SSH-MITM - ssh audits made simple
SSH-MITM is an open-source man-in-the-middle SSH server for security audits and malware analysis. Placed on the network path between client and server, it intercepts SSH sessions in real time; a plugin system lets the auditor extend and customise what is intercepted and how.
Legal Notice
SSH-MITM is intended for authorized security audits, penetration testing, and research only. Do not use it against systems you do not own or have explicit written permission to test. Unauthorized interception of SSH traffic may be illegal in your jurisdiction. See the Legal Notice for details.
New to SSH-MITM? The interactive tutorial walks through five real interception scenarios — no target server needed. Up and running in under two minutes.
The documentation covers all interception techniques in depth: authentication, file transfers, port forwarding, NETCONF, PowerShell, and client auditing.
Features
SSH-MITM acts as a proxy between SSH client and server: it terminates both connections independently and forwards all traffic. This gives the auditor full visibility into the session without disrupting it. Because the client's connection ends at the proxy, the client is presented with the proxy's host key rather than the target's; strict host-key checking on the client (a populated known_hosts and a user who does not click through a mismatch warning) is therefore the primary defense against this position.
Read passwords and public keys in cleartext as they pass through the proxy — clients without a forwarded agent can be redirected to a honeypot. → Authentication
Mirror live SSH sessions and inject commands in real time — both the auditor and the original user see the session. → Session Hijacking
Intercept or silently replace every file transferred via SCP or SFTP without interrupting the client. → File Transfers
Intercept every TCP tunnel and SOCKS connection routed through the proxy. → Port Forwarding
Bypass hardware token authentication without touching the token — using the trivial authentication attack (CVE-2021-36367, CVE-2021-36368). → FIDO2 Token Phishing
Identify SSH client software and known CVEs from key negotiation behavior alone — no active probing required. → Client Auditing
Full visibility into PowerShell Remoting (PSRP) and NETCONF management sessions. → Protocols
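The client-auditing feature above works because every SSH client announces its preferences in the very first key-exchange message, before any authentication happens. The following added example (written for this page, not SSH-MITM's own client-audit code) shows the mechanics: it serialises and parses an SSH2 KEXINIT payload as laid out in RFC 4253 section 7.1, and derives a HASSH-style passive fingerprint (MD5 over the client's kex, cipher, MAC and compression lists) from the parsed lists. The sample algorithm lists are constructed for illustration and are not the exact lists of any particular client; SSH-MITM's own audit logic is documented in the Client Auditing section.

```python
# Added example, not SSH-MITM code: parse an SSH2 KEXINIT payload and derive a
# passive client fingerprint from the algorithm lists it advertises.
import hashlib
import os
import struct

SSH_MSG_KEXINIT = 20

# The ten name-lists, in the order RFC 4253 section 7.1 defines them.
KEXINIT_FIELDS = (
    "kex_algorithms",
    "server_host_key_algorithms",
    "encryption_algorithms_client_to_server",
    "encryption_algorithms_server_to_client",
    "mac_algorithms_client_to_server",
    "mac_algorithms_server_to_client",
    "compression_algorithms_client_to_server",
    "compression_algorithms_server_to_client",
    "languages_client_to_server",
    "languages_server_to_client",
)


def _put_name_list(names):
    """SSH name-list: uint32 length followed by comma-separated ASCII names."""
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data


def build_kexinit(lists, cookie=None, first_kex_packet_follows=False):
    """Serialise a KEXINIT payload: byte 20, 16-byte cookie, ten name-lists,
    boolean first_kex_packet_follows, uint32 reserved (0)."""
    cookie = cookie if cookie is not None else os.urandom(16)
    if len(cookie) != 16:
        raise ValueError("cookie must be exactly 16 bytes")
    body = bytes([SSH_MSG_KEXINIT]) + cookie
    for field in KEXINIT_FIELDS:
        body += _put_name_list(lists.get(field, []))
    body += bytes([1 if first_kex_packet_follows else 0])
    body += struct.pack(">I", 0)
    return body


def parse_kexinit(payload):
    """Parse a KEXINIT payload into a dict of name-lists.
    Raises ValueError on any malformed or truncated input."""
    if len(payload) < 1 + 16 + 10 * 4 + 1 + 4:
        raise ValueError("payload too short for KEXINIT")
    if payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT message (type %d)" % payload[0])
    pos = 17  # skip message byte and cookie
    lists = {}
    for field in KEXINIT_FIELDS:
        if pos + 4 > len(payload):
            raise ValueError("truncated name-list length for %s" % field)
        (length,) = struct.unpack(">I", payload[pos:pos + 4])
        pos += 4
        if pos + length > len(payload):
            raise ValueError("truncated name-list for %s" % field)
        raw = payload[pos:pos + length].decode("ascii")
        pos += length
        lists[field] = raw.split(",") if raw else []
    if pos + 5 > len(payload):
        raise ValueError("missing first_kex_packet_follows/reserved trailer")
    lists["first_kex_packet_follows"] = bool(payload[pos])
    return lists


def is_malformed(payload):
    """True if parse_kexinit rejects the payload."""
    try:
        parse_kexinit(payload)
    except ValueError:
        return True
    return False


def hassh_input(lists):
    """Client-side HASSH input string: kex;enc_c2s;mac_c2s;comp_c2s,
    each list comma-joined in the order the client sent it."""
    return ";".join(",".join(lists[f]) for f in (
        "kex_algorithms",
        "encryption_algorithms_client_to_server",
        "mac_algorithms_client_to_server",
        "compression_algorithms_client_to_server",
    ))


def hassh(lists):
    """HASSH fingerprint: MD5 hex digest of hassh_input. Algorithm *order*
    matters, which is what makes the hash client-specific."""
    return hashlib.md5(hassh_input(lists).encode("ascii")).hexdigest()


# Constructed sample client KEXINIT (illustrative lists, not a real client's).
SAMPLE_CLIENT_LISTS = {
    "kex_algorithms": ["curve25519-sha256", "ecdh-sha2-nistp256"],
    "server_host_key_algorithms": ["ssh-ed25519", "rsa-sha2-512"],
    "encryption_algorithms_client_to_server": ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com"],
    "encryption_algorithms_server_to_client": ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com"],
    "mac_algorithms_client_to_server": ["hmac-sha2-256-etm@openssh.com"],
    "mac_algorithms_server_to_client": ["hmac-sha2-256-etm@openssh.com"],
    "compression_algorithms_client_to_server": ["none", "zlib@openssh.com"],
    "compression_algorithms_server_to_client": ["none", "zlib@openssh.com"],
}
SAMPLE_PAYLOAD = build_kexinit(SAMPLE_CLIENT_LISTS, cookie=b"\x00" * 16)

if __name__ == "__main__":
    parsed = parse_kexinit(SAMPLE_PAYLOAD)
    print("kex:", parsed["kex_algorithms"])
    print("hassh:", hassh(parsed))
```

A proxy in SSH-MITM's position sees this payload in cleartext on the client-facing connection before any host-key or authentication exchange, so the fingerprint costs nothing and provokes no response from the client. The hash on its own only tells you that two clients are configured alike; mapping it to a product and version is done against a fingerprint database the auditor maintains, and a client whose lists have been tuned by the user will not match.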
Security Research
SSH-MITM was originally developed as a research tool, not just a proxy. The man-in-the-middle position makes it possible to observe SSH client behavior that is invisible from either endpoint: how clients negotiate algorithms, which authentication methods they accept, and how they respond to unexpected server behavior.
This research approach led to the discovery of 6 previously unknown vulnerabilities in widely deployed SSH software, including PuTTY, OpenSSH, Dropbear, Midnight Commander, and MobaXterm. Each was reported to the vendor and assigned a CVE number:
CVE-2021-36367 CVE-2021-36368 CVE-2021-36369 CVE-2021-36370 CVE-2022-38336 CVE-2022-38337
The initial findings — the trivial authentication attack and how FIDO2 hardware tokens can be phished through a positioned proxy — were presented at DeepSec 2021: