SSH-MITM

SSH-MITM is a man in the middle SSH server for security audits and malware analysis. Unlike an ordinary ssh server, SSH-MITM forwards an intercepted ssh session to another server and logs the complete session, including file transfers.

Technology
SSH-MITM uses the Python library Paramiko as its ssh implementation; Paramiko implements version 2 of the Secure Shell (SSH) protocol.

Features
SSH-MITM is used to analyze ssh sessions during security audits and malware analysis. To intercept a session, SSH-MITM has to act as a man in the middle server; it supports password and public key authentication.

If the ssh client uses password authentication, the captured credentials can be reused to authenticate against the remote server. Intercepting public key authentication is possible, but has limitations: the client signs authentication data that is bound to its own session with SSH-MITM, so that signature cannot be replayed to the remote server. This limitation can be circumvented if the client forwards its ssh-agent. Once the agent is forwarded to SSH-MITM, it can be used to sign authentication requests for remote servers on the client's behalf.

In cases where the ssh client already knows the remote server's host key fingerprint (for example from its known_hosts file), SSH-MITM is able to detect in advance that the client would abort the connection because of the man in the middle attempt. This is possible because some clients, OpenSSH among them, leak this information when connecting to an ssh server. On a first connection the client sends its list of supported host key algorithms in the key exchange initialization message in a fixed default order, but when the client already has a host key for that server, the algorithms matching the known key type are moved to the front of the list.
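The following is an added example, not SSH-MITM's own code, showing how the leak described above can be read out of a KEXINIT message. It parses the KEXINIT payload as laid out in RFC 4253 section 7.1 and compares the client's host key algorithm order against an assumed default order (DEFAULT_HOSTKEY_ORDER is a simplified stand-in, not copied from any client). The detection rule assumes the client reorders like OpenSSH: algorithms for known key types are moved to the front, each group keeping its default relative order, so the boundary is the first position where the default rank drops. The sample messages and their cookies are constructed here.

```python
import os
import struct

SSH_MSG_KEXINIT = 20

# Name-lists in the order they appear in KEXINIT (RFC 4253, section 7.1).
KEXINIT_NAMELISTS = (
    "kex_algorithms",
    "server_host_key_algorithms",
    "encryption_algorithms_client_to_server",
    "encryption_algorithms_server_to_client",
    "mac_algorithms_client_to_server",
    "mac_algorithms_server_to_client",
    "compression_algorithms_client_to_server",
    "compression_algorithms_server_to_client",
    "languages_client_to_server",
    "languages_server_to_client",
)

# Assumed default host key preference of the client (simplified stand-in,
# not taken from any real client's source).
DEFAULT_HOSTKEY_ORDER = [
    "ssh-ed25519",
    "ecdsa-sha2-nistp256",
    "rsa-sha2-512",
    "rsa-sha2-256",
    "ssh-rsa",
]


def _namelist(names):
    """Encode an SSH name-list: uint32 length + comma-separated names."""
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data


def build_kexinit(lists, first_kex_packet_follows=False, cookie=None):
    """Build a KEXINIT payload (inside the binary packet, without the packet
    length, padding or MAC). Missing name-list fields are sent empty."""
    cookie = os.urandom(16) if cookie is None else cookie
    if len(cookie) != 16:
        raise ValueError("cookie must be 16 bytes")
    out = bytes([SSH_MSG_KEXINIT]) + cookie
    for field in KEXINIT_NAMELISTS:
        out += _namelist(lists.get(field, []))
    out += bytes([1 if first_kex_packet_follows else 0])
    out += struct.pack(">I", 0)  # reserved for future extension
    return out


def parse_kexinit(payload):
    """Parse a KEXINIT payload into a dict of name-lists; reject truncation."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    off = 17  # message type byte + 16-byte cookie
    fields = {"cookie": payload[1:17]}
    for field in KEXINIT_NAMELISTS:
        if off + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (length,) = struct.unpack_from(">I", payload, off)
        off += 4
        raw = payload[off:off + length]
        if len(raw) != length:
            raise ValueError("truncated name-list")
        off += length
        fields[field] = raw.decode("ascii").split(",") if raw else []
    if off + 5 > len(payload):
        raise ValueError("truncated trailer")
    fields["first_kex_packet_follows"] = payload[off] != 0
    return fields


def known_hostkey_types(client_hostkey_algs, default_order=DEFAULT_HOSTKEY_ORDER):
    """Return the host key algorithms the client moved to the front of its
    list, i.e. the types it likely has a known_hosts entry for. An unchanged
    list gives no evidence and returns []."""
    rank = {alg: i for i, alg in enumerate(default_order)}
    algs = [a for a in client_hostkey_algs if a in rank]  # skip unranked types
    for i in range(1, len(algs)):
        if rank[algs[i]] < rank[algs[i - 1]]:
            return algs[:i]
    return []


def client_knows_host_key(kexinit_payload, default_order=DEFAULT_HOSTKEY_ORDER):
    """True if the KEXINIT suggests the client already has the server's host
    key, so a MITM presenting a different key would be rejected."""
    kex = parse_kexinit(kexinit_payload)
    return bool(known_hostkey_types(kex["server_host_key_algorithms"], default_order))


# Constructed sample messages with fixed cookies so the output is stable.
COMMON = {
    "kex_algorithms": ["curve25519-sha256", "diffie-hellman-group14-sha256"],
    "encryption_algorithms_client_to_server": ["chacha20-poly1305@openssh.com"],
    "encryption_algorithms_server_to_client": ["chacha20-poly1305@openssh.com"],
    "mac_algorithms_client_to_server": ["hmac-sha2-256"],
    "mac_algorithms_server_to_client": ["hmac-sha2-256"],
    "compression_algorithms_client_to_server": ["none"],
    "compression_algorithms_server_to_client": ["none"],
}
# First contact: default order untouched.
FIRST_CONTACT = build_kexinit(
    dict(COMMON, server_host_key_algorithms=DEFAULT_HOSTKEY_ORDER), cookie=b"\x00" * 16)
# Returning client with the server's RSA key in known_hosts: RSA types moved first.
RETURNING_CLIENT = build_kexinit(
    dict(COMMON, server_host_key_algorithms=[
        "rsa-sha2-512", "rsa-sha2-256", "ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256"]),
    cookie=b"\x01" * 16)

if __name__ == "__main__":
    for label, msg in (("first contact", FIRST_CONTACT), ("returning client", RETURNING_CLIENT)):
        algs = parse_kexinit(msg)["server_host_key_algorithms"]
        print(label, algs, "-> known key types:", known_hostkey_types(algs))
```

In a real deployment the payload would be the decoded KEXINIT from the client's first packet; a positive result tells the operator before key exchange completes that the client will reject the MITM host key, so the session can be passed through or handled differently instead of tripping a host key warning.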

After the client has connected to SSH-MITM, the terminal session can be hijacked and the auditor can interact with the shell on the remote server directly. Files transferred over SCP and SFTP can also be stored or modified in transit.

Security implications
SSH-MITM is a man in the middle tool and should only be used for security audits or malware analysis.

Because known exploits for ssh clients are implemented and used to intercept clients, SSH-MITM should be treated as a security risk and must not be used as a jump server.

Platforms
SSH-MITM is written in Python, which allows the server to run on different platforms such as Linux, Microsoft Windows and macOS.

The main development platform is Linux, because the server supports the TPROXY kernel feature, which provides transparent proxy support: ssh connections can be redirected to SSH-MITM without reconfiguring the client.

Licensing
SSH-MITM is open source, licensed under the LGPL-3.0.