SSH MitM Downgrade

Performing an SSH Man-in-the-Middle downgrade attack (Tutorial)
By Click Death Squad (C.D.S.)
Revision 1.0

A classic Man-in-the-Middle attack is the SSH downgrade scam. This attack works by tricking a SSH server and client into negotiating a lower encryption protocol (SSH1) instead of SSH2. Because SSH1 is notably weak and should not be used, most clients will request using the SSH2 protocol by default and negotiate a connection with the server. Using ARP poisoning and advising a client computer (on behalf of the SSH server) that we only accept SSH1, a connection using insecure credentials will be established. Very simple tools can accomplish this task, and in the example we used a 3 computer setup on a LAN. Our SSH server is running FreeBSD, the client computer is running Windows and using PuTTY to connect. The third computer is an Ubuntu box with ettercap installed, acting as our hijacker. We will trick the two computers into negotiating a weak encryption scheme and then capture the password as it is transmitted across the network using the insecure SSH1 protocol. Take note that most SSH servers do not accept the SSH1 protocol by default, but some do. The FreeBSD SSH server in our example does not have this enabled by default, so we will show how it can be enabled for the purpose of testing this attack method.

In this example, we used 3 different computers, and all the commands issued are given in quotes, with the result of the commands being listed in grey. After each step, a screenshot is given so you may compare your output to what should be happening. Please note that not all the screenshots contain the exact same data which is given in the example, they are merely for reference purposes. The following diagram below is an illustration of how this attack method works.

Tools you will need to accomplish this task:
  • An SSH server that you have administrative rights to
  • A Linux computer with ettercap installed
  • A client computer that can connect to the SSH server and get hijacked
  • Intermediate to advanced Linux/UNIX networking skills
  • A cold beer

Step 1: Enable SSH1 protocol on the SSH server you are running.
Mentioned previously, our SSH server in this example is a FreeBSD machine. It does not support the SSH1 protocol by default, so we need to log into the SSH server and modify the configuration. Using your favorite (nano) text editor, edit the "/etc/ssh/sshd_config" file and specify that your server is willing to accept both 1 and 2 protocols. You will also need to specify where the key should be stored once we generate it.

"nano /etc/ssh/sshd_config" ### edit the configuration file and specify the options.

After you modified the configuration, be sure to save it.

Step 2: Generate an SSH1 key and restart the SSH daemon to make the changes take effect.
Once you have modified the configuration for the SSH server, you should generate a new SSH1 protocol key. After generating the key, you will need to restart the SSH daemon to have the changes immediately take effect. First generate the new key, then restart the SSH server daemon.

"ssh-keygen -t rsa1 -f /etc/ssh/ssh_host_key -N testpassword" ### where "-t" specifies RSA1 (SSH1 only), "-f" specifies the configuration file and -"N" specifies the passphrase for the key.

"/etc/rc.d/sshd restart" ### restarts the SSH daemon on FreeBSD. (If your SSH server is Linux, the command is "/etc/init.d/sshd restart")

Step 3: Compile the ettercap SSH filter and prepare for the attack.
Ettercap comes with various filters that can accomplish tasks, such as faking an SSH server version string. There are many of these filters that come preinstalled with ettercap, but you will need to compile the filter before you actually use it for this attack method. Compiling filter rules is easy. Find the directory (usually /usr/share/ettercap/) where the filters are stored, and compile the SSH server version filter so we can use it.

"cd /usr/share/ettercap" ### change directory to the location of the filters.
"etterfilter etter.filter.ssh" ### compile the SSH server string filter and put the compiled output in 'filter.ef' for the attack.

Compiling the SSH server string filter correctly should indicate that it wrote the output to filter.ef and encoded all the instructions.

Step 4: Use ettercap to start scanning for your targets, begin ARP poisioning and fake out the client.
Ettercap has 3 possible modes of operation: text mode, ncurses and the GTK interface. For simplicity, we will be using the GTK interface. Use your Linux computer with ettercap to prepare for the attack. You will need to start ettercap using the GTK frontend, scan for the targets and then being ARP poisoning. Launch ettercap, go to the Sniff menu and select "Unified sniffing" then specify the interface that will be used to execute the attack.

"ettercap -G"

Once your interface has been selected, you need to load the filter file that we compiled earlier so that the SSH downgrade attack can be executed. Load the filter by going to the "Filters" menu and selecting the "filter.ef" file that was compiled earlier.

The filter has been loaded, and you need to scan the network for targets that will be used to complete the attack. Go to the "Hosts" menu and select "Scan for hosts" to collect a list of computers that will be used.

Your attacking machine now has the SSH server string plugin loaded and a collected list of hosts that are being targeted. All the steps are set in place to capture login credentials except the ARP poisoning. Go to the "Mitm" menu and select "ARP poisoning" which will begin sending out forged ARP requests, allowing you to capture data intended for all hosts on the LAN. The filter that was loaded tells the victim client that the SSH server is not capable of negotiating the SSH2 protocol. Ettercap has scanned all the hosts on the LAN and is actively poisoning the ARP cache, which allows us to intercept and modify instructions sent between the victim SSH server and the client. Start ARP poisoning by going to the "Mitm" menu and enabling "ARP poisoning" to prepare for the capture.

Step 5: Go to your Windows box and use PuTTY to login to the SSH server.
Your SSH server is accepting both SSH2 and SSH1 protocol connections. Your Linux box is running ettercap with a filter, ready to modify a SSH server string and is actively poisoning ARP on the network. Use your Windows computer to load up PuTTY and login to the SSH server.

You can see that by default, PuTTY will request SSH2, but is willing to accept SSH1 and downgrade if the server doesn't support the SSH2 protocol. Connect to the SSH server while your Linux box is prepared for the attack.

Step 6: Hijack the SSH1 login information.
Once your Windows box with PuTTY connects to the SSH server, your Linux machine will detect the SSH server string and modify it because you are poisoning the network with fake ARP requests. The connection will be initiated using the SSH1 protocol, which is insecure. Ettercap will detect the SSH1 login information and display it in the window. The attack was successful and you have hijacked the credentials! By intercepting the data passed between the SSH server and the victim, you have forced them to negotiate a weaker protocol. It is game over, and you managed to force a downgrade.

There are a number of steps you can take to prevent this type of attack from occuring on your SSH server. Most prominently, you should make sure that your SSH server configuration only supports the SSH2 protocol. ARP poisoning is a common attack, but can be detected by using a tool such as arpalert. As mentioned in the beginning of the tutorial, most SSH servers do not have SSH1 enabled by default, but some do. This attack is deadly because it does not necessarily require issuing a false certificate to the client that is connecting. By merely altering the SSH server version string, we can trick a client into negotiating a lower level of encryption on it's own accord. Make sure you always secure your servers and check your logfiles. Enjoy.