[lug] WRT54GL is snarfing ssh port-forwarded HTTP traffic

David L. Anselmi anselmi at anselmi.us
Sat Jun 9 18:53:10 MDT 2012


Jed S. Baer wrote:
> So I take machine A and connect to a wifi network, to tunnel in to B, as
> follows:
> ssh -L 10101:hostname:80 -p portnum user@hostname
> where portnum is the port sshd is listening on, on host B
[...]
> When I fire up a web browser to connect to http://localhost:10101/, what
> happens is I get the http auth dialog from the WRT's internal web server.
> If I attempt to use http://localhost:10101/doku/ I get an error page
> showing '400 bad request illegal filename'.

So I would conclude that your browser is connecting to the WRT, not the local SSH socket that is
forwarded.  Is there anything causing localhost to resolve to the WRT's address?

> I've used wireshark to try to see what's happening, and nothing reveals
> itself. I don't see unencrypted http packets outbound from A. If I snoop
> on eth0 and the loopback device on B, there's nothing to see, because
> nothing is getting through. If I snoop on the ethernet device on A I see
> the unencrypted traffic from the WRT.

How is the WRT sending HTTP to A?  What ports on A and the WRT?  Who sent the SYN to set up the 
connection?

Dave
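
One way to check the name-resolution question raised in the reply above (an added example, not part of the original thread): the script lists what `localhost` maps to in a hosts file and from the live resolver, and flags any address that is not loopback. `SAMPLE_HOSTS` and the address 192.168.1.1 are constructed for illustration; 10101 is the forwarded port from the quoted command.

```python
import ipaddress
import socket

# Constructed sample: a hosts file in which "localhost" has been mapped to a
# LAN address. 192.168.1.1 is a made-up value, not taken from the thread.
SAMPLE_HOSTS = """\
127.0.0.1   localhost.localdomain
192.168.1.1 localhost wrt   # constructed bad entry
::1         localhost ip6-localhost
"""

def hosts_entries(text, name):
    """Return the addresses that hosts-file text assigns to `name`."""
    found = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, split columns
        if len(fields) >= 2 and name.lower() in (f.lower() for f in fields[1:]):
            found.append(fields[0])
    return found

def non_loopback(addresses):
    """Return the addresses that are not loopback (127.0.0.0/8 or ::1)."""
    bad = []
    for addr in addresses:
        try:
            ip = ipaddress.ip_address(addr.split("%", 1)[0])  # strip IPv6 zone id
        except ValueError:
            bad.append(addr)  # unparseable entries are suspicious too
            continue
        if not ip.is_loopback:
            bad.append(addr)
    return bad

def resolve(name, port):
    """Addresses the system resolver returns for `name`."""
    try:
        infos = socket.getaddrinfo(name, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

if __name__ == "__main__":
    live = resolve("localhost", 10101)
    print("resolver:", live, "non-loopback:", non_loopback(live))
    try:
        with open("/etc/hosts") as fh:
            print("/etc/hosts:", hosts_entries(fh.read(), "localhost"))
    except OSError as exc:
        print("cannot read /etc/hosts:", exc)
```

Any non-loopback address in the output means connections to `localhost:10101` can leave the machine instead of reaching the forwarded SSH socket.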
