ssh-mitm icon indicating copy to clipboard operation
ssh-mitm copied to clipboard
verified publisher icon jtesta

Intercept public key authentication and put client in fake environment

Open jtesta opened this issue 8 years ago • 6 comments

Public key authentication doesn't divulge any useful information to an attacker, hence a true MITM can't be done. However, it is possible to intercept the connection and drop the victim into a fake environment hosted on the attacker's machine. This would be difficult to trick humans with (since they would expect the target server to be a certain way, and would quickly notice the glaring differences), but automated client processes could leak lots of sensitive information.

For example, an automated client process may ignore the mismatched host key, log in with key authentication (which drops them into a fake environment--no interaction with the real server ever occurs), then immediately issue a sudo or su command and supply the root password (which we can log!). Of course, after that, the client would try to run programs/read files that don't exist, which would result in failure. However, the attacker can potentially observe this process, update their fake environment iteratively, and eventually provide the structure that the automated client expects, yielding more sensitive data.

This would be rather sneaky!

jtesta avatar Mar 28 '18 12:03 jtesta

Hi,

What happens at the moment if someone uses public key to log on a server? Does the connection still succeed? Do we still get the interactive / SFTP session log? (which is what I'm actually interested in)

Thanks.

kubrickfr avatar Sep 01 '18 15:09 kubrickfr

Sorry for the late response. I didn't notice this until now.

If someone uses a public key, then currently the connection will fail. I made a note in the TODO list of the README that a mechanism should be added to automatically de-spoof pubkey-only connections. At the moment, the best thing to do would be keep an eye on the process and manually remove IPs from arpspoof/ettercap if you notice the connections failing for them.

jtesta avatar Sep 05 '18 12:09 jtesta

+1 for public key support and fake environment!

antnks avatar Dec 20 '18 12:12 antnks

When I tried your pubkey_auth branch, this breaks password authentication.

I have 2 users. One is allowed to login with public key and the other can only login with a password.

When enabling public key authentication, both users are forced to login with publickey authentication.

Why is password authentication broken, when public key is enabled?

I read on another page that this should be possible: https://pypi.org/project/ssh-mitm/

I'm not using ubuntu, so I can not use your prebuilt snap :disappointed:

littlebear2 avatar Sep 13 '21 17:09 littlebear2

My pubkey_auth branch is not yet completed. Also, the project you referenced on PyPI is not mine.

-- Joseph S. Testa II Founder & Principal Security Consultant Positron Security

jtesta avatar Sep 13 '21 18:09 jtesta

Thanks for the response :+1: I will try the other project

littlebear2 avatar Sep 14 '21 16:09 littlebear2