Subterfuge: The Automated Man-in-the-Middle Attack Framework
Introduction
Browsing the internet through untrustworthy public networks, whether wired or wireless, has long been known to be risky. We all think twice
before logging into our bank account or accessing any kind of sensitive information, but what about simply browsing our favourite site?
A Man-in-the-Middle (MITM) attack is one in which an attacker places themselves between two communicating parties, here by assuming the role of the
default gateway so that all traffic in both directions passes through the attacker's machine. A MITM position lets the attacker eavesdrop on the
conversation between the parties, or actively tamper with it to achieve some illegitimate end. This is a very serious attack and, on a local network,
a very easy one to perform.
In the image above you will notice that the attacker has inserted themselves into the flow of traffic between client and server. Having intruded into
the communication between the two endpoints, the attacker can read the data transferred between them and inject false information.
Subterfuge
Subterfuge is a simple but devastatingly effective credential-harvesting program, which exploits the lack of authentication in the inherently trusting
Address Resolution Protocol. Subterfuge provides the framework by which users can then leverage a MITM attack to do anything from browser/service
exploitation to credential harvesting, thus equipping information and network security professionals and enthusiasts alike with a sleek "push-button"
security validation tool.
Subterfuge is written in Python and uses a SQLite database. ARPSpoof from the Dsniff suite is used to poison the target network. Subterfuge also uses
SSLStrip to collect credentials that the victim would otherwise have sent over an HTTPS (SSL/TLS) connection.
Why Subterfuge?
Subterfuge has a sleek web-based interface that lets a user deploy the software quickly and easily without editing complex text-based configuration
files. Subterfuge automates the configuration process or, alternatively, streamlines it with a Graphical User Interface (GUI). It also lets the user
view a report of all the credentials that were harvested.
Subterfuge builds on existing tools: SSLStrip, Evilgrade and ARPSpoof.
SSLStrip is a tool written by Moxie Marlinspike. It sits as a transparent proxy between the victim and the internet, lets the victim connect over plain
HTTP, and rewrites every https:// link and redirect in the server's responses to http://, while itself talking HTTPS to the real server. The victim
therefore submits credentials in plaintext to the proxy, which logs them and forwards the request to the originally intended HTTPS site, so the page
still works. The attack depends on the victim's first request being plain HTTP: a browser that already knows a site is HTTPS-only through HTTP Strict
Transport Security (HSTS), whether from a previous visit or from its preload list, upgrades the request itself and never sends the plaintext the proxy
needs.
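As an added illustration of that rewriting (example code written for this page, not SSLStrip's or Subterfuge's own), the following models the two halves of the downgrade, rewriting the server's response and re-upgrading the victim's later plaintext request, together with an HSTS-aware client that refuses to be downgraded. The host example.test and the sample response are constructed.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: a response the real server might return to a victim who
# reached http://example.test/ over plain HTTP while the attacker is proxying.
SAMPLE_RESPONSE_HEADERS = {
    "Location": "https://example.test/login",
    "Strict-Transport-Security": "max-age=31536000",
    "Content-Type": "text/html",
}
SAMPLE_RESPONSE_BODY = (
    '<a href="https://example.test/login">Sign in</a> '
    '<form action="https://example.test/auth" method="post">'
)

# Matches https://host[:port]; group 1 is the host part we remember.
HTTPS_URL = re.compile(r"https://([A-Za-z0-9.\-]+(?::\d+)?)")


class DowngradingProxy:
    """Models the sslstrip behaviour described above.

    Every https:// URL in a response is rewritten to http:// before it reaches
    the victim, and the host is remembered so the proxy can re-upgrade the
    victim's later plaintext request to HTTPS towards the real server.
    """

    def __init__(self):
        self.stripped_hosts = set()

    def rewrite_response(self, headers, body):
        out_headers = {}
        for name, value in headers.items():
            # The HSTS header is dropped so the browser never learns that the
            # site must only be loaded over HTTPS.
            if name.lower() == "strict-transport-security":
                continue
            out_headers[name] = self._strip(value)
        return out_headers, self._strip(body)

    def _strip(self, text):
        def repl(match):
            self.stripped_hosts.add(match.group(1).lower())
            return "http://" + match.group(1)
        return HTTPS_URL.sub(repl, text)

    def upstream_url(self, victim_url):
        """The victim sends http://host/path; the proxy fetches https://host/path
        if it stripped that host earlier, otherwise forwards plain HTTP as-is."""
        parts = urlsplit(victim_url)
        if parts.scheme == "http" and parts.netloc.lower() in self.stripped_hosts:
            return urlunsplit(("https",) + tuple(parts[1:]))
        return victim_url


class HstsAwareBrowser:
    """The caveat: a browser that already knows the host is HSTS (from a prior
    visit or the preload list) rewrites http:// to https:// itself before
    sending, so the stripped link never produces a plaintext request."""

    def __init__(self, known_hsts_hosts=()):
        self.hsts_hosts = {h.lower() for h in known_hsts_hosts}

    def request_url(self, url):
        parts = urlsplit(url)
        if parts.scheme == "http" and parts.netloc.lower() in self.hsts_hosts:
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url


if __name__ == "__main__":
    proxy = DowngradingProxy()
    headers, body = proxy.rewrite_response(SAMPLE_RESPONSE_HEADERS, SAMPLE_RESPONSE_BODY)
    print("victim sees:", headers, body)
    print("proxy fetches:", proxy.upstream_url("http://example.test/auth"))
    print("HSTS browser sends:", HstsAwareBrowser(["example.test"]).request_url("http://example.test/login"))
```

The proxy only ever sees plaintext from a browser with no HSTS knowledge of the host; the second class is why a first visit over an untrusted network, to a site not on the preload list, is the realistic window for this attack.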
Evilgrade is a modular framework that lets us take advantage of poor update implementations by injecting fake updates. Each module implements the
structure needed to emulate a fake update server for a specific application.
ARPSpoof is a simple tool that lets a user masquerade as the network gateway by continuously sending forged ARP replies. These cause the attacker's
MAC address to be associated with the IP address of the default gateway in the victim's ARP cache, so the victim's outbound traffic is delivered to the
attacker. To intercept both directions the gateway is poisoned the same way with the victim's IP, and the attacker must enable IP forwarding so the
relayed traffic still reaches its destination; otherwise the victim simply loses connectivity, which is the first thing a user notices.
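To show what those forged replies look like on the wire, and how a defender spots them, here is an added example (not arpspoof's or Subterfuge's code) that builds an ARP "is-at" frame with the standard library, parses it back, and keeps a small gateway watch that alerts when the gateway IP is suddenly claimed by a different MAC. All addresses are constructed.

```python
import struct

ETH_P_ARP = 0x0806   # EtherType for ARP
ARP_REPLY = 2        # ARP opcode "is-at"


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet header + 28-byte ARP reply. arpspoof sends this to the victim
    with sender_ip = gateway IP and sender_mac = attacker MAC, so the victim's
    cache maps the gateway IP to the attacker."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)   # Ethernet, IPv4, hlen, plen, op
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of an Ethernet frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None
    return {
        "op": op,
        "sender_mac": mac_str(frame[22:28]),
        "sender_ip": ip_str(frame[28:32]),
        "target_mac": mac_str(frame[32:38]),
        "target_ip": ip_str(frame[38:42]),
    }


class ArpWatch:
    """Minimal arpwatch-style detector: remember the first MAC seen for each IP
    (seeded with the known gateway) and alert when a later ARP packet claims
    that IP from a different MAC, which is exactly what poisoning produces."""

    def __init__(self, gateway_ip, gateway_mac):
        self.table = {gateway_ip: gateway_mac.lower()}
        self.alerts = []

    def observe(self, frame):
        pkt = parse_arp(frame)
        if pkt is None:
            return None
        known = self.table.get(pkt["sender_ip"])
        if known is not None and known != pkt["sender_mac"]:
            alert = (f"ARP spoof: {pkt['sender_ip']} claimed by {pkt['sender_mac']} "
                     f"(expected {known})")
            self.alerts.append(alert)
            return alert
        self.table.setdefault(pkt["sender_ip"], pkt["sender_mac"])
        return None


if __name__ == "__main__":
    # Constructed addresses: a real gateway, a victim, and an attacker.
    legit = build_arp_reply("00:11:22:33:44:55", "192.168.1.1", "aa:bb:cc:dd:ee:ff", "192.168.1.10")
    spoof = build_arp_reply("de:ad:be:ef:00:01", "192.168.1.1", "aa:bb:cc:dd:ee:ff", "192.168.1.10")
    watch = ArpWatch("192.168.1.1", "00:11:22:33:44:55")
    print(watch.observe(legit))   # None: matches the known gateway MAC
    print(watch.observe(spoof))   # alert: gateway IP now claimed by the attacker MAC
```

A production detector would also watch for the reverse poison (the victim's IP claimed towards the gateway) and for reply floods with no matching request; the per-IP MAC check alone already catches the basic arpspoof run.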
Subterfuge Advantages over other MITM Tools
- Intuitive Interface
- Easy to Use
- Silent and Stealthy
- Open Source
Modules in subterfuge
Subterfuge contains several modules. These let you customise your attack vectors, and multiple modules can be run simultaneously. The modules in
Subterfuge are as follows:
- Network View
The Network View shows you everything happening on the network and lets you quickly and easily launch advanced attack vectors.
- User Credential Harvester
The User Credential Harvester is the default module for Subterfuge. It transparently downgrades an HTTPS session and steals user login credentials.
This runs automatically when you hit "Start".
- Module Builder
Module Builder allows you to create your own modules, so you can integrate your own attack code into the framework.
- Tunnel Block
This module blocks all attempts to escape the MITM position through encrypted tunnelling protocols such as VPNs and SSH. HTTPS itself is not blocked
by this module, because SSLStrip already runs automatically with Subterfuge. Tunnel Block prevents the following protocols: PPTP, Cisco IPSec, L2TP,
OpenVPN, SSH.
- A separate module disconnects a client from the network.
- HTTP Code Injection
Subterfuge's HTTP Code Injection module lets a user inject custom payloads directly into a target's browsing session. Payloads can be anything from
simple JavaScript/HTML injections to browser exploits.
- Session Hijacking
The session hijacking plug-in allows a user to masquerade as the victim within the hijacked session. The attack works by stealing the cookie used to
authenticate to a web service, which the MITM position exposes whenever the cookie is sent over plain HTTP.
- Evilgrade update exploitation
Evilgrade is a tool that allows a user to spoof an update server on the network. When a victim starts a program, it automatically checks whether updates
exist. Evilgrade steps into this process and sends the victim a malicious payload in place of the genuine update.
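The update flow Evilgrade abuses, as an added example rather than the tool's own code: an insecure client that trusts whatever manifest the "update server" returns, beside a client that checks a signature over the manifest first. The manifests, hostnames and key are constructed; an HMAC stands in for the asymmetric signature a real update framework would use, which is an assumption made only to keep the example dependency-free.

```python
import hashlib
import hmac
import json

# Constructed samples (not real vendors or hosts). The genuine manifest is what
# the vendor's update server would return; the spoofed one is what an
# evilgrade-style module hands the victim once the update check has been
# redirected to the attacker by the MITM.
GENUINE_MANIFEST = {
    "name": "demoapp",
    "version": "2.1.0",
    "url": "https://updates.vendor.example/demoapp-2.1.0.exe",
}
SPOOFED_MANIFEST = {
    "name": "demoapp",
    "version": "9.9.9",
    "url": "http://10.0.0.5/demoapp-update.exe",
}

# Stand-in for the vendor's signing key (assumption for this example). A real
# update framework uses an asymmetric signature so the client holds only a
# public key; HMAC is used here purely to avoid third-party dependencies.
VENDOR_KEY = b"vendor-signing-key-demo"


def parse_version(version):
    return tuple(int(part) for part in version.split("."))


def sign_manifest(manifest, key):
    # Canonical JSON so signer and verifier hash identical bytes.
    data = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_manifest(manifest, signature, key):
    return hmac.compare_digest(sign_manifest(manifest, key), signature)


def pick_update_insecure(installed_version, manifest):
    """Vulnerable client: any manifest that claims a newer version is accepted
    and its URL is downloaded and executed. Nothing ties the manifest to the
    vendor, which is the weakness Evilgrade's modules rely on."""
    if parse_version(manifest["version"]) > parse_version(installed_version):
        return manifest["url"]
    return None


def pick_update_verified(installed_version, manifest, signature, key):
    """Hardened client: refuse the manifest unless its signature checks out,
    then apply the same version comparison. A spoofed manifest carries no
    valid signature, so no update URL is returned and the payload is never fetched."""
    if not verify_manifest(manifest, signature, key):
        return None
    return pick_update_insecure(installed_version, manifest)


if __name__ == "__main__":
    sig = sign_manifest(GENUINE_MANIFEST, VENDOR_KEY)
    print("insecure client downloads:", pick_update_insecure("2.0.0", SPOOFED_MANIFEST))
    print("verified client, genuine :", pick_update_verified("2.0.0", GENUINE_MANIFEST, sig, VENDOR_KEY))
    print("verified client, spoofed :", pick_update_verified("2.0.0", SPOOFED_MANIFEST, sig, VENDOR_KEY))
```

Note that the signature must cover the version and the download URL together, and the downloaded file should be checked against a digest inside the signed manifest; otherwise an attacker in the MITM position can still swap the payload even when the manifest itself is authentic.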
Setting Menu
Subterfuge will attempt to auto-configure for your network. If it fails to configure the network automatically, you can go to the Settings menu and
configure it manually. The Settings menu lets you control and fine-tune the different aspects of your attack, so whether you are a new user or a
seasoned veteran you have full control over Subterfuge.
Conclusion
Subterfuge is an automated Man-in-the-Middle attack framework. It allows a user to circumvent many security protocols and policies on a computer
network with ease, and with devastating results for the victims. Subterfuge removes much of the complexity of performing man-in-the-middle attacks
with the individual existing tools and makes it far easier to launch the various forms of MITM. Subterfuge collects user information and credentials on
the network to which the victims are connected. A Subterfuge user ought to be able to steal credentials without the victim's knowledge, even from sites
that use a secure protocol such as HTTPS, as long as the victim's browser can be made to start the session over plain HTTP.
References
- http://subterfuge.googlecode.com/