Posts Tagged ‘ssh’

Automating Man-in-the-Middle SSHv2 attacks

November 12, 2014 3 comments

Recently during an internal penetration test, I was performing ARP spoofing and i discovered a SSH connection from the administrator computer to another box.

That sounds like the correct way to access remote hosts securely. However, the problem was that the company was using a network switch that was vulnerable to ARP spoofing.

I came across the below article about performing ARP spoofing and MITM SSH connections to steal credentials.

When performing arp spoofing and performing a mitm attack on SSH, the victim does get an alert message saying that there is a key mismatch but most people just ignore them anyway.

Below is the link to the original article.

In the article, the author demonstrates the use of a software called JMITM2 ( which is sort of like a honey pot that proxies SSH connections between the victim and the target SSH server.

However, there are a number of steps to be done manually to execute this attack during an internal penetration test.

1. Check if network is vulnerable to ARP spoofing
2. Check if there are any active SSH connections in the network
2. Identify the victim computer and SSH server
3. Modify the configuration files of JMITM2
4. Modifying iptables
5. ARP spoofing
6. Checking JMITM2 console for credentials
7. Re-arp the router and victim host with the correct MAC addresses of each.

It would save a great amount of time to automate these steps. I wrote a script that does just that.

Running the command below checks the network for active SSH connections (via ARP spoofing) and then automates the whole attack to outputs any credentials captured to the console.

python2.7 -analyze

If you know the victim host IP and SSH server, you can use the below command

python2.7 -host victims -ssh sshServerIP

This script has only been tested on Kali Linux.

There are a couple of things that are still in the works to improve the script.
1. Switching from intercepter-ng for ARP spoofing to scapy.

The script can be grabbed from the below link

Categories: Uncategorized Tags: , ,

Medusa ‘combo’ word lists (default usernames and passwords) for SSH and Telnet services

August 16, 2014 Leave a comment is a useful resource that contains the default credentials for various devices.

I wrote a script that crawls, parses and extracts the credentials from and outputs them into the “combo” format as required by medusa. Medusa is a brute force tool for numerous services like MySQL, SMB, SSH, Telnet and etc.

Currently, only ssh and telnet related credentials are extracted from

You can download the “combo” word lists for ssh and telnet via the direct links below.

SSH combo list for Medusa

Telnet combo list for Medusa

Combined users.txt and passwords.txt that you can use with Patator ( which is another awesome brute force tool.

Sample command for medusa “combo” SSH attack.
medusa -M ssh -C wordList_ssh.txt -H port22.txt

If you would like to play around with the python script, you can download the file at the below location.


Patator is another awesome tool that you can use for brute forcing SSH logins

Sample command for patator SSH attack ssh_login host= user=FILE0 password=FILE1 0=users.txt 1=passwords.txt -x ignore:mesg=’Authentication failed.’


Special shoutout to for maintaining and providing the extensive database of default credentials at


Get every new post delivered to your Inbox.