Terrapin Attack Breaking Down SSH Security — Video Tutorial

Navigating the Terrapin Attack Landscape — Understanding, Detecting, and Mitigating SSH Vulnerabilities

Watch on YouTube · Read the written article

Tutorial summary

What you'll learn

Introduction
Terrapin Attack Overview
Implementation Flaws and Exploitation
Practical Considerations
Vulnerability Scanner
FAQs and Mitigation
Vulnerability and CVE Numbers
Attack Practicality and Naming
Responsible Disclosure Timeline
Links

Introduction SSH (Secure Shell) serves as a crucial internet standard, providing secure access to network services, including remote terminal login and file transfer across organizational networks and over 15 million servers on the open internet. Terrapin Attack Overview The Terrapin attack, a prefix truncation assault on the SSH protocol, disrupts the integrity of the secure channel by manipulating sequence numbers during the handshake. This manipulation allows an attacker to remove messages at the channel’s initiation, downgrading connection security by truncating extension negotiation messages. Such truncation can compromise client authentication algorithms and deactivate specific countermeasures in OpenSSH 9.5. Implementation Flaws and Exploitation Terrapin extends its impact by exploiting implementation flaws. Weaknesses in the AsyncSSH servers’ state machine enable attackers to sign a victim’s client into another account unnoticed, potentially granting Man-in-the-Middle capabilities within encrypted sessions and facilitating strong phishing attacks. Practical Considerations To execute the Terrapin attack, a Man-in-the-Middle attacker with network layer interception capabilities is required. The connection must be secured using ChaCha20-Poly1305 or CBC with Encrypt-then-MAC, a configuration found in the majority of real-world SSH sessions according to a comprehensive scan. Vulnerability Scanner A vulnerability scanner, provided in Go, enables users to assess SSH server or client vulnerability to the Terrapin attack. It checks for susceptible encryption modes and the support of the strict key exchange countermeasure, without executing the full attack. - https://github.com/RUB-NDS/Terrapin-Scanner/releases/latest - command line test for the host `rhel.example.com` ```bash ./Terrapin_Scanner_MacOS_arm64_darwin -connect rhel.example.com ``` - output for VULNERABLE host ```bash ================================================================================ ==================================== Report ==================================== ================================================================================ Remote Banner: SSH-2.0-OpenSSH_8.7 ChaCha20-Poly1305 support: true CBC-EtM support: false Strict key exchange support: false The scanned peer is VULNERABLE to Terrapin. Note: This tool is provided as is, with no warranty whatsoever. It determines the vulnerability of a peer by checking the supported algorithms and support for strict key exchange. It may falsely claim a peer to be vulnerable if the vendor supports countermeasures other than strict key exchange. For more details visit our website available at https://terrapin-attack.com ``` - usage ```bash Terrapin Vulnerability Scanner v1.1.0 Usage of ./Terrapin_Scanner_MacOS_arm64_darwin: -connect string Address to connect to for server-side scans. Format: <host>[:port] -help Prints this usage help to the user.

About this tutorial

Author: Luca Berton
Difficulty: Beginner
Read time: 4 min
Category: troubleshooting

Topics covered

Related video tutorials