SSH MITM v1.0 Released!

A few months ago on an internal pentest, I wanted to do an MITM attack on SSH tunnels to capture credentials. Besides the outdated SSHv1 downgrade trick, the only thing I could find was the JMITM2 tool. But not only was it last updated in 2004, I couldn’t get it to work either.

So I sat down and wrote a patch for OpenSSH v7.5p1 (the latest version) to make it do what I want. Now with a little ARP spoofing, you can capture their plaintext password and log a victim’s entire session! Of course, their SSH client will complain that the server key has changed, but guess what many/most people do in that situation? The overwhelming majority of the time, that warning is caused by an OS re-install or re-configuration, so people tend to ignore it. Big mistake.

I’m pretty surprised that no other modern tool exists to do this, but since being announced on Reddit, it’s got a lot of interest from the community. It’s now available on GitHub: https://github.com/jtesta/ssh-mitm