
SSH Man-in-the-Middle Attack and Public-Key Authentication Method

<a href="http://www.snailbook.com/protocols.html">http://www.signedness.org/tools/</a>

MITM against an SSH connection authenticated using public-key method (this feature is in TODO list of the above mentioned tool though). Being pressed to produce a PoC for this attack, I have attempted to implement it only to discover it is quite impossible and here is why.

During SSH connection setup the peers use Diffie-Hellman to generate encryption keys and a session ID. We assume that the MITM attacker has already managed to circumvent the server host key validation and tricked the peers into establishing the connection. Effectively, there are two connections: the first between the client and the attacker, and the second between the attacker and the server. In the case of password authentication the game is over: the attacker can see the password sent by the client, relay it to the server, and basically do whatever he or she wants.

Now the attacker has a problem, as the client and the server have different ideas about what the session identifier is supposed to be. Obviously, the server will reject the signature supplied by the client and public-key authentication will fail.

itself does not protect against an active MITM attack, but it makes it impossible for a MITM attacker to influence the choice of the shared key (and by extension the session ID) by the victims.

So public-key authentication has the somewhat unexpected side effect of preventing MITM. Nice to know.
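The session-ID mismatch described above can be reproduced in a small model; this is an added example, not code from the original post or from the tool it mentions. It assumes a toy Diffie-Hellman group, an unpadded textbook RSA user key and a simplified exchange hash, and all names in it (`key_exchange`, `client_sign`, `server_verify`, the host key strings, the user `alice`) are hypothetical.

```python
import hashlib
import secrets

# Toy parameters, constructed for illustration and far too small for real use.
P = 2**255 - 19                      # prime modulus of the Diffie-Hellman group
G = 2
# Textbook RSA user key built from two Mersenne primes; no padding.
N = (2**61 - 1) * (2**89 - 1)
E = 65537
D = pow(E, -1, (2**61 - 2) * (2**89 - 2))


def digest(*parts):
    """SHA-256 over length-prefixed fields, returned as an integer."""
    h = hashlib.sha256()
    for part in parts:
        data = part if isinstance(part, bytes) else str(part).encode()
        h.update(len(data).to_bytes(4, "big") + data)
    return int.from_bytes(h.digest(), "big")


def key_exchange(host_key):
    """Run one DH exchange and return the session ID both ends derive."""
    x, y = secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1
    e, f = pow(G, x, P), pow(G, y, P)
    k = pow(f, x, P)                  # same value as pow(e, y, P) on the peer
    return digest(host_key, e, f, k)  # simplified exchange hash


def client_sign(session_id, user):
    """Client signs the session ID together with the authentication request."""
    return pow(digest(session_id, user, N, E) % N, D, N)


def server_verify(session_id, user, signature):
    """Server rebuilds the signed data from its own session ID and checks it."""
    return pow(signature, E, N) == digest(session_id, user, N, E) % N


def direct_login():
    sid = key_exchange(b"server-host-key")
    return server_verify(sid, "alice", client_sign(sid, "alice"))


def relayed_login():
    # One exchange per side of the relay, so each side holds a different ID.
    sid_client = key_exchange(b"attacker-host-key")
    sid_server = key_exchange(b"server-host-key")
    return server_verify(sid_server, "alice", client_sign(sid_client, "alice"))
```

`direct_login()` returns `True`, while `relayed_login()` returns `False` because the signature is bound to a session ID the server never computed.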
