SSH-MITM issues

[goh26]

Hello, I am trying to set up a transparent SSH-MITM with ARP spoofing on a lab. The MITM receives requests from the client to the server but seems to create a large number of sessions, eventually crashing, which prevents me from completing my SSH connection with the server. The return message is "Permission denied (publickey)", even though I'm using password authentication.
Here are some of the messages on the proxy console :
ERROR Authentication timeout.
INFO ℹ client information:
- client version: ssh-2.0-paramiko_3.4.0
- product name: Paramiko
- vendor url: https://www.paramiko.org/
- client address: ip=::ffff:192.168.1.20 port=45528
⚠ detected vulnerabilities by active tests:
CVE-2020-14145 - Fingerprint information leak
* client uses same server_host_key_algorithms list for unknown and known hosts
* Preferred server host key algorithm: ssh-ed25519
CVE-2023-48795 - Terrapin-Attack
* ChaCha20-Poly1305 support: False
* CBC-EtM support: True
* Strict key exchange support: True
* Mitigation status: mitigated
INFO ℹ session 44f1f5c7-59ea-464e-9c7c-ef5a9915833c created
ERROR Authentication timeout.
INFO ℹ client information:
- client version: ssh-2.0-paramiko_3.4.0
- product name: Paramiko
- vendor url: https://www.paramiko.org/
- client address: ip=::ffff:192.168.1.20 port=45542
⚠ detected vulnerabilities by active tests:
CVE-2020-14145 - Fingerprint information leak
* client uses same server_host_key_algorithms list for unknown and known hosts
* Preferred server host key algorithm: ssh-ed25519
CVE-2023-48795 - Terrapin-Attack
* ChaCha20-Poly1305 support: False
* CBC-EtM support: True
* Strict key exchange support: True
* Mitigation status: mitigated
INFO ℹ session a9fd184f-4034-4b2d-9c29-312b682eceb9 created
ERROR Authentication timeout.
INFO ℹ client information:
- client version: ssh-2.0-paramiko_3.4.0
- product name: Paramiko
- vendor url: https://www.paramiko.org/
- client address: ip=::ffff:192.168.1.20 port=45548
⚠ detected vulnerabilities by active tests:
CVE-2020-14145 - Fingerprint information leak
* client uses same server_host_key_algorithms list for unknown and known hosts
* Preferred server host key algorithm: ssh-ed25519
CVE-2023-48795 - Terrapin-Attack
* ChaCha20-Poly1305 support: False
* CBC-EtM support: True
* Strict key exchange support: True
* Mitigation status: mitigated
ERROR Authentication timeout.
INFO ℹ session 04c0cd04-c21a-430e-830e-708778422438 created
INFO ℹ client information:
- client version: ssh-2.0-paramiko_3.4.0
- product name: Paramiko
- vendor url: https://www.paramiko.org/
- client address: ip=::ffff:192.168.1.20 port=45560
⚠ detected vulnerabilities by active tests:
CVE-2020-14145 - Fingerprint information leak
* client uses same server_host_key_algorithms list for unknown and known hosts
* Preferred server host key algorithm: ssh-ed25519
CVE-2023-48795 - Terrapin-Attack
* ChaCha20-Poly1305 support: False
* CBC-EtM support: True
* Strict key exchange support: True
* Mitigation status: mitigated
INFO ℹ session eb7f679a-48d5-4376-b4b1-0a87dfd03ad7 created
ERROR Authentication timeout.
INFO ℹ client information:
- client version: ssh-2.0-paramiko_3.4.0
- product name: Paramiko
- vendor url: https://www.paramiko.org/
- client address: ip=::ffff:192.168.1.20 port=45562
⚠ detected vulnerabilities by active tests:
CVE-2020-14145 - Fingerprint information leak
* client uses same server_host_key_algorithms list for unknown and known hosts
* Preferred server host key algorithm: ssh-ed25519
CVE-2023-48795 - Terrapin-Attack
* ChaCha20-Poly1305 support: False
* CBC-EtM support: True
* Strict key exchange support: True
* Mitigation status: mitigated
ERROR Authentication timeout.
ERROR Error creating socket!
╭──────────────────────────────── Traceback (most recent call last) ────────────────────────────────╮
│ /tmp/.mount_ssh-miaWhXug/python/lib/python3.11/site-packages/sshmitm/server/init.py:317 in │
│ start │
│ │
│ /tmp/.mount_ssh-miaWhXug/python/lib/python3.11/socket.py:294 in accept │
╰───────────────────────────────────────────────────────────────────────────────────────────────────╯
OSError: [Errno 24] Too many open files
INFO ❗ Shutting down server ...

Thanks by advance !

[goh26]

UPDATE : I think there is a bug in transparent mode, since in classic server mode with the --remote-host argument and the IP of an SSH server, it works. However, I would like to intercept all SSH connections initiated within my lab, regardless of the server and the client. Thanks in advance!

[manfred-kaiser]

Transparent Mode Configuration

To use SSH-MITM in transparent mode, additional configuration is required. The exact settings depend on the specific scenario.

We recommend starting with the scenario described in the official documentation:
SSH-MITM Transparent Mode Guide

This setup has been thoroughly tested and serves as a solid foundation for further experimentation.

Issue with ARP Spoofing and Connection Loops

When using ARP spoofing, additional adjustments are necessary to prevent network issues.

In your setup, you are performing ARP spoofing on the SSH server, allowing SSH-MITM to intercept the connection. However, SSH-MITM also needs to establish a new connection to the same server. Because ARP spoofing redirects all traffic to SSH-MITM, the new connection attempt is also intercepted by SSH-MITM instead of reaching the intended SSH server.

How the Loop Occurs

1. SSH-MITM intercepts the client's SSH request and attempts to forward it.
2. The new connection is redirected back to SSH-MITM due to ARP spoofing.
3. SSH-MITM tries again, but the connection keeps looping back.
4. This results in repeated errors and failed connections, as described in your first post.

Preventing the Loop

To avoid this issue, you need to ensure that SSH-MITM can establish a direct connection to the real SSH server without being intercepted by ARP spoofing.

[manfred-kaiser]

Using the ip Command to Prevent ARP Spoofing Issues

To prevent ARP spoofing from affecting critical devices, a static ARP entry can be added using the ip command. This ensures that the system maintains the correct mapping between an IP address and a hardware address (MAC address), preventing unwanted changes.

Adding a Static ARP Entry with ip

In modern Linux distributions, the ip command replaces the older arp command for managing neighbor entries. The following command adds a permanent ARP entry:

ip neighbor add <TARGET_IP_ADDRESS> lladdr <MAC_ADDRESS> nud permanent dev <NETWORK_INTERFACE>

Example:

ip neighbor add 192.168.1.100 lladdr 00:1A:2B:3C:4D:5E nud permanent dev eth0

• <TARGET_IP_ADDRESS>: The IP address of the target device.
• <MAC_ADDRESS>: The hardware address of the target device.
• <NETWORK_INTERFACE>: The name of the network interface (e.g., eth0).
• nud permanent: Marks the entry as static and prevents automatic updates.

Verifying and Managing ARP Entries

To check the current ARP table:

ip neighbor show

To delete a static ARP entry:

ip neighbor del 192.168.1.100 dev eth0