SSH-MITM - ssh audits made simple


SSH-MITM is an open-source man-in-the-middle SSH server for security audits and malware analysis. It intercepts SSH sessions in real time — supporting password and public-key authentication, session hijacking, file transfer interception, and port forwarding — through a flexible plugin system.

Features

Session Hijacking

Mirror live SSH sessions and interact with them in real time. Commands executed in either session appear in both.

File Interception

Intercept, store, or replace files during SCP and SFTP transfers without interrupting the client.

Port Forwarding

Intercept TCP tunnels and dynamic port forwarding with full SOCKS 4/5 support.

Authentication

Supports password and public-key authentication with automatic fallback. Redirect sessions without a forwarded agent to a honeypot.

FIDO2 Token Phishing

Intercept hardware token authentication via the trivial authentication attack (CVE-2021-36367, CVE-2021-36368).

Plugin Browser

Explore all available plugins and their configuration options interactively in the terminal — without editing any files.


Quick Start

Placed between a client and its SSH server, SSH-MITM intercepts the connection transparently — forwarding it to the target while giving the auditor full visibility and control:

SSH-MITM setup diagram

1. Install

No installation required. Download the AppImage and you are ready to go:

$ wget https://github.com/ssh-mitm/ssh-mitm/releases/latest/download/ssh-mitm-x86_64.AppImage
$ chmod +x ssh-mitm-x86_64.AppImage

For other installation options (pip, Flatpak, Snap) see the installation guide.

2. Start SSH-MITM

Point SSH-MITM at your target host — use a system you are authorized to test:

$ ./ssh-mitm-x86_64.AppImage server --remote-host <target-host>

3. Route a client connection

Have the SSH client connect through SSH-MITM on port 10022:

$ ssh -p 10022 user@mitm-host

SSH-MITM intercepts the session and logs the credentials immediately:

INFO     Remote authentication succeeded
    Remote Address: <target-host>:22
    Username: user
    Password: secret
    Agent: no agent

4. Attach to the live session

For every intercepted connection, SSH-MITM opens a mirror shell on a local port:

INFO     ℹ created mirrorshell on port 34463. connect with: ssh -p 34463 127.0.0.1

Connect to it from a separate terminal:

$ ssh -p 34463 127.0.0.1

The mirror shell reflects the session in real time. The auditor can observe the user’s activity and inject commands independently, without affecting the original connection.
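As an added example (not part of the SSH-MITM project or its documentation), the following Python snippet parses log output laid out like the excerpts above into one record per intercepted session and builds a report with passwords masked, so an audit can be documented without copying cleartext credentials into reports. The sample log lines are constructed, and the assumption that every detail line is an indented `Key: value` pair under the `Remote authentication succeeded` header, followed by the mirror-shell line for that session, is mine rather than something the project guarantees.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of SSH-MITM log output, laid out like the excerpts in the
# quick start. Addresses and names are placeholders; the exact layout of real
# log output is an assumption.
SAMPLE_LOG = """\
INFO     Remote authentication succeeded
    Remote Address: 192.0.2.10:22
    Username: alice
    Password: secret
    Agent: no agent
INFO     ℹ created mirrorshell on port 34463. connect with: ssh -p 34463 127.0.0.1
INFO     Remote authentication succeeded
    Remote Address: 192.0.2.11:22
    Username: bob
    Password: hunter2
    Agent: no agent
INFO     ℹ created mirrorshell on port 34470. connect with: ssh -p 34470 127.0.0.1
"""

AUTH_HEADER = re.compile(r"^INFO\s+Remote authentication succeeded\s*$")
DETAIL_LINE = re.compile(r"^\s+(?P<key>[A-Za-z ]+):\s*(?P<value>.*)$")
MIRROR_LINE = re.compile(r"created mirrorshell on port (?P<port>\d+)")

Session = Dict[str, Optional[object]]


def parse_sessions(log_text: str) -> List[Session]:
    """Return one record per intercepted session found in the log text.

    A record starts at each 'Remote authentication succeeded' header; the
    indented detail lines that follow become keys (e.g. 'remote_address',
    'username', 'password', 'agent'), and the next mirror-shell line
    supplies 'mirror_port'.
    """
    sessions: List[Session] = []
    current: Optional[Session] = None
    for line in log_text.splitlines():
        if AUTH_HEADER.match(line):
            current = {"mirror_port": None}
            sessions.append(current)
            continue
        if current is None:
            continue  # lines before the first session header are ignored
        mirror = MIRROR_LINE.search(line)
        if mirror:
            current["mirror_port"] = int(mirror.group("port"))
            continue
        detail = DETAIL_LINE.match(line)
        if detail:
            key = detail.group("key").strip().lower().replace(" ", "_")
            current[key] = detail.group("value").strip()
    return sessions


def summarize(sessions: List[Session]) -> List[str]:
    """One report line per session with the password masked."""
    lines = []
    for s in sessions:
        lines.append(
            "target={remote} user={user} password=*** agent={agent} mirror_port={port}".format(
                remote=s.get("remote_address"),
                user=s.get("username"),
                agent=s.get("agent"),
                port=s.get("mirror_port"),
            )
        )
    return lines


if __name__ == "__main__":
    for line in summarize(parse_sessions(SAMPLE_LOG)):
        print(line)
```

The parser keeps the cleartext password in the parsed record (an auditor may need it to verify a finding), while `summarize` is the only function intended for output that leaves the engagement, which is why masking lives there rather than in the parser.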