SSH-MITM is a man in the middle SSH Server for security audits and malware analysis.
Password and publickey authentication are supported and SSH-MITM is able to detect, if a user is able to login with publickey authentication on the remote server. This allows SSH-MITM to acccept the same key as the destination server. If publickey authentication is not possible, the authentication will fall back to password-authentication.
When publickey authentication is possible, a forwarded agent is needed to login to the remote server. In cases, when no agent was forwarded, SSH-MITM can rediredt the session to a honeypot.
- publickey authentication
- accept same key as destination server
- hijacking and logging of terminal sessions
- store and replace files during SCP/SFTP file transferes
- port porwarding
- audit clients against known vulnerabilities
- plugin support
SSH-MITM can be installed as a Ubuntu Snap, PIP-Package or AppImage and even runs on Android devices
# install ssh-mitm as snap package $ sudo snap install ssh-mitm # install ssh-mitm as python pip package $ pip install ssh-mitm
Install as AppImage
$ wget https://github.com/ssh-mitm/ssh-mitm/releases/latest/download/ssh-mitm-x86_64.AppImage $ chmod +x ssh-mitm*.AppImage
To start SSH-MITM, all you have to do is run this command in your terminal of choice.
$ ssh-mitm --remote-host 192.168.0.x:PORT
Now let’s try to connect. SSH-MITM is listening on port 10022.
$ ssh -p 10022 testuser@proxyserver
You will see the credentials in the log output.
INFO Remote authentication succeeded Remote Address: 127.0.0.1:22 Username: testuser Password: secret Agent: no agent
Getting the plain text credentials is only half the fun. When a client connects, the ssh-mitm starts a new server, which is used for session hijacking.
INFO ℹ created mirrorshell on port 34463. connect with: ssh -p 34463 127.0.0.1
To hijack the session, you can use your favorite ssh client.
$ ssh -p 34463 127.0.0.1
Try to execute somme commands in the hijacked session or in the original session.
The output will be shown in both sessions.
SSH-MITM is able to verify, if a user is able to login with publickey authentication on the remote server. If publickey authentication is not possible, SSH-MITM falls back to password authentication. This step does not require a forwarded agent.
For a full login on the remote server agent forwarding is still required. When no agent was forwarded, SSH-MITM can redirect the connection to a honeypot.
ssh-mitm --fallback-host username:password@hostname:port
ssh-mitm (this link opens in a new window) by ssh-mitm (this link opens in a new window)
ssh mitm server for security audits supporting public key authentication, session hijacking and file manipulation