Spoofing git clone (SSH Protocol)

[aabusai1]

Hello,
any idea if i can spoof what users are trying to clone using git clone cmd ? ? I'm struggling figuring out my git/ssh config to use with ssh-mitm.

Thanks

[manfred-kaiser]

When git is used over SSH, SSH-MITM is able to intercept the connection.

Intercept git over SSH

In most cases, publickey authentication is used to authenticate against the remote server. To intercept the whole connection, you have to start git with agent forwarding configured. This can be done with the GIT_SSH_COMMAND environment variable.

Following setup can intercept the connection to github and prints the data as hexdump.

# start the ssh server
ssh-mitm server --remote-host github.com --scp-interface debug_traffic

# invoke git commands
GIT_SSH_COMMAND="ssh -A" git clone ssh://git@127.0.0.1:10022/ssh-mitm/ssh-mitm.git

Note: For testing purposes against Github you should use a ssh-agent with a single key. SSH-MITM tries to detect, if the intercepted user is allowed to login on the remote server with publickey authentication. Github only allows a small amount of those lookups and too many lookups can result in failed login attempts, even if the user is allowed to login over ssh.

manipulate a git repository during git clone

Git has some security features which makes it hard to manipulate a git repository during git operations. For example you can rewrite the git history or add some new commits, but it's likely that this will be detected. If the client tires to update from a rewritten history, this will not work by default. Adding new commits can work as long as the commits are not signed and the user does not read commit messages.

SSH-MITM is able to read and modify the content. This allows SSH-MITM to modify the data which is sent to the client.

You have 2 options to create fake commits:

1. modify the data with SSH-MITM -> this is very difficult and you need to write a specific plugin for git.
2. redirect the traffic to another git server, where you have a modified version of the git repository.

Why is git not supported by SSH-MITM

git is an application similar to SCP or rsync. Those applications establish a connection over ssh and a server application is executed. The client is communication over SSH with the server part.

SSH-MITM is able to read and modify the raw data, which is transmitted over SSH. For a deeper integration with the application specific plugins must be created. This was done for SCP, because SCP is related to SSH, but the SCP protocol had to be implemented in SSH-MITM to understand the file transfer.

git is a complex application and implementing the whole communication in SSH-MITM is out of scope. SSH-MITM primary goal is to provide a tool for SSH audits and not for specific applications like git.

It's the same reasons why Burp Suit (HTTP man in the middle proxy) is able to read and modify data from git operations, but does not understand git over HTTPS itself.

[aabusai1]

Thanks for the reply. I was hoping to simply use local port forwarding (22:localhost:10027) with locally running ssh-mitm server to be able to intercept the clone request. I would appreciate your help if you can point me to any tool to achieve above.

thanks again!

[manfred-kaiser]

What do you want to achieve with this setup?
Do you want to intercept git users in a network (e.g. public wifi) or do you want to audit the git application or a git server?

SSH-MITM is an audit tool. You can use it for red team actions, but it's not the primary goal. It's more like "Burp Suite" for SSH and should be used to intercept single connections and not for whole networks.

Audit a specific git client or server

If you want to audit a git client, you have several options. There are more ssh and git implementations than OpenSSH and git.

If you want to audit a client, you can configure the client to use SSH-MITM. Most clients should support differnt ports and I recomment using SSH-MITM's default port. In cases, where you need port 22, you can start SSH-MITM with the argument ssh-mitm server --listen-port 22

Most clients only support publickey authentication. So you need to trick the client to forward the agent:
GIT_SSH_COMMAND="ssh -A" git clone ssh://git@127.0.0.1:10022/ssh-mitm/ssh-mitm.git

If agent forwarding is not possible you can provide a fallback host and fallback credentials.

$ ssh-mitm server --remote-host 192.168.0.x \
    --enable-auth-fallback \
    --fallback-host HONEYPOT \
    --fallback-username HONEYPOT_USER \
    --fallback-password HONEYPOT_PASSWORD

This will try to login to the remote server 192.168.0.x. If the client is allowed to login, but login is not possible because of a missing agent SSH-MITM redirects the client to a honeypot. At the moment SSH-MITM only supports password authentication for the honeypot, but this is sufficient for most audits and the client is happy because publickey authentication was possible.

Intercept whole network

If you want to intercept a whole network, you can try the transparent mode (experimental and unsupported), which is documented in the docs: https://docs.ssh-mitm.at/user_guide/advanced-usage.html
Please understand, that I can not provide support for the transparent mode. Each setup is different and takes a lot of time to configure. Perhaps you can ask for help in a different forum like https://security.stackexchange.com/

Intercepting git users over SSH might not be possible, because most of them are using publickey authentication without agent forwarding. See docs about authentication: https://docs.ssh-mitm.at/user_guide/authentication.html and https://docs.ssh-mitm.at/user_guide/sshagent.html

Alternatives

If you want to intercept git and HTTP/HTTPS is an option, you should try to intercept the connection with a HTTP man in the middle server. In most cases the clients requires a token and such tokens can be intercepted.

