
MITM attack on SSH

The new version of Intercepter-NG can carry out a full-fledged attack on the SSH-2 protocol.

The attacker obtains the user's authentication credentials and logs the entire session: the commands that are run and the results of their execution.
To do this, Intercepter redirects the victim's traffic to its own SSH server and, if authentication succeeds,
proxies the connection to the original server.

If the victim's terminal program had a cached fingerprint of the remote server's key,
a warning about the key change is issued at authentication time.
This is the only suspicious moment that occurs during the attack.

Fortunately for the attacker, not everyone (even experienced people) reacts properly to this warning.
Until today, the attack on SSH was rather theoretical, because no practical implementation of it existed.
And the attacked user is not always the administrator of the SSH server; to such a user, the key change and the warnings mean nothing.
The SSH server built into Intercepter supports two authentication mechanisms: password and keyboard-interactive.
During the session, the user can run pseudographic applications (for example, mc), and everything will work correctly. Intercepter also monitors the WINDOW_CHANGE message, and when the terminal window is resized, the entire display is redrawn to the new size.
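Because the built-in server only speaks password and keyboard-interactive, a server that disables both of those methods gives a proxy nothing to capture. The following is an added example, not Intercepter-NG code or anything from the original article: a small audit of the global section of an OpenSSH sshd_config that reports which credential-bearing methods are effectively enabled, applying OpenSSH's defaults for absent directives and its first-occurrence-wins rule. The two sample configurations are constructed for the example.

```python
# Added example (not Intercepter-NG code): audit the global section of an
# sshd_config for the two authentication methods a proxied SSH server can
# capture (password and keyboard-interactive) and for public-key auth.

# OpenSSH defaults that apply when a directive is absent.
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "pubkeyauthentication": "yes",
}
# Older name for KbdInteractiveAuthentication, still accepted by sshd.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def parse_sshd_config(text: str) -> dict:
    """Return {directive: value} for the global section (before any Match block).

    Directive names are case-insensitive; sshd uses the FIRST occurrence of a
    directive, so later duplicates are ignored. Lines whose first non-blank
    character is '#' are comments. Include directives are not followed.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        if key == "match":
            break  # per-user/per-host overrides are out of scope for this check
        key = ALIASES.get(key, key)
        settings.setdefault(key, value)  # first occurrence wins
    return settings


def audit_auth_methods(text: str) -> dict:
    """Report which methods that hand a secret to the answering host are enabled."""
    configured = parse_sshd_config(text)
    effective = {k: configured.get(k, default) for k, default in DEFAULTS.items()}
    findings = []
    if effective["passwordauthentication"] == "yes":
        findings.append("PasswordAuthentication is enabled: the password goes to whichever host answers")
    if effective["kbdinteractiveauthentication"] == "yes":
        findings.append("KbdInteractiveAuthentication is enabled: prompt responses go to whichever host answers")
    if effective["pubkeyauthentication"] != "yes":
        findings.append("PubkeyAuthentication is disabled: the only method bound to the real host key is unavailable")
    return {"effective": effective, "findings": findings}


# Constructed sample configurations (not taken from any real server).
WEAK_CONFIG = """\
# constructed: a default-like sshd_config that still accepts passwords
Port 22
PasswordAuthentication yes
ChallengeResponseAuthentication yes
"""

HARDENED_CONFIG = """\
# constructed: key-only server
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
# the next line is ignored by sshd because the first value seen wins
PasswordAuthentication yes
Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        report = audit_auth_methods(cfg)
        print(name, report["effective"], *report["findings"], sep="\n  ")
```

The audit deliberately stops at the first `Match` block: per-user overrides there can re-enable passwords for specific accounts, which is a separate review.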

The attack is designed only for a terminal session; SFTP is not supported. If the victim starts an SFTP session anyway, the authentication will be intercepted, but the connection will then be terminated and the session marked in a special way. On reconnection, Intercepter will pass this session straight through, allowing the victim to establish an SFTP session with the original server normally.

It is worth remembering that when proxying an SSH connection, the attacker inevitably leaves their IP address in the server logs.
In expert settings mode, you can set an option that forces the SSH server to terminate the connection immediately after the login and password have been intercepted. After that, it is advisable to stop the attack and let the victim connect to the correct server undisturbed.

To protect against the attack, use public-key authentication, which the attack does not support. And of course, pay more attention to warnings about changed fingerprints.
UPDATE:
Public key authentication is not subject to the attack and ensures a secure connection to the server.
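The fingerprint warning mentioned above is produced by comparing the key the server presents with the one cached in known_hosts. The following is an added example, not code from the original article or from Intercepter-NG: it performs that comparison the way an OpenSSH client does (plain and HashKnownHosts-style host fields, SHA256 fingerprints) and reports the "changed" condition that is the one visible sign of a proxied connection. The host keys, hostnames and salt are constructed for the example; the ed25519 blobs are built by hand and are not real keys.

```python
import base64
import hashlib
import hmac

# Added example (not Intercepter-NG code): verify a presented SSH host key
# against a known_hosts file and report match / changed / unknown.
# All keys, hostnames and the salt below are constructed for the example.


def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length prefix followed by the bytes."""
    return len(data).to_bytes(4, "big") + data


def make_ed25519_blob(raw_key: bytes) -> bytes:
    """Build the public-key blob that known_hosts stores base64-encoded for ssh-ed25519."""
    if len(raw_key) != 32:
        raise ValueError("ed25519 public keys are 32 bytes")
    return ssh_string(b"ssh-ed25519") + ssh_string(raw_key)


def encode_key(blob: bytes) -> str:
    """Base64 text of a key blob, as it appears in the third known_hosts column."""
    return base64.b64encode(blob).decode()


def fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of sha256(blob)."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def hash_hostname(hostname: str, salt: bytes) -> str:
    """HashKnownHosts form of a host field: |1|base64(salt)|base64(hmac_sha1(salt, host))."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|" + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()


def host_matches(field: str, hostname: str) -> bool:
    """Match a known_hosts host field (plain, comma-separated list, or hashed) to hostname."""
    if field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = field.split("|")
        expected = hmac.new(base64.b64decode(salt_b64), hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(expected, base64.b64decode(mac_b64))
    return hostname in field.split(",")


def check_host_key(known_hosts: str, hostname: str, key_type: str, presented_b64: str) -> dict:
    """Return {'status': 'match'|'changed'|'unknown', 'presented': fp, 'known': fp or None}.

    'changed' is the situation in which ssh prints its
    'REMOTE HOST IDENTIFICATION HAS CHANGED' warning. Marker lines
    (@cert-authority, @revoked) are skipped in this example.
    """
    presented = base64.b64decode(presented_b64)
    result = {"status": "unknown", "presented": fingerprint(presented), "known": None}
    for raw in known_hosts.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("@"):
            continue
        parts = line.split()
        if len(parts) < 3 or parts[1] != key_type or not host_matches(parts[0], hostname):
            continue
        known = base64.b64decode(parts[2])
        result["known"] = fingerprint(known)
        result["status"] = "match" if hmac.compare_digest(known, presented) else "changed"
        return result
    return result


# Constructed sample data.
GENUINE_KEY = make_ed25519_blob(bytes(range(32)))        # the real server's key
OTHER_KEY = make_ed25519_blob(bytes(range(32, 64)))      # a key belonging to some other host
SALT = b"constructed-salt-20b"                          # 20 bytes, the size OpenSSH uses
KNOWN_HOSTS = "\n".join([
    "# constructed known_hosts",
    "bastion.example.com,10.0.0.5 ssh-ed25519 " + encode_key(GENUINE_KEY),
    hash_hostname("db.example.com", SALT) + " ssh-ed25519 " + encode_key(GENUINE_KEY),
])

if __name__ == "__main__":
    for host, key in (("bastion.example.com", GENUINE_KEY), ("bastion.example.com", OTHER_KEY),
                      ("db.example.com", GENUINE_KEY), ("new.example.com", GENUINE_KEY)):
        print(host, check_host_key(KNOWN_HOSTS, host, "ssh-ed25519", encode_key(key)))
```

The "changed" result is the case to act on; "unknown" (a host never seen before) offers no protection at all, which is why a fresh client with an empty known_hosts and `StrictHostKeyChecking` left at its default cannot tell the real server from a proxy.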

Video demonstration of the attack


The information is presented for informational purposes only. The author is not responsible for any possible harm caused by the materials of this article.

Source: https://habr.com/ru/post/176693/

