw/exitmap.git/>
>     <https://nymity.ch/pdf/winter2014b.pdf>
> --
> tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
> To unsubscribe or change other settings go to
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Follow-Ups:
- Re: [tor-talk] Systematically finding bad relays (was: Anecdotical experience of SSH MITM)
  - From: Philipp Winter

References:
- [tor-talk] Anecdotical experience of SSH MITM
  - From: carlo von lynX
- Re: [tor-talk] Anecdotical experience of SSH MITM
  - From: flipchan
- Re: [tor-talk] Anecdotical experience of SSH MITM
  - From: carlo von lynX
- Re: [tor-talk] Anecdotical experience of SSH MITM
  - From: Philipp Winter
- Re: [tor-talk] Anecdotical experience of SSH MITM
  - From: eric gisse
- [tor-talk] Systematically finding bad relays (was: Anecdotical experience of SSH MITM)
  - From: Philipp Winter

Prev by Author: Re: [tor-talk] Tor Router
Next by Author: Re: [tor-talk] CIA attacking SSH (was tor-talk Digest, Vol 78, Issue 4)
Previous by thread: [tor-talk] Systematically finding bad relays (was: Anecdotical experience of SSH MITM)
Next by thread: Re: [tor-talk] Systematically finding bad relays (was: Anecdotical experience of SSH MITM)
Index(es):
- Author
- Thread