SSH, or the secure shell, is a way of controlling a computer remotely from a command-line interface. While the information exchanged in an SSH session is encrypted in transit, it's easy to spy on an SSH session if you have access to the computer that's being logged in to. Using a tool called SSHPry, we can spy on and inject commands into the SSH sessions of any other user logged in to the same machine.
For remote access needs like updating, running command-line tools, or other sorts of administrative maintenance, SSH has been the go-to for hackers and IT professionals alike. While SSH is an excellent way of accessing a device remotely over the network, users should assume no such protection when logging into a shared computer.
SSH Isn't So Secure on a Shared Machine
While SSH is secure when used across a network, the same protection does not apply if you're logged into the same machine that an attacker has access to. Everything you type is visible to anyone who can access the machine either locally or remotely, making it easy for an attacker to either silently observe everything you do or inject their own commands.
The tool for spying on SSH sessions is called SSHPry2.0, and it first appeared during a CTF in which two players were both logged into the same Ubuntu computer via SSH. Each player was trying to kick the other one out: they would identify the SSH process number of the other player and kick them out by killing that process ID. While this worked, you couldn't see what your opponent was doing, and it gave you a pretty high chance of accidentally killing your own process and kicking yourself out.
SSHPry2.0 allows a hacker to identify all current SSH sessions and then casually drop in on any of them like it's a group chat. With SSHPry2.0, it's easier to just type "exit" into any SSH session you don't want running, as it will instantly disconnect the user.
What You'll Need
To follow along, you'll need to have at least two computers connected to the same network, with one running an SSH server for you to log in to. I recommend using Kali or Ubuntu as the target computer.
You'll also need to have Python installed on the computer whose SSH connections you want to spy on. After that, you'll need to log in via SSH to your target computer twice, so that you can use one session to spy on the other.
Log in to Your Linux Computer Remotely
First, we're going to open an SSH connection to our remote computer. Make sure SSH is working by running the following command.
~$ sudo service ssh status
You should see some output like below if SSH is working properly.
● ssh.service - OpenBSD Secure Shell server
Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled)
Active: active (running) since Sun 2019-07-28 12:47:07 PDT; 1 weeks 0 days ago
Main PID: 980 (sshd)
Tasks: 1 (limit: 4915)
CGroup: /system.slice/ssh.service
└─980 /usr/sbin/sshd -D
If SSH is up and running, get the IP address of your target computer by typing ifconfig or running an arp-scan from the attacker's computer.
Once you have the IP address of the computer you want to log in to, open a terminal window and type the following to log in, substituting the IP address of your device.
~$ ssh root@192.168.0.16
The default password to both Ubuntu and Kali should be "toor" so give that a try first. Otherwise, log in with whatever password you set on the target device.
Start a Second SSH Session
Now, it's time to start a second SSH session. In a real-world scenario, this could be another employee or an attacker exploiting an SSH vulnerability. In a new terminal window, log in again with the same ssh root@192.168.0.16 command, making sure you substitute in the IP address of the target.
Once you've got both sessions up and running, you have everything you need for one session to spy on the other.
Download SSHPry
To start spying on the other session, download SSHPry2.0 by running the following command on the target computer.
~$ git clone https://github.com/nopernik/SSHPry2.0.git
From there, type cd SSHPry2.0 to go to the newly downloaded SSHPry2.0 directory.
Now, we can run ./sshpry2.py with Python 2 to get a list of available commands.
~$ sudo python ./sshpry2.py
[sudo] password for toor:
SSHPry2 SSH-TTY control by @nopernik 2017
Usage: sshpry2.py [OPTIONS]
Args: --auto # Lazy mode, auto-attach to first found session
--list # List available SSH Sessions
--tty /dev/pts/XX # Point SSHPry to specific TTY
--raw # Record and Play raw term output, no timing.
--replay <file> # Replace previously recorded session.
--speed 4 # Replay speed multiplier (Default: 4).
----- root privileges required! -----
Now that SSHPry is ready to go, we'll move on to detecting our target session.
Detect Other Terminal Sessions
Let's try detecting the other SSH session we logged in with. Run the ./sshpry2.py script again with Python 2, but this time add the --list flag to show a list of active SSH sessions.
~$ sudo python ./sshpry2.py --list
SSHPry2 SSH-TTY control by @nopernik 2017
[+] Getting available ssh connections...
[+] Found active SSH connections:
PID: 8960 | TTY: /dev/pts/3 (toor)
[!] Choose yours with "--tty TTY" switch
toor@toor:~/SSHPry2.0$
Here, we've detected a session actively logged in that's not our own! Now, we can drop in on this active session and see what's going on.
Drop in on Another User's Terminal Session
Now that we've verified that there is an active session, we can connect to it using the --auto flag. Run the command below to try connecting automatically.
~$ sudo python ./sshpry2.py --auto
If there is another active connection, you should see a result like below. In the picture, the left side is the attacker, and the right side is the target logged in to the same computer.
Everything the target does is instantly mirrored to the attacker's screen. Of course, the reverse is true as well, so the attacker on the left can inject commands into the target's SSH session on the right as though their keyboard were attached to the target's computer.
To test out the connection, try typing something in either one of the logged-in sessions. They should mirror each other exactly.
SSHPry Works for Post-Exploitation or Detecting Intrusions
There are a lot of useful applications for being able to slip into another active SSH session. One might be merely losing access to your own session due to a computer crashing or freezing, and wanting to pick up where you left off. Another might be wanting to check to ensure that no one besides you is logged into your computer via SSH. Finally, for pentesters looking for a way to escalate their post-exploitation kit, a little SSH espionage could go a long way to discovering new attack surfaces.
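The "Detect Other Terminal Sessions" step and the intrusion-checking use just mentioned both come down to one defender's question on a shared host: which processes are attached to my session, and is anything watching it? The script below is an added example written for this article, not part of SSHPry2.0, and it makes no assumption about how that tool hooks a session; it lists every process holding a given pty open and flags holders that run as a different uid than the pty's owner and holders that are being ptrace-traced (a non-zero TracerPid in /proc/<pid>/status). All pids, names and uids used for testing it are constructed.

```python
"""Audit one pty on a shared Linux host: which processes hold it open, and is any
of them being ptrace-traced? Added for this article; not part of SSHPry2.0."""
import os, sys

def parse_status(text):
    """Extract Name, real Uid and TracerPid from a /proc/<pid>/status body."""
    fields = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return {"name": fields.get("Name", "?"),
            "uid": int(fields.get("Uid", "0").split()[0]),
            "tracer": int(fields.get("TracerPid", "0") or 0)}

def snapshot(proc="/proc"):
    """Build {pid: {name, uid, tracer, fds}} from a live /proc (root sees every fd table)."""
    procs = {}
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        try:
            with open(f"{proc}/{entry}/status") as fh:
                info = parse_status(fh.read())
            fd_dir = f"{proc}/{entry}/fd"
            info["fds"] = {os.readlink(f"{fd_dir}/{fd}") for fd in os.listdir(fd_dir)}
        except OSError:  # process exited, or its fd table is unreadable without root
            continue
        procs[int(entry)] = info
    return procs

def audit_tty(tty, owner_uid, procs):
    """Return (holder_pids, findings): holders not running as the tty owner, and
    holders with a non-zero TracerPid, are reported rather than silently dropped."""
    holders, findings = [], []
    for pid, info in sorted(procs.items()):
        if tty not in info["fds"]:
            continue
        holders.append(pid)
        if info["uid"] != owner_uid:
            findings.append(f"pid {pid} ({info['name']}, uid {info['uid']}) holds {tty}, which belongs to uid {owner_uid}")
        if info["tracer"]:
            findings.append(f"pid {pid} ({info['name']}) is traced by pid {info['tracer']}")
    return holders, findings

if __name__ == "__main__":  # usage: sudo python3 ptycheck.py "$(tty)"
    tty = sys.argv[1] if len(sys.argv) > 1 else os.ttyname(0)
    holders, findings = audit_tty(tty, os.stat(tty).st_uid, snapshot())
    print(f"{tty}: open in pids {holders}")
    print("\n".join(f"[!] {f}" for f in findings) or "[+] no foreign or traced holders")
```

On an ordinary session the holders are your shell, its children and the sshd process serving you; any other holder, and any non-zero TracerPid, deserves an explanation, while a clean result only rules out these two signs and is not proof that nobody with root is watching.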
I hope you enjoyed this guide to dropping in on other users' SSH sessions with SSHPry2.0! If you have any questions about this tutorial on SSH spying, leave a comment below, and feel free to reach me on Twitter @KodyKinzie.
Cover image and screenshots by Kody/Null Byte