Recently, during an internal penetration test, I was performing ARP spoofing and I discovered an SSH connection from the administrator's computer to another box.
That sounds like the correct way to access remote hosts securely. However, the problem was that the company was using a network switch that was vulnerable to ARP spoofing.
I came across the article below about performing ARP spoofing and MITM attacks on SSH connections to steal credentials.
When you ARP spoof and MITM an SSH session, the victim does get a warning about a host key mismatch, but most people just ignore it anyway.
Below is the link to the original article.
In the article, the author demonstrates a tool called JMITM2 (http://www.david-guembel.de/index.php?id=6), which works somewhat like a honeypot: it proxies the SSH connection between the victim and the real SSH server.
However, there are a number of steps to be done manually to execute this attack during an internal penetration test.
1. Check if the network is vulnerable to ARP spoofing
2. Check if there are any active SSH connections in the network
3. Identify the victim computer and the SSH server
4. Modify the configuration files of JMITM2
5. Modify iptables
6. Perform ARP spoofing
7. Check the JMITM2 console for credentials
8. Re-ARP the router and the victim host with the correct MAC addresses of each
It would save a great amount of time to automate these steps. I wrote a script that does just that.
Running the command below checks the network for active SSH connections (via ARP spoofing), then automates the whole attack and outputs any captured credentials to the console.
python2.7 mitmSSH.py -analyze
If you already know the victim host IP and the SSH server, you can use the command below:
python2.7 mitmSSH.py -host victims -ssh sshServerIP
There are a couple of things that are still in the works to improve the script.
1. Switching from intercepter-ng for ARP spoofing to scapy.
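Step 1 of the list above is also the step a defender can watch for. As an added example (not the script from this post and not JMITM2), the detector below reads ARP replies in a tcpdump-style format (the exact line shape and all addresses are constructed for this example) and flags the three symptoms of an ARP poisoning MITM: a pinned gateway answering from an unexpected MAC, an IP whose MAC changes, and one MAC claiming several IPs, which is what a proxy sitting between the admin workstation and the SSH server looks like on the wire.

```python
import re
from collections import defaultdict

# Constructed sample ARP replies in the shape of `tcpdump -n arp` output.
# The host aa:bb:cc:dd:ee:99 starts answering for both the gateway (.1) and the
# administrator workstation (.10), i.e. it has put itself between the two.
SAMPLE_ARP_LOG = """\
10:00:01.000000 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:01, length 28
10:00:01.050000 ARP, Reply 192.168.1.10 is-at 00:11:22:33:44:10, length 28
10:00:02.000000 ARP, Reply 192.168.1.20 is-at 00:11:22:33:44:20, length 28
10:00:05.000000 ARP, Reply 192.168.1.1 is-at aa:bb:cc:dd:ee:99, length 28
10:00:05.010000 ARP, Reply 192.168.1.10 is-at aa:bb:cc:dd:ee:99, length 28
10:00:06.000000 ARP, Reply 192.168.1.1 is-at aa:bb:cc:dd:ee:99, length 28
"""

# Mapping an operator would record in advance for hosts that must not move
# (constructed value for the example).
PINNED = {"192.168.1.1": "00:11:22:33:44:01"}

ARP_REPLY = re.compile(
    r"^(?P<ts>\S+) ARP, Reply (?P<ip>\d+(?:\.\d+){3}) is-at "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)


def parse_arp_replies(text):
    """Yield (timestamp, ip, mac) for every ARP reply line; other lines are skipped."""
    for line in text.splitlines():
        m = ARP_REPLY.match(line)
        if m:
            yield m.group("ts"), m.group("ip"), m.group("mac").lower()


def detect_arp_spoofing(text, pinned=PINNED):
    """Return a list of (kind, timestamp, subject, detail) alerts.

    kind is one of:
      pinned-mismatch  a pinned IP answered from a MAC other than the pinned one
      mac-changed      an IP was seen with a new MAC after a previous one
      multi-ip         one MAC claimed more than one IP during the capture
    """
    ip_to_macs = defaultdict(list)   # ip  -> distinct MACs in order of appearance
    mac_to_ips = defaultdict(set)    # mac -> every IP it has claimed
    seen_mismatch = set()            # report each (ip, rogue mac) pair once
    alerts = []

    for ts, ip, mac in parse_arp_replies(text):
        expected = pinned.get(ip, "").lower()
        if expected and mac != expected and (ip, mac) not in seen_mismatch:
            seen_mismatch.add((ip, mac))
            alerts.append(("pinned-mismatch", ts, ip, mac))

        known = ip_to_macs[ip]
        if mac not in known:
            if known:  # the address moved to a different MAC
                alerts.append(("mac-changed", ts, ip, f"{known[-1]} -> {mac}"))
            known.append(mac)
        mac_to_ips[mac].add(ip)

    for mac, ips in sorted(mac_to_ips.items()):
        if len(ips) > 1:
            alerts.append(("multi-ip", "-", ", ".join(sorted(ips)), mac))
    return alerts


if __name__ == "__main__":
    for kind, ts, subject, detail in detect_arp_spoofing(SAMPLE_ARP_LOG):
        print(f"[{kind}] {ts} {subject} {detail}")
```

The pinned-MAC check is the strongest signal because it needs no baseline: the gateway's MAC is known in advance, so the first rogue reply is enough. The other two checks only need the capture itself, so they also work for hosts nobody thought to pin. Feeding the first three sample lines alone produces no alerts, which is the clean baseline.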
The script can be grabbed from the below link
Wrote this script “Command Line IMAP/POP3 Email Downloader” some time ago.
Found it during spring cleaning.
Download the script here
The prefetch tool has been updated. Spent the Sunday making the changes. I hope you guys like it.
1. The prefetch.exe executable has been reduced from 3.8 MB to 2.2 MB. Any smaller than this and I will have to rewrite the code in C++.
2. The prefetch tool is much faster now, after fixing some logic issues in the previous script.
3. The Meterpreter script has been updated to download the new prefetch.exe from my Google Code project site on demand whenever new updates are available.
The Google Code project site is available at http://code.google.com/p/prefetch-tool/
If you have any ideas or suggestions, hit me.
Check out the new issue of Hakin9
* Windows Timeline Analysis
* Analyzing Malware Introduction to Advanced Topics…
* Hacking ASLR & Stack Canaries on Modern Linux…
* Mashup Security…
* My ERP Got Hacked – An Introduction to Computer Forensics, Part II…
* First Password Shooters…
* RSA & AES in JAVA…
* AV Scanner 101…
* The Underworld of CVV Dumping…
* It’s All About Reputation…
* Interview with Andrey Belenko…
* DefenseWall Pure Policy-Based Sandbox Application…
* Interview with Alexandre Dulaunoy & Fred Arbogast…
And more…
I like the article on Windows Timeline Analysis. Even if you are not a forensic investigator, you will definitely learn something useful from this. (: