Configuration

[SSH-MITM]
[SSH-MITM]
debug = False
paramiko-log-level = warning
disable-workarounds = False
log-format = text
Options:
  • debug (boolean) – True False
    Enables SSH-MITM’s debug mode, providing more verbose output of status information and internal processes.

  • paramiko-log-level (string) – debug info warning
    Sets the log level for Paramiko, the underlying SSH library. Controls the verbosity of Paramiko’s logging output.

  • disable-workarounds (boolean) – True False
    Disables workarounds for compatibility issues with certain SSH clients. Some clients may require these workarounds to function correctly.

  • log-format (string) – text json
    Defines the format of the log output. Using json suppresses standard output and formats logs as JSON.

[SSH-Server-Modules]
[SSH-Server-Modules]
ssh-interface = mirrorshell
scp-interface = store_file
sftp-interface = base
sftp-handler = store_file
server-tunnel-interface = inject
client-tunnel-interface = socks
auth-interface = base
authenticator = passthrough
session-class = base
Options:
  • ssh-interface (string) – mirrorshell
    Specifies the interface responsible for managing SSH terminal sessions, including shell interaction and command execution.

  • scp-interface (string) – store_file
    Defines the interface used for handling SCP (Secure Copy Protocol) file transfers, including uploads and downloads.

  • sftp-interface (string) – base
    Sets the base interface for SFTP (SSH File Transfer Protocol) operations, such as file listing, uploads, and downloads.

  • sftp-handler (string) – store_file
    Specifies the handler for SFTP operations, responsible for processing file transfer requests and managing file system interactions.

  • server-tunnel-interface (string) – inject
    Configures the interface for managing server-side tunnel operations, such as remote port forwarding.

  • client-tunnel-interface (string) – socks
    Sets the interface for handling client-side tunnel operations, such as local port forwarding.

  • auth-interface (string) – base
    Defines the interface responsible for authentication processes, including credential validation and session initialization.

  • authenticator (string) – passthrough
    Specifies the authenticator module used for validating user credentials and managing authentication workflows.

  • session-class (string) – base
    Sets the custom session class for SSH-MITM, controlling session behavior, logging, and interaction handling.

[SSH-Server-Options]
[SSH-Server-Options]
listen-address = ::
listen-port = 10022
transparent = False
host-key =
host-key-algorithm = rsa
host-key-length = 2048
request-agent-breakin = False
banner-name =
log-webhook-dest =
Options:
  • listen-address (string) – ::
    Specifies the listen address for incoming connections (default: all interfaces).

  • listen-port (integer) – 10022
    Specifies the port on which SSH-MITM listens for incoming SSH connections.
    If a port ≤ 1024 is used, SSH-MITM must be started with root privileges.

  • transparent (boolean) – True False
    Enables transparent mode, which uses Linux TProxy for intercepting incoming connections.
    Transparent mode requires root privileges.

  • host-key (string) –
    Specifies the path to a custom private SSH key used as the host key.
    If no host key is provided, a random host key is generated automatically.

  • host-key-algorithm (string) – dss rsa ecdsa ed25519
    Defines the algorithm used to generate the random host key. The default is rsa.

  • host-key-length (integer) – 2048
    Sets the key length for the generated host key (applies to dss and rsa algorithms). The default is 2048.

  • request-agent-breakin (boolean) – True False
    Enables SSH-MITM to request the SSH agent from the client, even if the client does not forward the agent.
    This can be used to attempt unauthorized access to the client’s SSH agent.

  • banner-name (string) –
    Sets a custom SSH server banner presented to clients during the initial connection.
    If not specified, the default banner is SSH-2.0-SSHMITM_<version>.

  • log-webhook-dest (string) –
    Transmits SSH commands and responses to a remote HTTP server for log collection and analysis.
    Specify a URL, e.g. http://localhost:8080/log.

Session-Plugins

[sshmitm.session:Session]
[sshmitm.session:Session]
session-log-dir =
Options:
  • session-log-dir (string) –
    Specifies the directory where session logs will be stored.

Authentication-Plugins

[sshmitm.authentication:AuthenticatorPassThrough]
[sshmitm.authentication:AuthenticatorPassThrough]
close-pubkey-enumerator-with-session = False
remote-host =
remote-port =
remote-fingerprints =
disable-remote-fingerprint-warning = False
auth-username =
auth-password =
auth-key =
auth-hide-credentials = False
enable-auth-fallback = False
fallback-host =
fallback-port = 22
fallback-username =
fallback-password =
Options:
  • close-pubkey-enumerator-with-session (boolean) – True False
    Closes the public key enumerator when the session is closed. Useful for hiding traces of enumeration activities.

  • remote-host (string) –
    Specifies the remote host to connect to for authentication. Default is 127.0.0.1.

  • remote-port (integer) –
    Specifies the remote port to connect to for authentication. Default is 22.

  • remote-fingerprints (string) –
    Comma-separated list of expected remote host fingerprints. If empty, fingerprint verification is disabled.

  • disable-remote-fingerprint-warning (boolean) – True False
    Disables the warning message if no remote fingerprints are provided.

  • auth-username (string) –
    Specifies the username for remote authentication.

  • auth-password (string) –
    Specifies the password for remote authentication.

  • auth-key (string) –
    Specifies the path to an SSH private key used for remote authentication.

  • auth-hide-credentials (boolean) – True False
    Prevents logging of credentials, which is useful for presentations or security-sensitive environments.

  • enable-auth-fallback (boolean) – True False
    Enables fallback to a honeypot if authentication is not possible.

  • fallback-host (string) –
    Specifies the host for the honeypot fallback. Required if enable-auth-fallback is set to True.

  • fallback-port (integer) –
    Specifies the port for the honeypot fallback. Default is 22.

  • fallback-username (string) –
    Specifies the username for the honeypot fallback. Required if enable-auth-fallback is set to True.

  • fallback-password (string) –
    Specifies the password for the honeypot fallback. Required if enable-auth-fallback is set to True.

[sshmitm.interfaces.server:ServerInterface]
[sshmitm.interfaces.server:ServerInterface]
disable-ssh = False
disable-scp = False
disable-password-auth = False
disable-pubkey-auth = False
accept-first-publickey = False
disallow-publickey-auth = False
enable-none-auth = False
enable-trivial-auth = False
enable-keyboard-interactive-auth = False
disable-keyboard-interactive-prompts = False
extra-auth-methods =
disable-auth-method-lookup = False
Options:
  • disable-ssh (boolean) – True False
    Disables SSH functionality, preventing SSH connections to the server.

  • disable-scp (boolean) – True False
    Disables SCP (Secure Copy Protocol) functionality, preventing file transfers via SCP.

  • disable-password-auth (boolean) – True False
    Disables password-based authentication, forcing clients to use alternative authentication methods.

  • disable-pubkey-auth (boolean) – True False
    Disables public key authentication. Note that this is not RFC 4252 compliant.

  • accept-first-publickey (boolean) – True False
    Accepts the first public key provided by the client without checking if the user is allowed to log in using public key authentication.

  • disallow-publickey-auth (boolean) – True False
    Disallows public key authentication but still verifies whether public key authentication would be possible.

  • enable-none-auth (boolean) – True False
    Enables “none” authentication, which allows connections without any authentication.

  • enable-trivial-auth (boolean) – True False
    Enables the “trivial success authentication” phishing attack, which simulates a successful authentication without actual validation.

  • enable-keyboard-interactive-auth (boolean) – True False
    Enables “keyboard-interactive” authentication, allowing interactive authentication prompts.

  • disable-keyboard-interactive-prompts (boolean) – True False
    Disables prompts for keyboard-interactive authentication, preventing interactive authentication challenges.

  • extra-auth-methods (string) –
    Specifies additional authentication method names that are supported by the server.

  • disable-auth-method-lookup (boolean) – True False
    Disables the lookup of supported authentication methods on the remote server during the authentication process.

Terminal-Session-Plugins

[sshmitm.plugins.ssh.mirrorshell:SSHMirrorForwarder]
[sshmitm.plugins.ssh.mirrorshell:SSHMirrorForwarder]
ssh-mirrorshell-net = 127.0.0.1
ssh-mirrorshell-key =
store-ssh-session = False
ssh-terminal-log-formatter = script
Options:
  • ssh-mirrorshell-net (string) – 127.0.0.1
    Specifies the local address or network interface where SSH MirrorShell injector sessions are served.

  • ssh-mirrorshell-key (string) –
    Specifies the path to the SSH private key used for MirrorShell sessions. If not provided, a default key is used.

  • store-ssh-session (boolean) – True False
    Enables storing of SSH sessions in the scriptreplay format for later replay and analysis.

  • ssh-terminal-log-formatter (string) – script
    Defines the format for terminal logs of captured SSH sessions. Currently, only the script format is supported.

SCP-Plugins

[sshmitm.plugins.scp.inject_file:SCPInjectFile]
[sshmitm.plugins.scp.inject_file:SCPInjectFile]
scp-inject-file =
Options:
  • scp-inject-file (string) –
    Specifies the path to the file that will be injected during SCP file transfers. This option is required.

[sshmitm.plugins.scp.replace_file:SCPReplaceFile]
[sshmitm.plugins.scp.replace_file:SCPReplaceFile]
scp-replace-file =
Options:
  • scp-replace-file (string) –
    Specifies the path to the file that will be used for replacement during SCP file transfers. This option is required.

[sshmitm.plugins.scp.store_file:SCPStorageForwarder]
[sshmitm.plugins.scp.store_file:SCPStorageForwarder]
store-scp-files = False
store-command-data = False
Options:
  • store-scp-files (boolean) – True False
    Enables the storage of files transferred via SCP (Secure Copy Protocol).

  • store-command-data (boolean) – True False
    Enables the storage of data from non-interactive SSH commands.

[sshmitm.plugins.scp.rewrite_command:SCPRewriteCommand]
[sshmitm.plugins.scp.rewrite_command:SCPRewriteCommand]
scp-append-string =
scp-replace-string =
Options:
  • scp-append-string (string) –
    Specifies a string that will be appended to the existing SCP command during execution.

  • scp-replace-string (string) –
    Specifies a string that will replace the original SCP command during execution.

[sshmitm.plugins.scp.cve202229154:CVE202229154]
[sshmitm.plugins.scp.cve202229154:CVE202229154]
rsync-inject-file =
Options:
  • rsync-inject-file (string) –
    Specifies the path to the file that will be injected into the rsync command sent to the server. This option is required.

SFTP-Handler-Plugins

[sshmitm.plugins.sftp.store_file:SFTPHandlerStoragePlugin]
[sshmitm.plugins.sftp.store_file:SFTPHandlerStoragePlugin]
store-sftp-files = False
Options:
  • store-sftp-files (boolean) – True False
    Enables the storage of files transferred via SFTP (SSH File Transfer Protocol).

[sshmitm.plugins.sftp.replace_file:SFTPProxyReplaceHandler]
[sshmitm.plugins.sftp.replace_file:SFTPProxyReplaceHandler]
sftp-replace-file =
Options:
  • sftp-replace-file (string) –
    Specifies the path to the file that will be used for replacement during SFTP file transfers. This option is required.

[sshmitm.plugins.sftp.check_file:SFTPHandlerCheckFilePlugin]
[sshmitm.plugins.sftp.check_file:SFTPHandlerCheckFilePlugin]
clamav-socket = /tmp/clamd.sock
Options:
  • clamav-socket (string) – /tmp/clamd.sock
    Specifies the path to the ClamAV Unix domain socket used to scan transferred files via INSTREAM.
    Requires a running ClamAV daemon (clamd) with the socket accessible at the given path.

Port-Forwarding-Plugins

[sshmitm.plugins.tunnel.injectservertunnel:InjectableRemotePortForwardingForwarder]
[sshmitm.plugins.tunnel.injectservertunnel:InjectableRemotePortForwardingForwarder]
server-tunnel-net = 127.0.0.1
Options:
  • server-tunnel-net (string) – 127.0.0.1
    Specifies the local address or network interface where tunnel server sessions are served.

[sshmitm.plugins.tunnel.socks:SOCKSTunnelForwarder]
[sshmitm.plugins.tunnel.socks:SOCKSTunnelForwarder]
socks-listen-address = 127.0.0.1
socks5-username =
socks5-password =
Options:
  • socks-listen-address (string) – 127.0.0.1
    Specifies the listen address for the SOCKS server. Default is 127.0.0.1.

  • socks5-username (string) –
    Specifies the username for authenticating with the SOCKS5 server.

  • socks5-password (string) –
    Specifies the password for authenticating with the SOCKS5 server. Required if socks5-username is provided.