SSH Captchas and Man In The Middle Attacks

Posted in hmmm, security

When I attempt to log into a server that I don’t have a key for,

rootninja@localhost ~$ ssh root@awesome

The first thing I see is this familiar message. Of course I quickly ignore it and say “yes” so I can continue. The fingerprint gets stored in ~/.ssh/known_hosts.

The authenticity of host 'awesome (10.1.10.42)' can't be established.
RSA key fingerprint is 4a:ej:1o:gk:7e:41:a2:e3:f4:95:16:c7:fh:za:dh:ca.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'awesome,10.1.10.42' (RSA) to the list of known hosts.

Now I type in the password and I'm on my way.

root@awesome's password:
Last login: Fri Feb 5 10:23:23 2010 from 64.13.134.48
[root@awesome ~]#

But how do I know I'm talking to the awesome server I was attempting to connect to? There's a chance that someone else stepped in between me and awesome, taking whatever I type and forwarding it on to the real awesome server while posing as me.

For this example, let's keep it simple. In DNS, awesome is the name of the server at 10.1.1.42. So someone must have edited my hosts file and added an entry for awesome at 10.1.10.42. But I wasn't paying attention, or didn't know the real address for awesome in the first place. It says root@awesome now that I've logged in, so why would I guess otherwise?
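The check this scenario calls for is comparing the fingerprint in that prompt against one obtained out-of-band, for example computed from /etc/ssh/ssh_host_rsa_key.pub on the real server. The following is an added example, not code from the original post: it computes OpenSSH-style fingerprints from a public-key blob and looks up what ~/.ssh/known_hosts already stores for a name, including the hashed `|1|` form written when HashKnownHosts is on. The key blob and known_hosts lines are constructed for the example.

```python
import base64
import hashlib
import hmac

def ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the payload."""
    return len(b).to_bytes(4, "big") + b

def ssh_mpint(n: int) -> bytes:
    """SSH wire-format mpint for a positive integer (leading 0x00 if the high bit is set)."""
    return ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))

# Constructed sample key: structurally valid "ssh-rsa" wire format with a toy
# 64-bit modulus. Synthetic for this example, not a real host key.
SAMPLE_BLOB = ssh_string(b"ssh-rsa") + ssh_mpint(65537) + ssh_mpint(0xC0FFEE1234567891)
SAMPLE_PUBKEY_LINE = "ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode()

def fingerprint_md5(blob: bytes) -> str:
    """Legacy colon-separated hex fingerprint, the style the ssh prompt above shows."""
    h = hashlib.md5(blob).hexdigest()
    return ":".join(h[i:i + 2] for i in range(0, 32, 2))

def fingerprint_sha256(blob: bytes) -> str:
    """Modern OpenSSH fingerprint: base64 of SHA-256 with the '=' padding stripped."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def hashed_hostname(name: str, salt: bytes) -> str:
    """The '|1|salt|hash' host field of a hashed known_hosts entry (HMAC-SHA1 of the name)."""
    mac = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def host_matches(field: str, name: str) -> bool:
    """True if a known_hosts host field (plain name, comma list, or hashed) covers name."""
    if field.startswith("|1|"):
        _, _, salt_b64, _ = field.split("|")
        return hmac.compare_digest(hashed_hostname(name, base64.b64decode(salt_b64)), field)
    return name in field.split(",")

def known_fingerprints(known_hosts: str, name: str) -> list:
    """MD5 fingerprints of every key known_hosts stores for name, for out-of-band comparison."""
    found = []
    for line in known_hosts.splitlines():
        parts = line.split()
        if len(parts) >= 3 and host_matches(parts[0], name):
            found.append(fingerprint_md5(base64.b64decode(parts[2])))
    return found

if __name__ == "__main__":
    # Constructed known_hosts line, in the form the "Permanently added" warning describes.
    known = "awesome,10.1.10.42 " + SAMPLE_PUBKEY_LINE
    print("server key:", fingerprint_md5(SAMPLE_BLOB), fingerprint_sha256(SAMPLE_BLOB))
    print("stored for awesome:", known_fingerprints(known, "awesome"))
```

Run the same fingerprint function over the real server's public key file and over your known_hosts entry; a mismatch, or a stored entry for an address DNS does not give you, is the signal the post is talking about.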

I can see a use of this type of attack for getting around captchas. If I host a web page that gives you access to download free mp3s, and all you have to do is complete a captcha to get it, what if I get that captcha from another site? I mean, when you load my page, I load the site I want to attack and show you their captcha instead?! That would basically make you my captcha-cracking-conscript!

[Image: hard math captcha]

Unless I had a lot of traffic, I guess I wouldn't churn through captchas very fast (especially with this captcha!). But seriously, real humans going through the captchas should actually make my traffic look very real. You could use this to create accounts on forums and blogs that require captchas in order to leave automated comments. You could even use the inputted captcha text to generate the account name. Not that I'm condoning this sort of behavior or anything! It's just an interesting mental exercise. Don't try this at home!

Posted by admica @ 5 February 2010