Thursday, September 1, 2011

SSH Session Hacking

SSH session can be hacked using MiTM(Man in The Middle) attack. This attack is known as ssh downgrade attack. Let us understand it. Suppose you are accessing machine C from machine A using ssh


A-------------------------------->C

Now suppose there is a machine B which come in middle and alter request that coming from A and forward it to C and vice versa.

A------(ssh request)--->B----------------->C

Now A send ssh request to C. C replies that it support Version1 and Version 2 of SSH protocol.

A--------------->-----------------C

A-----<-----(C only support V1) B-----<------C(support v1 and v2 of ssh)

But B alter packet and pass to A that C only support versio1 of SSH.

A-------->(ssh1)-----------B(sniff packet)------>------C

Since version1 of ssh is insecure by sniffing packets you can get login and password details passed in ssh. This attack is know as ssh downgrade attack, a MiTM implementation. You can try this using ettercap(http://ettercap.sourceforge.net/).