SSH, or the secure shell, is a way of controlling a computer remotely from a command-line interface. While the information exchanged in the SSH session is encrypted, it's easy to spy on an SSH session if you have access to the computer that's being logged in to. Using a tool called SSHPry, we can spy on and inject commands into the SSH sessions of any other user logged in to on the same machine.
For remote access needs like updating, running command-line tools, or other sorts of administrative maintenance, SSH has been the go-to for hackers and IT professionals alike. While SSH is an excellent way of accessing a device remotely over the network, users should assume no such protection when logging into a shared computer.
- Don't Miss: Track a Target Using Canary Token Tracking Links
While SSH is secure when used across a network, the same protection does not apply if you're logged into the same machine that an attacker has access to. Everything you type is visible to anyone who can access the machine either locally or remotely, making it easy for an attacker to either silently observe everything you do or inject their own commands.
The tool for spying on SSH sessions is called SSHPry2.0, and it first appeared during a CTF in which two players were both logged into the same Ubuntu computer via SSH. Each player was trying to kick the other one out and would identify the SSH process number of the other player and kick them out by killing process ID. While this worked, you couldn't see what your opponent is doing, and it gave you a pretty high chance of accidentally killing your own process and kicking yourself out.
SSHPry2.0 allows a hacker to identify all current SSH sessions and then casually drop in on any of them like it's a group chat. With SSHPry2.0, it's easier to just type "exit" into any SSH session you don't want running, as it will instantly disconnect the user.
- Don't Miss: Use SpiderFoot for OSINT Gathering
To follow along, you'll need to have at least two computers connected to the same network, with one running an SSH server for you to log in to. I recommend using Kali or Ubuntu as the target computer.
You'll also need to have Python installed on the computer you want to spy on SSH connections to. After that, you'll need to log in via SSH to your target computer twice, so that you can use one session to spy on the other.
First, we're going to open an SSH connection to our remote computer. Make sure SSH is working by running the following command.
~$ sudo service ssh status
You should see some output like below if SSH is working properly.
● ssh.service - OpenBSD Secure Shell server Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled) Active: active (running) since Sun 2019-07-28 12:47:07 PDT; 1 weeks 0 days ago Main PID: 980 (sshd) Tasks: 1 (limit: 4915) CGroup: /system.slice/ssh.service └─980 /usr/sbin/sshd -D
If SSH is up and running, get the IP address of your target computer by typing ifconfig or running an arp-scan from the attacker's computer.
Once you have the IP address of the computer you want to log in to, open a terminal window and type the following to log in, substituting the IP address of your device.
~$ ssh firstname.lastname@example.org
The default password to both Ubuntu and Kali should be "toor" so give that a try first. Otherwise, log in with whatever password you set on the target device.
Now, it's time to start a second SSH session. In a real-world scenario, this could be another employee or an attacker exploiting an SSH vulnerability. In a new terminal window, log in again with the same ssh email@example.com command, making sure you substitute in the IP address of the target.
Once you've got both sessions up and running, you have everything you need for one session to spy on the other.
To start spying on the other session, download SSHPry.20 by running the following command on the target computer.
~$ git clone https://github.com/nopernik/SSHPry2.0.git
From there, type cd SSHPry2.0 to go to the newly downloaded SSHpry directory.
Now, we can run the ./sshpry2.py with Python2 to get a list of available commands.
~$ sudo python ./sshpry2.py [sudo] password for toor: SSHPry2 SSH-TTY control by @nopernik 2017 Usage: sshpry2.py [OPTIONS] Args: --auto # Lazy mode, auto-attach to first found session --list # List available SSH Sessions --tty /dev/pts/XX # Point SSHPry to specific TTY --raw # Record and Play raw term output, no timing. --replay <file> # Replace previously recorded session. --speed 4 # Replay speed multiplier (Default: 4). ----- root privileges required! -----
Now that SSHPry is ready to go, we'll move on to detecting our target session.
Let's try detecting the other SSH session we have logged in. Run the ./sshpry2.py script again with Python2, but this time add the --list flag to show a list of active SSH sessions.
~$ sudo python ./sshpry2.py --list SSHPry2 SSH-TTY control by @nopernik 2017 [+] Getting available ssh connections... [+] Found active SSH connections: PID: 8960 | TTY: /dev/pts/3 (toor) [!] Choose yours with "--tty TTY" switch toor@toor:~/SSHPry2.0$
Here, we've detected a session actively logged in that's not our own! Now, we can drop in on this active session and see what's going on.
Now that we've verified that there is an active session, we can connect to it using the "auto" flag. Run the command below to try connecting automatically.
~$ sudo python ./sshpry2.py --auto
If there is another active connection, you should see a result like below. In the picture, the left side is the attacker, and the right side is the target logged in to the same computer.
Everything the target does is instantly mirrored to the attacker's screen. Of course, the reverse is true as well, so the attacker on the left can inject commands into the target on the right's SSH session as though their keyboard was attached to the target's computer.
To test out the connection, try typing something in either one of the logged-in sessions. They should mirror each other exactly.
There are a lot of useful applications for being able to slip into another active SSH session. One might be merely losing access to your own session due to a computer crashing or freezing, and wanting to pick up where you left off. Another might be wanting to check to ensure that no one besides you is logged into your computer via SSH. Finally, for pentesters looking for a way to escalate their post-exploitation kit, a little SSH espionage could go a long way to discovering new attack surfaces.
I hope you enjoyed this guide to dropping in on other user's SSH sessions with SSHPry.20! If you have any questions about this tutorial on SSH spying, leave a comment below, and feel free to reach me on Twitter @KodyKinzie.
Want to start making money as a white hat hacker? Jump-start your white-hat hacking career with our 2020 Premium Ethical Hacking Certification Training Bundle from the new Null Byte Shop and get over 60 hours of training from ethical hacking professionals.