Why are SSH MITM tools able to read and modify data?



  • At my university, we are learning how to use SSH for server administration.

    We learned that SSH is secure, but there are some tools that allow man-in-the-middle attacks on SSH.

    How can such tools intercept SSH when it is encrypted? I have tried Wireshark but was not able to read the data. Wireshark is only able to read the plain text parts of the SSH protocols.

    How does a man-in-the-middle attack on SSH work?

    The mitm tool (https://github.com/ssh-mitm/ssh-mitm) allows a second shell to connect to the same SSH session. I have tried it and was able to work in both shells.

    Are both sessions the same, or how else can this work? I thought that the encryption should protect me from such an attack.

    Reading the docs (https://docs.ssh-mitm.at) does not provide more info on how such an attack works. The docs only explain how to use the tool.

    This is the reason why I'm asking the question.

    • Can anyone explain in depth how such an attack works?
    • How is it possible that the same SSH session can be used from 2 different clients?


  • The basic point of a MITM attack against SSH or SSL/TLS is that the connection is no longer end-to-end encrypted, i.e. from client to server. Instead there is an encrypted connection between client and attacker and a different encrypted connection between attacker and server. Since encryption is terminated by the attacker this way, the attacker has access to the full decrypted traffic:

    Secure: [Client]  <---------- End-to-End Encrypted ----------------> [Server]
    MITM:   [Client]  <-- Encrypted#1 --> [Attacker] <-- Encrypted#2 --> [Server]
    

    Note that this only works if the client does not check the cryptographic identity of the server (server key) and the server does not check the cryptographic identity of the client (client key, which is optional). If any of these are checked an MITM attack is impossible since the attacker cannot impersonate the server or client without having access to their secret key.
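As an added illustration of the host-key check this answer refers to (example code written for this page, not from the answer or from the ssh-mitm project), here is a Python model of the client-side known_hosts lookup that decides whether a presented server key is the pinned one, including OpenSSH's hashed-hostname form; the key blobs, hostnames and salt are constructed placeholders.

```python
import base64
import hashlib
import hmac

# Constructed placeholder key blobs (not real keys); only string equality matters here.
SERVER_KEY = "AAAAC3NzaC1lZDI1NTE5AAAAIConstructedServerKey00000000000000000000000"
ATTACKER_KEY = "AAAAC3NzaC1lZDI1NTE5AAAAIConstructedAttackerKey000000000000000000000"
SALT = bytes(range(20))  # fixed salt so the hashed entry below is reproducible

def hash_hostname(hostname: str, salt: bytes) -> str:
    """Return the '|1|salt|hmac' pattern OpenSSH writes when HashKnownHosts is on."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def host_matches(pattern: str, hostname: str) -> bool:
    """Match a known_hosts host field, either a plain comma list or the hashed form."""
    if pattern.startswith("|1|"):
        _, _, salt_b64, mac_b64 = pattern.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(mac_b64))
    return hostname in pattern.split(",")

# Constructed known_hosts content: one plain entry, one hashed entry, same pinned key.
KNOWN_HOSTS = "\n".join([
    "# constructed sample, not a real file",
    "db.example.internal,10.0.0.5 ssh-ed25519 " + SERVER_KEY,
    hash_hostname("hashed.example.internal", SALT) + " ssh-ed25519 " + SERVER_KEY,
])

def check_host_key(known_hosts: str, hostname: str, key_type: str, key_b64: str) -> str:
    """Return 'ok' (pinned key matches), 'changed' (host known but key or type differs,
    the MITM signal) or 'unknown' (first contact, a trust-on-first-use decision)."""
    seen_host = False
    for line in known_hosts.splitlines():
        parts = line.split()
        if len(parts) < 3 or line.startswith("#"):
            continue
        if not host_matches(parts[0], hostname):
            continue
        seen_host = True  # any entry for this host counts, whatever the key type
        if parts[1] == key_type and hmac.compare_digest(parts[2].encode(), key_b64.encode()):
            return "ok"
    return "changed" if seen_host else "unknown"

if __name__ == "__main__":
    for host, key in [("db.example.internal", SERVER_KEY), ("db.example.internal", ATTACKER_KEY)]:
        print(host, check_host_key(KNOWN_HOSTS, host, "ssh-ed25519", key))
```

A client that treats "changed" as a hard failure (StrictHostKeyChecking=yes in OpenSSH) never completes Encrypted#1 with the attacker, because the attacker cannot produce a signature under the pinned server key.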


