jtesta / ssh-mitm

SSH man-in-the-middle tool

Trying to intercept the SSH connection to AWS EC2 instance #26

Closed vk-gst closed 4 years ago

vk-gst commented 4 years ago

I am a beginner to penetration testing and was wondering if I can use this method that you described to intercept an AWS EC2 instance SSH. I will be doing this on my own machine and an AWS EC2 server that I have full control over.

Would this be possible? And if yes, is it legal to do so? I do not want to run into some lawsuits trying to do this on Amazon AWS.

jtesta commented 4 years ago

Technically speaking, it is possible to use this to intercept credentials to EC2 servers, assuming the attacker and victim are on the same LAN.

Legally speaking, I'm not a lawyer in any jurisdiction. But I strongly suspect that it is legal to do in the U.S. as long as you have permission from the server owner. I don't know about any other jurisdictions in the world.


-- Joseph S. Testa II Founder & Principal Security Consultant Positron Security

vk-gst commented 4 years ago

"On the same LAN", that's something I did not understand. Imagine an attacker having an IP address of the server, but not the user name and the public/private key for SSH session. In that scenario, what would be the approach in using this tool?

jtesta commented 4 years ago

The typical use case of this tool is that the attacker is on the same LAN as the victim(s) so that ARP spoofing intercepts all their traffic. The tool then intercepts all new SSH connections to any destination (neither the destination nor username need to be known ahead of time).

As long as the attacker can intercept the entire connection from the victim, this attack is possible. ARP spoofing isn't the only way; it's possible to run other routing attacks as well, though this is outside the scope of the project.

I'd recommend trying it out first on your own private LAN. The instructions on the project page will get you up and running very quickly.

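What the ARP-spoofing step described in the reply above looks like on the wire, as an added example that is not part of the ssh-mitm project or this thread: a small RFC 826 ARP packet parser plus a detector that flags the two signatures of a poisoning run (an IP whose MAC changes, and one MAC answering for more than one IP). The traffic it processes is constructed inline; the gateway, victim and attacker addresses are made-up sample values. Once the victim's ARP cache maps the gateway IP to the attacker's MAC, every new connection from the victim, including SSH, transits the attacker's host, which is the precondition the tool needs.

```python
import struct
from collections import defaultdict
from typing import Dict, List, Optional, Set

# ARP packet layout (RFC 826), Ethernet/IPv4 flavour, 28 bytes, Ethernet header stripped:
# hardware type, protocol type, hw addr len, proto addr len, opcode,
# sender MAC, sender IP, target MAC, target IP.
ARP = struct.Struct("!HHBBH6s4s6s4s")
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_to_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_to_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_arp(op: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Build a raw ARP packet; used here only to construct the sample traffic."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(int(o) for o in s.split("."))
    return ARP.pack(1, 0x0800, 6, 4, op, mac(sha), ip(spa), mac(tha), ip(tpa))


def parse_arp(pkt: bytes) -> Dict[str, object]:
    """Decode a raw ARP packet into op/sha/spa/tha/tpa fields, rejecting malformed input."""
    if len(pkt) < ARP.size:
        raise ValueError("truncated ARP packet")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP.unpack_from(pkt)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"op": op, "sha": mac_to_str(sha), "spa": ip_to_str(spa),
            "tha": mac_to_str(tha), "tpa": ip_to_str(tpa)}


class ArpSpoofDetector:
    """Track IP->MAC bindings announced in ARP replies and alert on:
    - an IP that changes MAC (a host being re-bound to the attacker's interface),
    - a MAC that claims more than one IP (the attacker answering for gateway and victim).
    An optional trusted table seeds bindings the operator knows (e.g. the gateway)."""

    def __init__(self, trusted: Optional[Dict[str, str]] = None) -> None:
        self.ip_to_mac: Dict[str, str] = dict(trusted or {})
        self.mac_to_ips: Dict[str, Set[str]] = defaultdict(set)
        for ip, mac in self.ip_to_mac.items():
            self.mac_to_ips[mac].add(ip)
        self.alerts: List[str] = []

    def observe(self, pkt: bytes) -> None:
        arp = parse_arp(pkt)
        if arp["op"] != ARP_REPLY:
            return  # poisoning is done with unsolicited replies; requests are ignored here
        ip, mac = str(arp["spa"]), str(arp["sha"])
        previous = self.ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            self.alerts.append(f"{ip} changed from {previous} to {mac}")
        self.ip_to_mac[ip] = mac
        if ip not in self.mac_to_ips[mac]:
            self.mac_to_ips[mac].add(ip)
            if len(self.mac_to_ips[mac]) > 1:
                claimed = ", ".join(sorted(self.mac_to_ips[mac]))
                self.alerts.append(f"{mac} claims multiple IPs: {claimed}")


def demo() -> List[str]:
    """Constructed sample: a gateway, a victim, and an attacker poisoning both sides."""
    gateway_ip, gateway_mac = "192.168.1.1", "aa:aa:aa:aa:aa:01"
    victim_ip, victim_mac = "192.168.1.50", "bb:bb:bb:bb:bb:50"
    attacker_mac = "cc:cc:cc:cc:cc:99"
    detector = ArpSpoofDetector(trusted={gateway_ip: gateway_mac})
    traffic = [
        build_arp(ARP_REQUEST, victim_mac, victim_ip, "00:00:00:00:00:00", gateway_ip),
        build_arp(ARP_REPLY, gateway_mac, gateway_ip, victim_mac, victim_ip),    # legitimate answer
        build_arp(ARP_REPLY, attacker_mac, gateway_ip, victim_mac, victim_ip),   # "gateway is-at attacker" -> victim
        build_arp(ARP_REPLY, attacker_mac, victim_ip, gateway_mac, gateway_ip),  # "victim is-at attacker" -> gateway
    ]
    for pkt in traffic:
        detector.observe(pkt)
    return detector.alerts


if __name__ == "__main__":
    for line in demo():
        print("ALERT:", line)
```

The second alert is the more robust one on a real network: DHCP churn can legitimately move an IP between MACs, but a single interface answering for both the default gateway and an ordinary host is the shape of exactly the interception the thread describes, so it is the condition to page on.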