https://github.com/ssh-mitm/ssh-mitm

SSH-MITM - ssh audits made simple
https://github.com/ssh-mitm/ssh-mitm

mitm mitm-attacks mitm-server mitmproxy proxy scp security security-audit security-tools sftp ssh ssh-client ssh-mitm ssh-server

Last synced: 17 days ago
JSON representation

SSH-MITM - ssh audits made simple

• Host: GitHub
• URL: https://github.com/ssh-mitm/ssh-mitm
• Owner: ssh-mitm
• License: gpl-3.0
• Created: 2020-06-03T16:18:48.000Z (about 4 years ago)
• Default Branch: master
• Last Pushed: 2024-05-21T18:14:02.000Z (about 2 months ago)
• Last Synced: 2024-05-21T19:41:16.841Z (about 2 months ago)
• Topics: mitm, mitm-attacks, mitm-server, mitmproxy, proxy, scp, security, security-audit, security-tools, sftp, ssh, ssh-client, ssh-mitm, ssh-server
• Language: Python
• Homepage: https://docs.ssh-mitm.at
• Size: 99.9 MB
• Stars: 1,233
• Watchers: 25
• Forks: 130
• Open Issues: 13
• Metadata Files:
  • Readme: README.md
  • Changelog: CHANGELOG.md
  • Contributing: CONTRIBUTING.md
  • License: LICENSE
  • Code of conduct: CODE_OF_CONDUCT.md
  • Security: SECURITY.md

Lists

• awesome-stars - ssh-mitm - mitm | 939 | (Python)
• awesome-stars - ssh-mitm/ssh-mitm - `★1244` SSH-MITM - ssh audits made simple (Python)
• awesome-stars - ssh-mitm - mitm | 334 | (Python)
• awesome-stars - ssh-mitm/ssh-mitm - `★1186` SSH-MITM - ssh audits made simple (Python)
• awesome-starred - ssh-mitm/ssh-mitm - SSH-MITM - ssh audits made simple (security)
• awesome-hacking-lists - ssh-mitm/ssh-mitm - ssh mitm server for security audits supporting public key authentication, session hijacking and file manipulation (Python)
• awesome-ssh - SSH-MITM - mitm/ssh-mitm.svg?style=social&label=stars)](https://github.com/ssh-mitm/ssh-mitm) - ssh mitm server for security audits supporting public key authentication, session hijacking and file manipulation (Honeypots)

README

        
 SSH-MITM - ssh audits made simple 



  

    

  

  
ssh man-in-the-middle (ssh-mitm) server for security audits supporting
 publickey authentication, session hijacking and file manipulation

  


   

      

   

      

   

   


   


   

  


Contributors





  





## Table of Contents

- [Introduction](#introduction)

- [Features](#features)

- [Installation](#installation)

- [Quickstart](#quickstart)

- [Session hijacking](#session-hijacking)

- [Phishing FIDO Tokens](#phishing-fido-tokens)

- [Contributing](#contributing)

- [Contact](#contact)

## Introduction

[![Code style: black](https://img.shields.io/badge/code%20style-black-000000.svg)](https://github.com/psf/black)

[![CodeFactor](https://www.codefactor.io/repository/github/ssh-mitm/ssh-mitm/badge)](https://www.codefactor.io/repository/github/ssh-mitm/ssh-mitm)

[![Documentation Status](https://readthedocs.org/projects/ssh-mitm/badge/?version=latest)](https://docs.ssh-mitm.at/?badge=latest)

[![PRs Welcome](https://img.shields.io/badge/PRs-welcome-brightgreen.svg?style=flat-square)](http://makeapullrequest.com)

[![GitHub](https://img.shields.io/github/license/ssh-mitm/ssh-mitm?color=%23434ee6)](https://github.com/ssh-mitm/ssh-mitm/blob/master/LICENSE)



**SSH-MITM** is a man in the middle SSH Server for security audits and malware analysis.

Password and **publickey authentication** are supported and SSH-MITM is able to detect, if a user is able to login with publickey authentication on the remote server. This allows SSH-MITM to accept the same key as the destination server. If publickey authentication is not possible, the authentication will fall back to password-authentication.

When publickey authentication is possible, a forwarded agent is needed to login to the remote server. In cases, when no agent was forwarded, SSH-MITM can rediredt the session to a honeypot.

