Audit Guide
This guide walks through SSH-MITM’s interception techniques from first principles to advanced protocol-level attacks. Each section starts with a ready-to-run command and builds toward the technical depth needed for a thorough security audit.
Understand how SSH-MITM is placed between client and server — direct connection, ARP spoofing, DNS hijacking, rogue access point, or transparent proxy at a gateway.
Intercept passwords and public keys. Accept the same key as the target server, use the forwarded agent for full access, or redirect keyless clients to a honeypot.
Authentication · SSH Agent · Trivial Authentication · publickey-hostbound Authentication
Mirror live SSH sessions, inject commands via mirrorshell, capture or replace files during SCP and SFTP transfers, and intercept port forwarding tunnels to reach internal services.
Intercept terminal sessions · File transfers (SCP/SFTP) · Port Forwarding
Intercept tools and protocols that use SSH as a transport — Git and rsync over SSH, PowerShell Remoting, NETCONF, and Mosh.
Git over SSH · rsync over SSH · Intercept PowerShell Remoting (PSRP) · NETCONF (RFC 6242) · Intercept MOSH sessions
Identify SSH client software and version from key negotiation behavior. Match observed patterns against known CVEs automatically.
Plugin browser, full configuration reference, transparent proxy mode, FAQ, and legal notice.