Surfing the internet through untrustworthy public networks whether wired or wireless has been known to be risky for a long time now. We all think twice before logging into our bank account or accessing any kind of sensitive information, but what about simply browsing our favourite site?
A Man in the Middle Attack (MITM) is a type of attack in which an attacker assumes the role of the default gateway and captures all the traffic going to and fro. A MITM attack allows the attacker to eavesdrop on the conversation between the parties, or to actively intervene in the conversation to achieve some illegitimate end. This is a very serious attack and also very easy to perform.
In the image above you will notice that the attacker inserted him/herself in-between the flow of traffic between the client and server. Now that the attacker has intruded into the communication between the two endpoints, he/she can inject false information and intercept the data transferred between them.
Subterfuge is a simple but devastatingly effective credential-harvesting program, which exploits vulnerabilities in the inherently trusting Address Resolution Protocol. Subterfuge provides the framework by which users can then leverage a MITM attack to do anything from browser/service exploitation to credential harvesting, thus equipping information and network security professionals and enthusiasts alike with a sleek “push-button” security validation tool.
Subterfuge is developed with the Python programming language and uses a SQLite database. ARPSpoof from the Dsniff suite is used to poison the target network. Subterfuge also uses SSLStrip to collect user credentials that were sent over a secure socket layer (SSL) web connection.
Subterfuge has a sleek web-based interface to allow a user to deploy the software quickly and easily without editing sophisticated text-based configuration files. Subterfuge automates the configuration process, or, alternatively, streamlines it with a Graphical User Interface (GUI). It also allows the user to view a report of all the different credentials that were harvested.
Subterfuge uses software like SSLStrip, evilgrade and ARPSpoof. These will be given a brief introduction below.
SSLStrip is a tool written by Moxie Marlinspike. It basically reroutes encrypted HTTPS requests from network users to plaintext HTTP requests, effectively sniffing all credentials passed along the network via SSL. The way it does this is it lets users connect via HTTP, logs their information, and then redirects their connection to the originally-intended HTTPS server on the internet.
Evilgrade is a modular framework that allows us to take advantage of poor update implementations by injecting fake updates. It works with modules, each module implements the structure needed to emulate a false update of a specific application.
ARPSpoof is a simple tool that allows a user to masquerade as the network gateway by spamming ARP Packets. This causes their MAC Address to be associated with the IP address of the default gateway, thereby initiating a MITM connection.
Subterfuge Advantages over other MITM Tools
- Intuitive Interface
- Easy to Use
- Silent and Stealthy
- Open Source
Modules in Subterfuge
Subterfuge contains several modules in it. These help you to customise your attack vendors. Multiple modules can be run simultaneously. Modules in Subterfuge are as follows:
- Network View
The Network View allows you to see everything happening on the network. It allows you to quickly and easily launch advanced attack vectors.
- Credential Harvester
The User Credential Harvester is the default module for Subterfuge. It allows the user to transparently downgrade an HTTPS session and steal user login credentials. This runs automatically when you hit “Start.
- Module Builder
Module Builder allows you to create your own modules. You can integrate your own attack code into the framework.
- Tunnel Block
This module will block all attempts to avoid MITM Exploitation through encrypted tunnelling protocols like VPNs, SSH, and other encrypted protocols. SSLStrip is not included in this module, because SSLStrip automatically runs with Subterfuge. Tunnel Block will prevent the following protocols: PPTP, Cisco IPSec, L2TP, OpenVPN, SSH.
- Denial of Service
This module disconnects a client from the network.
- HTTP Code Injection
- Session Hijacking
The session hijacking plug-in will allow a user to masquerade as a victim within the session that was hijacked. This attack occurs by stealing the cookie used to authenticate into a web service.
- Evilgrade update exploitation
Evilgrade is a tool that allows a user to spoof an update server on the network. When a victim starts up a program it automatically looks to see if updates exist. Evilgrade steps into this process and sends the victim a malicious payload.
- Settings menu
Subterfuge will attempt to auto-configure for your network. If it fails to configure the network automatically, you can go to the settings menu and manually configure it. The settings menu allows you to control and fine-tune different aspects of your attack, so if you’re a new user or seasoned vet you have control over Subterfuge.
Subterfuge is an Automated Man-in-the-Middle Attack Framework. Subterfuge Framework allows a user to circumvent many security protocols and policies on a computer network with ease and with devastating results to the victims. Subterfuge largely transforms the complexity of performing the Man in the Middle Attacks with the other existing tools and makes it far easier to launch various forms of MITMs. Subterfuge collects user information and credentials on the network to which they are connected. A Subterfuge user ought to be able to steal user credentials, without the victim’s knowledge, even when using a secure protocol such as HTTPS.