Man in the Middle/SSH
It is possible to man-in-the-middle an SSH connection.
First, let's discuss how SSH works, then we'll enumerate the different ways of attacking it.
How SSH works
SSH works by creating a secure (SSL) connection between two computers. The process is similar to, but not the same as, the way a browser makes an HTTPS connection.
SSH is ultimately a connection happening at network layer 4 - the transport layer - the TCP layer. SSH sessions are just a series of TCP packets being exchanged. So a MITM attack on SSH looks much like a MITM attack on HTTP, HTTPS, or any other kind of traffic.
Suppose a sheep is connecting to a server. To verify the identity of the server, the server will send its public key (the public "fingerprint" portion of its RSA keys) over to the sheep. (If you encrypt traffic using that public key, only the person in control of the corresponding private key can decrypt it.) The sheep will check whether this is a machine whose hostname or IP address they have connected to before (recorded in the ~/.ssh/known_hosts file).
Suppose the sheep has connected to this hostname before. Then the sheep will compare the public key that was sent by the server to the public key that the sheep saw previously (and recorded in the known_hosts file). If the two match, it means it's the same machine as before, and the sheep trusts it. The sheep will proceed with the SSH connection. If the public keys do not match, you'll see a big warning message about a possible man-in-the-middle attack, or someone trying to do something nasty. This is because the public key has changed - the same hostname now leads to a different machine. To bypass the message, the sheep must explicitly remove the existing entry from their known_hosts file.
This could happen because of a man-in-the-middle attack - similar to the way an attacker might present a fake certificate that doesn't check out with the domain. Or, it could happen because the IT department rerouted some hostnames to different machines.
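As an added example (not part of the original page), here is a Python sketch of the known_hosts comparison described above, run against a constructed known_hosts file: it reports "match", "mismatch" (the possible man-in-the-middle case that triggers the warning) or "unknown" (a host never seen before). All hostnames and key blobs are constructed; the code handles plain, comma-separated and hashed (|1|...) entries but not wildcard patterns or @cert-authority/@revoked markers.

```python
import base64, hashlib, hmac

def fingerprint(key_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64 host key blob (what the warning shows)."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def host_matches(pattern: str, host: str) -> bool:
    """Match one known_hosts host field: plain name, comma list, [host]:port, or |1| hashed."""
    if pattern.startswith("|1|"):
        # Hashed entry: |1|base64(salt)|base64(HMAC-SHA1(salt, hostname))
        _, _, salt_b64, mac_b64 = pattern.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(mac_b64))
    return host in pattern.split(",")

def check_host_key(known_hosts: str, host: str, keytype: str, key_b64: str) -> str:
    """Return 'match', 'mismatch' or 'unknown' for the key a server presented."""
    seen_host = False
    for line in known_hosts.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith(("#", "@")):
            continue  # blank/comment lines; CA and revocation markers are out of scope here
        if not host_matches(fields[0], host) or fields[1] != keytype:
            continue
        seen_host = True
        if fields[2] == key_b64:
            return "match"
    # Host was known but every recorded key differs: this is the MITM warning case.
    return "mismatch" if seen_host else "unknown"

# Constructed sample data (not real keys): one plain entry and one hashed entry.
GOOD_KEY = base64.b64encode(b"constructed ed25519 host key blob").decode()
ROGUE_KEY = base64.b64encode(b"constructed key from a different machine").decode()
_SALT = b"constructed-20byte-s"
_MAC = hmac.new(_SALT, b"hashed.example.org", hashlib.sha1).digest()
KNOWN_HOSTS = "\n".join([
    "# constructed ~/.ssh/known_hosts",
    f"plain.example.org,10.0.0.5 ssh-ed25519 {GOOD_KEY}",
    f"|1|{base64.b64encode(_SALT).decode()}|{base64.b64encode(_MAC).decode()} ssh-ed25519 {GOOD_KEY}",
])

if __name__ == "__main__":
    for host, key in [("plain.example.org", GOOD_KEY), ("hashed.example.org", GOOD_KEY),
                      ("10.0.0.5", ROGUE_KEY), ("new.example.org", GOOD_KEY)]:
        verdict = check_host_key(KNOWN_HOSTS, host, "ssh-ed25519", key)
        print(f"{host:20} {fingerprint(key)} -> {verdict}")
```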
SSH MITM attack types
A successful MITM attack on SSH can happen a couple of ways:
- An attack on the protocol, to downgrade the encryption cipher or SSH/SSL version being used
- An attack that obtains the sheep's private keys
More on protocol attacks goes here.
Keys Treasure Trove
A treasure trove of keys:
- Rapid7 ssh-badkeys: https://github.com/rapid7/ssh-badkeys
- devttys0 littleblackbox: https://github.com/devttys0/littleblackbox
- BenBE kompromat: https://github.com/BenBE/kompromat