(back to top)


## Features

* publickey authentication

   * accept same key as destination server

   * Phishing FIDO Tokens ([Information from OpenSSH](https://www.openssh.com/agent-restrict.html))

* hijacking and logging of terminal sessions

* store and replace files during SCP/SFTP file transferes

* port porwarding

  * SOCKS 4/5 support for dynamic port forwarding

* intercept MOSH connections

* audit clients against known vulnerabilities

* plugin support

(back to top)


## Installation

**SSH-MITM** can be installed as a

[Flatpak](https://flathub.org/apps/at.ssh_mitm.server),

[Ubuntu Snap](https://snapcraft.io/ssh-mitm),

[AppImage](https://github.com/ssh-mitm/ssh-mitm/releases/latest)

and [PIP-Package](https://pypi.org/project/ssh-mitm/).

Community-supported options include installations via `[Nix](https://search.nixos.org/packages?channel=unstable&show=ssh-mitm&type=packages&query=ssh-mitm) and running on [Android devices](https://github.com/ssh-mitm/ssh-mitm/discussions/83#discussioncomment-1531873).

Install from Flathub:

    flatpak install flathub at.ssh_mitm.server

    flatpak run at.ssh_mitm.server

Install from Snap store:

    sudo snap install ssh-mitm

Install as AppImage:

    wget https://github.com/ssh-mitm/ssh-mitm/releases/latest/download/ssh-mitm-x86_64.AppImage

    chmod +x ssh-mitm*.AppImage

Install python package:

    python3 -m pip install ssh-mitm

For more installation methods, refer to the [SSH-MITM installation guide](https://docs.ssh-mitm.at/get_started/installation.html).

(back to top)


## Quickstart

To start SSH-MITM, all you have to do is run this command in your terminal of choice.

    ssh-mitm server --remote-host 192.168.0.x

Now let's try to connect. SSH-MITM is listening on port 10022.

    ssh -p 10022 testuser@proxyserver

You will see the credentials in the log output.

    INFO     Remote authentication succeeded

        Remote Address: 127.0.0.1:22

        Username: testuser

        Password: secret

        Agent: no agent

(back to top)


## Session hijacking

Getting the plain text credentials is only half the fun.

When a client connects, the ssh-mitm starts a new server, which is used for session hijacking.

    INFO     ℹ created mirrorshell on port 34463. connect with: ssh -p 34463 127.0.0.1

To hijack the session, you can use your favorite ssh client.

    ssh -p 34463 127.0.0.1

Try to execute somme commands in the hijacked session or in the original session.

The output will be shown in both sessions.

(back to top)


## Phishing FIDO Tokens

SSH-MITM is able to phish FIDO2 Tokens which can be used for 2 factor authentication.

The attack is called [trivial authentication](https://docs.ssh-mitm.at/trivialauth.html) ([CVE-2021-36367](https://docs.ssh-mitm.at/CVE-2021-36367.html), [CVE-2021-36368](https://docs.ssh-mitm.at/CVE-2021-36368.html)) and can be enabled with the command line argument `--enable-trivial-auth`.

  ssh-mitm server --enable-trivial-auth

Using the trivial authentication attack does not break password authentication, because the attack is only performed when a publickey login is possible.



  Video explaining the phishing attack:


  Click to view video on vimeo.com


  

  

  





  Downlaod presentation slides



(back to top)


## Contributing

Contributions are what make the open source community such an amazing place to learn, inspire, and create. Any contributions you make are **greatly appreciated**.

If you have a suggestion that would make this better, please fork the repo and create a pull request. You can also simply open an issue with the tag "enhancement".

Don't forget to give the project a star! Thanks again!

1. Fork the Project

2. Create your Feature Branch (`git checkout -b feature/AmazingFeature`)

3. Commit your Changes (`git commit -m 'Add some AmazingFeature'`)

4. Push to the Branch (`git push origin feature/AmazingFeature`)

5. Open a Pull Request

See also the list of [contributors](https://github.com/ssh-mitm/ssh-mitm/graphs/contributors) who participated in this project.

(back to top)


## Contact

- E-Mail: [email protected]

- [Issue Tracker](https://github.com/ssh-mitm/ssh-mitm/issues)

(back to top)