But even if you are intercepting the connection with HTTPS, you have the problem to understand the git protocol.

[manfred-kaiser]

I found your discussion in the mitmproxy repo: mitmproxy/mitmproxy#5518

Perhaps you should try to intercept the git repository over HTTP with this tool

[manfred-kaiser]

I was hoping to simply use local port forwarding (22:localhost:10027) with locally running ssh-mitm server to be able to intercept the clone request. I would appreciate your help if you can point me to any tool to achieve above.

There are no tools to modify the git protocol itself. When talking about git, there are 2 kinds of protocols.

The first one is the protocol, which is used to communicate with the git server. There are HTTP and SSH defined.
You can find more information about this in the git book: https://git-scm.com/book/en/v2/Git-on-the-Server-The-Protocols
For HTTP, there are many tools, which can be used to intercept the traffic. For SSH, there is only SSH-MITM. You can try other mitm servers for SSH, but most of them are not capable to read and modify the data.

The second is the git protocol itself. This is described in: https://git-scm.com/book/en/v2/Git-Internals-Transfer-Protocols
This is the part, which has to be implemented, if you want to spoof git repositories. 😉

Example: intercepting git clone

Start SSH-MITM with the plugin to print the intercepted traffic as hex dump:

ssh-mitm server --remote-host 192.168.x.x --remote-port 22 --scp-interface debug_traffic

Connect the client to SSH-MITM with agent forwarding enabled, which is required to intercept publickey auhtentication:

GIT_SSH_COMMAND="ssh -A" git clone ssh://git@127.0.0.1:10022/username/repository.git

Output of SSH-MITM:

This is described in: https://git-scm.com/book/en/v2/Git-Internals-Transfer-Protocols

To modify the data, you need a plugin which is able to understand the structure of a git repository.
This plugin can modify the data, which is sent to the client.

Server data:
0000:    30 30 66 32 65 39 31 62 33 36 62 30 66 35 31 65    00f2e91b36b0f51e
0010:    31 38 30 39 63 65 30 34 61 30 36 32 33 65 30 39    1809ce04a0623e09
0020:    35 65 30 36 35 62 32 39 36 66 33 61 20 48 45 41    5e065b296f3a HEA
0030:    44 00 6d 75 6c 74 69 5f 61 63 6b 20 74 68 69 6e    D.multi_ack thin
0040:    2d 70 61 63 6b 20 73 69 64 65 2d 62 61 6e 64 20    -pack side-band 
0050:    73 69 64 65 2d 62 61 6e 64 2d 36 34 6b 20 6f 66    side-band-64k of
0060:    73 2d 64 65 6c 74 61 20 73 68 61 6c 6c 6f 77 20    s-delta shallow 
0070:    64 65 65 70 65 6e 2d 73 69 6e 63 65 20 64 65 65    deepen-since dee
0080:    70 65 6e 2d 6e 6f 74 20 64 65 65 70 65 6e 2d 72    pen-not deepen-r
0090:    65 6c 61 74 69 76 65 20 6e 6f 2d 70 72 6f 67 72    elative no-progr
00A0:    65 73 73 20 69 6e 63 6c 75 64 65 2d 74 61 67 20    ess include-tag 
00B0:    6d 75 6c 74 69 5f 61 63 6b 5f 64 65 74 61 69 6c    multi_ack_detail
00C0:    65 64 20 73 79 6d 72 65 66 3d 48 45 41 44 3a 72    ed symref=HEAD:r
00D0:    65 66 73 2f 68 65 61 64 73 2f 6d 61 73 74 65 72    efs/heads/master
00E0:    20 61 67 65 6e 74 3d 67 69 74 2f 32 2e 31 31 2e     agent=git/2.11.
00F0:    30 0a 30 30 33 66 65 39 31 62 33 36 62 30 66 35    0.003fe91b36b0f5
0100:    31 65 31 38 30 39 63 65 30 34 61 30 36 32 33 65    1e1809ce04a0623e
0110:    30 39 35 65 30 36 35 62 32 39 36 66 33 61 20 72    095e065b296f3a r
0120:    65 66 73 2f 68 65 61 64 73 2f 6d 61 73 74 65 72    efs/heads/master
0130:    0a 30 30 30 30                                     .0000
Client data:
0000:    30 30 39 30 77 61 6e 74 20 65 39 31 62 33 36 62    0090want e91b36b
0010:    30 66 35 31 65 31 38 30 39 63 65 30 34 61 30 36    0f51e1809ce04a06
0020:    32 33 65 30 39 35 65 30 36 35 62 32 39 36 66 33    23e095e065b296f3
0030:    61 20 6d 75 6c 74 69 5f 61 63 6b 5f 64 65 74 61    a multi_ack_deta
0040:    69 6c 65 64 20 73 69 64 65 2d 62 61 6e 64 2d 36    iled side-band-6
0050:    34 6b 20 74 68 69 6e 2d 70 61 63 6b 20 6f 66 73    4k thin-pack ofs
0060:    2d 64 65 6c 74 61 20 64 65 65 70 65 6e 2d 73 69    -delta deepen-si
0070:    6e 63 65 20 64 65 65 70 65 6e 2d 6e 6f 74 20 61    nce deepen-not a
0080:    67 65 6e 74 3d 67 69 74 2f 32 2e 33 34 2e 31 0a    gent=git/2.34.1.
0090:    30 30 33 32 77 61 6e 74 20 65 39 31 62 33 36 62    0032want e91b36b
00A0:    30 66 35 31 65 31 38 30 39 63 65 30 34 61 30 36    0f51e1809ce04a06
00B0:    32 33 65 30 39 35 65 30 36 35 62 32 39 36 66 33    23e095e065b296f3
00C0:    61 0a 30 30 30 30 30 30 30 39 64 6f 6e 65 0a       a.00000009done.
Server data:
0000:    30 30 30 38 4e 41 4b 0a 30 30 32 30 02 43 6f 75    0008NAK.0020.Cou
0010:    6e 74 69 6e 67 20 6f 62 6a 65 63 74 73 3a 20 34    nting objects: 4
0020:    2c 20 64 6f 6e 65 2e 0a 30 30 36 65 02 43 6f 6d    , done..006e.Com
0030:    70 72 65 73 73 69 6e 67 20 6f 62 6a 65 63 74 73    pressing objects
0040:    3a 20 20 33 33 25 20 28 31 2f 33 29 20 20 20 0d    :  33% (1/3)   .
0050:    43 6f 6d 70 72 65 73 73 69 6e 67 20 6f 62 6a 65    Compressing obje
0060:    63 74 73 3a 20 20 36 36 25 20 28 32 2f 33 29 20    cts:  66% (2/3) 
0070:    20 20 0d 43 6f 6d 70 72 65 73 73 69 6e 67 20 6f      .Compressing o
0080:    62 6a 65 63 74 73 3a 20 31 30 30 25 20 28 33 2f    bjects: 100% (3/
0090:    33 29 20 20 20 0d 30 30 32 63 02 43 6f 6d 70 72    3)   .002c.Compr
00A0:    65 73 73 69 6e 67 20 6f 62 6a 65 63 74 73 3a 20    essing objects: 
00B0:    31 30 30 25 20 28 33 2f 33 29 2c 20 64 6f 6e 65    100% (3/3), done
00C0:    2e 0a 30 36 37 33 01 50 41 43 4b 00 00 00 02 00    ..0673.PACK.....
00D0:    00 00 04 9b 0c 78 9c a5 cc 4d 0a c2 30 10 40 e1    .....x...M..0.@.
00E0:    7d 4e 31 7b a1 a4 93 9f 52 10 e9 56 c4 43 4c d3    }N1{....R..V.CL.

[aabusai1]

Thanks for replying back and all the helpful information you provided. Only i want to do is audit git users and figure out what domain + repo they are trying to access (on a local host). One way i found out to do this is through enabling GIT_TRACE and dump the output to a file for later parsing.

Thanks again for all your help...

[hc-dev991]

Hello @manfred-kaiser,

Your post about ssh-mitm around git audits was pretty helpful.
I was able to configure ssh-mitm to audit git clone commands to github remote repo from my local, using configs mentioned in this thread as well as in https://docs.ssh-mitm.at/user_guide/advanced-usage.html.
However, when trying to do writes on the same branch (tracking github remote branch), git push fails with error:

fatal: the remote end hung up unexpectedly

and on the ssh-mitm process, the output was

                    INFO     ℹ b72e07c7-b16d-4da6-b491-420063043d9c - session
                             started
                    INFO     got remote command: git-receive-pack '/user/foo.git'
Server data:
...
Client data:
...
[02/22/23 17:28:08] INFO     ℹ session b72e07c7-b16d-4da6-b491-420063043d9c closed

note: not seeing the remote command exit code, while I was expecting something like

remote command: git-receive-pack '/user/foo.git' exited with code: 0

Question:

• is this expected that ssh-mitm does not work for git push?
• why does git clone working but not git push? Is it because ssh-mitm implements some of the git protocol but not all?

Appreciate your help!

[manfred-kaiser]

@hc-dev991 thanks for the feedback. I have created an issue ticket for this problem: #131

Intercepting git should work in both ways. The connection is not terminated properly. I suspect that SSH-MITM terminates the connection but either the server or the client must terminate it.

I will look into the problem as soon as I have time.