Mitm

The SSH man in the middle (MITM) runs as a Java process on the host machine (dom0). Currently, I'm testing with the XEN3-UPDATE image as host and the XEN-GUEST-F8-STD image as guests; there's no reason why it shouldn't work on other hosts.

Setting up dom0

To run successfully, we need Java 6 or 7 and iptables (with libnetfilter) on the host. The setup also assumes that the guests sit behind the host, behind some sort of NAT.

sudo yum install libnfnetlink-devel.i386 libnetfilter_queue-devel.i386 ebtables java-1.7.0-icedtea.i586

Running it

Assuming you have the jar and the config files in the right places, you run:

java -jar mitm.jar -start
java -jar mitm.jar -add <name> <demux-type> <demux-args>
java -jar mitm.jar -add node0 port <target-hostname>:<target-port> //node0 is a name of your choice, port is the demux type, and the last part is the target ssh server to MITM

java -jar mitm.jar -remove <name>
java -jar mitm.jar -remove node0
java -jar mitm.jar -stop //Stops all servers and kills the daemon

java -jar mitm.jar -list //Lists all running servers by name

<name> is a user-specified name for the server.

<demux-type> is either 'port' or 'user' and specifies how the MITM decides which target to connect to. With 'port', the MITM always connects to one fixed machine. With 'user', the connecting user names the target machine in the username, using the format <username>:<target-hostname>:<target-port>@<mitm-server>, and connects directly to the port the MITM is listening on. The 'user' demux does no iptables redirection.

'port' <demux-args> = <target-hostname>:<target-port>

'user' <demux-args> = "" //No arguments expected

The iptables stuff

Everything that affects the network is done through iptables, and this is how it works. All the main rules go into the mitm_redir and mitm_spoof chains in the nat table; you can inspect them with iptables -t nat -L. Two rules in the PREROUTING and POSTROUTING chains push all TCP packets through the mitm chains.

When a MITM server is started with -add, the mitm_redir chain is set up so that all packets going to target_machine on port 22 (or whichever port ssh is on) are redirected to the MITM server running on the host instead.

To clean up the iptables state, run iptables -t nat -F mitm_redir, which flushes all the redirection rules. (The spoofing rules aren't that important to flush.)
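The nat-table layout described above, as an added example in sh rather than the tool's own Java code: the chain names, the hook rules and the flush command are the page's, while the listener port MITM_PORT (2222 here is a made-up default), the DRY_RUN switch and the function names are assumptions for this example.

```shell
#!/bin/sh
# Added example: the nat-table layout described above, as sh functions.
# Assumptions (not from the page): the MITM listener on dom0 is on MITM_PORT
# (2222 here is a made-up default) and DRY_RUN=1 prints the iptables commands
# instead of running them, so the rule set can be reviewed before it is applied.
MITM_PORT="${MITM_PORT:-2222}"
DRY_RUN="${DRY_RUN:-1}"

# Every rule goes through this wrapper; all rules live in the nat table.
ipt() {
  if [ "$DRY_RUN" = "1" ]; then
    printf 'iptables -t nat %s\n' "$*"
  else
    iptables -t nat "$@"
  fi
}

# One-time setup: create the two chains and the two hook rules that push
# all TCP traffic through them (chain names are the page's).
mitm_setup() {
  ipt -N mitm_redir
  ipt -N mitm_spoof
  ipt -A PREROUTING -p tcp -j mitm_redir
  ipt -A POSTROUTING -p tcp -j mitm_spoof
}

# What "-add <name> port <target-hostname>:<target-port>" does to mitm_redir:
# guest connections to the target's ssh port are redirected to the listener.
mitm_add_port() {
  target="$1"
  case "$target" in
    *:*) ;;
    *) echo "expected <target-hostname>:<target-port>" >&2; return 1 ;;
  esac
  host="${target%:*}"
  port="${target##*:}"
  ipt -A mitm_redir -p tcp -d "$host" --dport "$port" -j REDIRECT --to-ports "$MITM_PORT"
}

# Inspect the redirection rules (iptables -t nat -L) and the cleanup the page
# recommends: flush mitm_redir only, leaving mitm_spoof alone.
mitm_list()  { ipt -L mitm_redir -n; }
mitm_flush() { ipt -F mitm_redir; }
```

With DRY_RUN=1 (the default) nothing is applied; the functions print the rules so they can be checked against iptables -t nat -L before being run as root.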

Connecting through

If you want to connect using a public key, it's essential to have an ssh-agent running on the user's system.

ssh-agent bash <or> run ssh-agent and then run the commands it prints out <or> some variation
ssh-add ~/.ssh/id_rsa
ssh -A