SSH-MITM

SSH-MITM
Developer(s)	Manfred Kaiser
Initial release	June 11, 2020
Stable release	0.4.0 / 12 February 2021; 3 years ago
Written in	Python
Engine
Operating system	Multi-platform
License	LGPL-3.0
Website	ssh-mitm.at

Search SSH-MITM on Amazon.

SSH-MITM is a man in the middle SSH Server for security audits and malware analysis. Unlike other ssh servers, SSH-MITM is used to forward a ssh session to another server and log the complete session and file transfers.

Technology[edit]

SSH-MITM uses Python Paramiko as ssh library which implements version 2 of the Secure Shell (SSH) protocol. ^[2]

SSH version 1 is not supported. Due to this limitations, SSH-MITM is not able to do a downgrade attack on a ssh session.

Features[edit]

SSH-MITM is used to analyze ssh sessions during security audits and malware analysis. To intercept the session, SSH-MITM has to act as a man in the middle server and supports password and public key authentication.

If the ssh client uses password for authentication, the credentials can be reused to authenticate against the remote server. Intercepting public key authentication is possible, but has some limitations, which can be circumvented, if the clients forwards the ssh-agent. If the ssh-agent is forwarded to SSH-MITM, the agent can be used to authenticate against remote servers.

After the client has connected to SSH-MITM, the terminal session is hijacked and it is possible to interact with the shell on the remote server. It is also possible to store or modify files during SCP and SFTP file transfers.

Security Audits[edit]

SSH-MITM can be used for security audits and has checks for some known vulnerabilities like an information leak in OpenSSH up to Version 8.4.

CVE-2020-14145[edit]

In cases, where the OpenSSH client has knowledge about the remote servers fingerprint, SSH-MITM is able to detect that the client will abort the connection with a man in the middle attack attempt. This is possible because some clients have an Information leakage, when connecting to a ssh server. If the client connects for the first time, a list of crypto algorithms are sent in a predefined order, but when the client has knowledge about the remotes fingerprint, the algorithms are sent in a different order.

NIST and MITRE references SSH-MITM as a tool to check if a client is affected against CVE-2020-14145. ^[3] ^[4]

Security implications[edit]

SSH-MITM is a man in the middle tool and should only used for security audits or malware analysis.

Due to the fact, that known exploits for ssh clients are implemented ^[5] and used to intercept the clients, SSH-MITM should be treated as a security risk and must not be used as jump server.

Platforms[edit]

SSH-MITM is written in Python, which allows the server to run on different platforms like Linux, Microsoft Windows and MacOS.

The main development platform is Linux, because the server supports the Tproxy kernel feature, which is used for transparent proxy support.

Licensing[edit]

SSH-MITM is open source, licensed under the LGPL-3.0 ^[6]

References[edit]

↑ "SSH-MITM Releasea". Retrieved 1 March 2021.
↑ "Python Paramiko".
↑ "NIST - CVE-2020-14145".
↑ "MITRE - CVE-2020-14145".
↑ "SSH-MITM Implementation of CVE-2020-14145".
↑ "SSH-MITM license".

External links[edit]

This article "SSH-MITM" is from Wikipedia. The list of its authors can be seen in its historical and/or the page Edithistory:SSH-MITM. Articles copied from Draft Namespace on Wikipedia could be seen on the Draft Namespace of Wikipedia and not main one.

[SSH-MITM_releases-1] "SSH-MITM Releasea". Retrieved 1 March 2021.

[Python_Paramiko-2] "Python Paramiko".

[NIST-CVE-2020-14145-3] "NIST - CVE-2020-14145".

[MITRE-CVE-2020-14145-4] "MITRE - CVE-2020-14145".

[SSH-MITM_Implementation_of_CVE-2020-14145-5] "SSH-MITM Implementation of CVE-2020-14145".

[SSH-MITM_license-6] "SSH-MITM license".

[1]

[2]

[3]

[4]

[5]

[6]