Lab10 SSH
Lab – SSH
Part 1
This part shows how to use wireshark to view the Application Layer (Layer 7) traffic between your
targets. Set up one machine as a telnet server and log in to it from the client machine, sniffing the
traffic with wireshark on the ettercap attacker. Find the user name and password.
Now have the client log in using ssh. Can you find the username and password now?
Show the telnet username and password in the wireshark pcap, and show the equivalent pcap for the ssh
login.
Check Point 1:
CP1a: telnet username and password in pcap:
Part 2
Resource1: SSH downgrade attack using a pre-defined filter
Common error in this part of the lab: Protocol major versions differ: 1 vs. 2
Obviously, it is dangerous to use clear text authentication over the network. Because of this, telnet is
being replaced by ssh as a remote login service. As you should know, ssh encrypts traffic over the
network. However, some ssh servers are vulnerable to man-in-the-middle attacks if they support the
ssh-1 protocol, which has been broken. When a client and server attempt to use encryption, they perform a
negotiation to see which protocol version and encryption methods they should use, because they may not
have the same updates. Ettercap tries to convince the client that the server only speaks ssh-1, which
works if ssh-1 is still enabled on the server. We will try that next.
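As an added example (not part of this lab handout), the following Python classifies the two SSH identification lines a pcap shows for one session and flags an SSH-1 negotiation, and checks the sshd_config Protocol directive that is the countermeasure on older OpenSSH releases; the banners and config lines are constructed samples.

```python
import re

# Identification string shape from RFC 4253: "SSH-protoversion-softwareversion [comments]".
BANNER_RE = re.compile(r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)(?: (?P<comments>.*))?$")

# Constructed sample banners in the shape a pcap shows (not taken from a real capture).
SAMPLE_SESSIONS = {
    "normal":     ("SSH-1.99-OpenSSH_5.3", "SSH-2.0-PuTTY_Release_0.60"),
    "downgraded": ("SSH-1.99-OpenSSH_5.3", "SSH-1.5-PuTTY_Release_0.60"),
    "hardened":   ("SSH-2.0-OpenSSH_8.4", "SSH-2.0-PuTTY_Release_0.76"),
}

def parse_banner(line):
    """Return (protoversion, softwareversion) from one SSH identification line."""
    m = BANNER_RE.match(line.strip())
    if not m:
        raise ValueError("not an SSH identification string: %r" % line)
    return m.group("proto"), m.group("software")

def classify_session(server_banner, client_banner):
    """Classify what the two identification lines of one session negotiated.

    A server banner of 1.99 means it will speak SSH-1 or SSH-2; 1.5 / 1.51 means SSH-1
    only.  The client's reply is the version actually chosen for the session.
    """
    s_proto, _ = parse_banner(server_banner)
    c_proto, _ = parse_banner(client_banner)
    server_allows_ssh1 = s_proto.startswith("1.")
    if c_proto == "2.0":
        return "ssh2-but-server-allows-ssh1" if server_allows_ssh1 else "ssh2-only"
    # The client settled on SSH-1.  If the server also offered 2.0 (1.99) this is the
    # downgrade pattern: something between the peers talked the client out of SSH-2.
    return "ssh1-downgrade" if s_proto == "1.99" else "ssh1"

def weak_protocol_lines(sshd_config_text):
    """Return Protocol directives in an sshd_config that still enable SSH-1
    (older OpenSSH; the directive disappeared when SSH-1 support was removed)."""
    weak = []
    for raw in sshd_config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"^Protocol\s+(\S+)", line, re.IGNORECASE)
        if m and "1" in m.group(1).split(","):
            weak.append(line)
    return weak

if __name__ == "__main__":
    for name, (srv, cli) in SAMPLE_SESSIONS.items():
        print("%-10s server=%s client=%s -> %s" % (name, srv, cli, classify_session(srv, cli)))
    # Constructed sshd_config fragment: the weak setting beside the corrected one.
    print(weak_protocol_lines("Protocol 2,1   # weak: SSH-1 still enabled\n"))  # ['Protocol 2,1']
    print(weak_protocol_lines("Protocol 2     # corrected\n"))                  # []
```

In a capture, the server's line is the first "SSH-" string from port 22 and the client's is the reply; feeding both to classify_session tells you whether the session you are looking at is the downgraded one.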
Perform a MITM attack between the server we are logging in to and our client machine.
Log in to the ssh server with your client, capturing the traffic. Take a look and ensure that it is indeed
encrypted. Try to figure out where in the transaction the negotiation for the encryption method occurs.
Ettercap has a predefined configuration file for creating a filter for the SSH downgrade attack:
/usr/share/ettercap/etter.filter.ssh
On the command line, cd into the directory in which this file resides. Compile the file to create the filter
with the following command:
#etterfilter etter.filter.ssh -o etter_filter_ssh_co
Refer to the APPENDIX A and the website www.openmaniak.com for the following topics:
what is ettercap?
ARP poisoning
Man in the Middle (MITM) attack
statistics
countermeasures
Load the compiled filter, etter_filter_ssh_co, in ettercap.
Use putty to log in to the ssh server from a Windows machine, with this configuration in place.
Look at the message window in ettercap. Behold the user name and password. Take a look at the
wireshark pcap. Find out where ettercap downgraded the encryption.
Please show the ssh username and password in ettercap message window, and the ssh downgrade
portion of your pcap.
Check Point 2:
CP2a: username and password in ettercap message window:
APPENDIX A
NOTE: If you cannot generate ARP traffic to view in Wireshark because the ARP cache is already populated,
you have a couple of options:
1. You can use arp-scan, a tool for generating and manipulating ARP traffic.
syntax: arp-scan --interface=eth0 target-machine
2. You can clear the ARP cache of your Kali machine and then create traffic between Kali and other
hosts on the LAN.
syntax: ip -s -s neigh flush all
#ettercap -G
Choose sniff mode, selecting the correct interface when offered a choice:
Next we want to do a scan to find out which hosts are on our LAN:
Next we will perform ARP poisoning. If you do not choose targets, the default is to poison all the ARP
caches on the LAN. This is overkill, easier to trace, and will cause performance degradation if there are
more than a few hosts on the LAN. So we don't want to do it. Choose two targets, by selecting each and
clicking on an "Add to Target" button. Go to the menu and check that the targets are correct.