[lug] WRT54GL is snarfing ssh port-forwarded HTTP traffic

Jed S. Baer blug at jbaer.cotse.net
Sat Jun 9 21:11:14 MDT 2012


On Sat, 09 Jun 2012 18:53:10 -0600
David L. Anselmi wrote:

> Jed S. Baer wrote:
> > So I take machine A and connect to a wifi network, to tunnel in to B,
> > as follows:
> > ssh -L 10101:hostname:80 -p portnum user@hostname
> > where portnum is the port sshd is listening on, on host B
> [...]
> > When I fire up a web browser to connect to http://localhost:10101/,
> > what happens is I get the http auth dialog from the WRT's internal
> > web server. If I attempt to use http://localhost:10101/doku/ I get an
> > error page showing '400 bad request illegal filename'.
> 
> So I would conclude that your browser is connecting to the WRT, not the
> local SSH socket that is forwarded.  Is there anything causing localhost to
> resolve to the WRT's address?

Well, that is a good question, and if that's what's happening, I would
sure like to figure out why. At one point in testing, I was able to use
netstat to show an open socket from a 30,000 range port (I assume opened
by the web browser for the outgoing connect) to 10101, on the loopback
device, and another going the other direction. I think this was while I
was using Firefox. I also tested using Uzbl, Lynx, and wget. I admit to
being stumped as to how localhost on machine A would somehow resolve to
192.168.0.1, or to the routable IP address of the WRT. A suggested
incantation to type at the command line would help, because I must not be
looking in the right place.

> > I've used wireshark to try to see what's happening, and nothing
> > reveals itself. I don't see unencrypted http packets outbound from A.
> > If I snoop on eth0 and the loopback device on B, there's nothing to
> > see, because nothing is getting through. If I snoop on the ethernet
> > device on A I see the unencrypted traffic from the WRT.
> 
> How is the WRT sending HTTP to A?  What ports on A and the WRT?  Who
> sent the SYN to set up the connection?
> 
> Dave

Well, I admit I didn't look at that specifically, because I was
gobsmacked at seeing unencrypted traffic over what was supposed to be an
encrypted ssh tunnel. I will see what I can find with wireshark again.

jed
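One concrete "incantation" for the question raised above (is something on machine A making `localhost` resolve to the router?) is to audit the hosts file and the live resolver answer. The script below is an added example, not code from this thread; it builds a constructed sample hosts file with one bogus entry, reports any line that maps `localhost` to a non-loopback address, and (optionally) shows what `getent` and `ss`/`netstat` say on the machine it runs on. The function names and the sample file contents are assumptions for illustration.

```sh
#!/bin/sh
# Added diagnostic for an "ssh -L localhost:PORT" forward that seems to reach
# the wrong host. Not part of the original mailing-list thread.

# Print every hosts-file entry that maps "localhost" (or localhost.localdomain)
# to an address that is not 127.x.x.x or ::1. Returns 1 if any are found.
# Usage: check_localhost_hosts /etc/hosts
check_localhost_hosts() {
    hosts_file="$1"
    offenders=$(sed 's/#.*//' "$hosts_file" | awk '
        NF >= 2 {
            for (i = 2; i <= NF; i++)
                if ($i == "localhost" || $i == "localhost.localdomain")
                    if ($1 !~ /^127\./ && $1 != "::1")
                        print "localhost -> " $1
        }')
    if [ -n "$offenders" ]; then
        echo "$offenders"
        return 1
    fi
    return 0
}

# Build a constructed sample hosts file (NOT a real system file) containing
# one hijacking entry, so the check above can be exercised offline.
make_sample_hosts() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
127.0.0.1   localhost
::1         localhost ip6-localhost
# constructed bogus entry: would send http://localhost:10101/ to the router
192.168.0.1 localhost router
EOF
    echo "$tmp"
}

# Live checks for the machine this runs on: what the resolver actually returns
# for "localhost", and whether the forwarded port is bound on loopback only.
# Output depends on the host, so nothing here is asserted on.
live_checks() {
    port="${1:-10101}"
    if command -v getent >/dev/null 2>&1; then
        echo "resolver answer for localhost:"
        getent hosts localhost
    fi
    if command -v ss >/dev/null 2>&1; then
        ss -ltn | grep ":$port " || echo "no listener on port $port"
    elif command -v netstat >/dev/null 2>&1; then
        netstat -ltn | grep ":$port " || echo "no listener on port $port"
    fi
}

# Stand-alone run: audit the constructed sample, then the real /etc/hosts if
# present, then the live resolver/listener state.
if [ "${0##*/}" = "check_localhost.sh" ]; then
    sample=$(make_sample_hosts)
    echo "== constructed sample =="
    check_localhost_hosts "$sample" || echo "hijack entry found (expected)"
    rm -f "$sample"
    if [ -r /etc/hosts ]; then
        echo "== /etc/hosts =="
        check_localhost_hosts /etc/hosts && echo "localhost maps only to loopback"
    fi
    live_checks 10101
fi
```

A clean hosts file produces no output and a zero exit status; a line like `192.168.0.1 localhost` is reported and the function returns 1. If the hosts file is clean but `getent hosts localhost` still returns a non-loopback address, the culprit is elsewhere in the resolver chain (nsswitch order, a local DNS cache, or a resolver on the wifi network), which narrows the search in the same way.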