terrapinattack.py is a Proof of Concept (PoC) script written in Python that demonstrates the SSH Prefix Truncation Attack (Terrapin). The script runs as an active Man-in-the-Middle (MitM) proxy that manipulates SSH packet sequence numbers during the handshake so that the peers silently lose security-relevant handshake messages.
The script exploits a weakness in the SSH Binary Packet Protocol (BPP) through three core manipulations:
- Handshake Interception: the proxy acts as a bridge between the SSH client and the target server, listening on a configurable port (default: 2222).
- Sequence Number Injection: the proxy detects the `KEXINIT` packet (type 20) and injects an `SSH_MSG_IGNORE` packet to intentionally shift the sequence number on the client side.
- Prefix Truncation: once encryption is initialized, the proxy identifies the `EXT_INFO` packet (type 7). Because of the pre-injected sequence shift, the proxy can drop this packet without immediately breaking the connection. The result is the loss of modern security extensions (such as keystroke timing protection).
Requirements:
- Python 3.x (no external dependencies; uses the built-in `socket` and `select` modules).
- A target SSH server that offers `ChaCha20-Poly1305` or `CBC-EtM` ciphers and has not implemented Strict Key Exchange.
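The two server-side conditions above can be checked from a server's own `KEXINIT` without running the proxy. The following audit helper is an added example, not part of terrapinattack.py: it parses the ten name-lists of a KEXINIT payload (RFC 4253 format), treats the `kex-strict-s-v00@openssh.com` marker as "Strict Key Exchange implemented", and otherwise reports whether a vulnerable cipher/MAC combination is offered. `build_kexinit` only constructs test payloads; the field names are the example's own.

```python
import struct

SSH_MSG_KEXINIT = 20
STRICT_KEX_SERVER = "kex-strict-s-v00@openssh.com"  # server-side strict-kex marker

def _name_list(buf, off):
    """Read one SSH name-list: uint32 length followed by comma-separated names."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    names = buf[off:off + n].decode("ascii")
    return [x for x in names.split(",") if x], off + n

def parse_kexinit(payload):
    """Parse the ten name-lists of a KEXINIT payload into a dict (keys are ours)."""
    if payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    off = 1 + 16  # message type byte + 16-byte random cookie
    fields = ["kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
              "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]
    out = {}
    for f in fields:
        out[f], off = _name_list(payload, off)
    return out

def terrapin_exposure(kexinit):
    """Return the reasons a server KEXINIT is exposed; an empty list means not exposed."""
    k = parse_kexinit(kexinit)
    if STRICT_KEX_SERVER in k["kex"]:
        return []  # strict kex resets sequence numbers, so injected packets are detected
    reasons = []
    enc = set(k["enc_c2s"]) | set(k["enc_s2c"])
    mac = set(k["mac_c2s"]) | set(k["mac_s2c"])
    if "chacha20-poly1305@openssh.com" in enc:
        reasons.append("chacha20-poly1305@openssh.com offered")
    if any(c.endswith("-cbc") for c in enc) and any(m.endswith("-etm@openssh.com") for m in mac):
        reasons.append("CBC cipher with EtM MAC offered")
    return reasons

def build_kexinit(kex, enc, mac):
    """Construct a KEXINIT payload for offline testing (constructed input, not captured traffic)."""
    def nl(names):
        s = ",".join(names).encode("ascii")
        return struct.pack(">I", len(s)) + s
    body = bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16  # zero cookie is fine for a test payload
    body += nl(kex) + nl(["ssh-ed25519"]) + nl(enc) + nl(enc) + nl(mac) + nl(mac)
    body += nl(["none"]) * 2 + nl([]) * 2 + b"\x00" + struct.pack(">I", 0)
    return body
```

On a live server the same check applies to the KEXINIT the server sends right after the version exchange; a non-empty result means the fix is to enable strict key exchange or remove the affected ciphers from `Ciphers`/`MACs` in sshd_config.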
Edit the target parameters in the call at the bottom of the script (listen port, target host, target port):
`terrapin_proxy(2222, 'target.server.id', 22)`