Monthly Archives: March 2013

Appendices

Appendix A: Subterfuge Functions

Setting your SYS Path

In order to access the resources in Subterfuge's main directory, add the following to the top of your module:

import sys

sys.path.append('/usr/share/subterfuge/')
sys.path.append('/usr/share/subterfuge/utilities')

This adds the main Subterfuge directory as well as the primary utilities directory to your program's import path. From there you can import built-in functions and utilities without having to specify an absolute location every time.

How to Get Global Variables

Getting the global attack variables in Subterfuge is simple. Just add the following line to the header of your code:

from subutils import globalvars

The next step is to call the function and assign the output:

globalvar = globalvars()

The function globalvars() returns a dictionary of all of the attack variables read from the database. Accessing a specific entry in the dictionary is simple:

print globalvar['gateway']

The above code will print the LAN's default gateway as recorded by Subterfuge. You can use this same method to access other global attack information using the following keys (columns of the main_setup table):

Key          Description
ip           The IP address of the Subterfuge machine
iface        The interface used in the attack
gateway      The original default gateway of the LAN
autoconf     A Boolean value that determines whether auto-configuration is active
ploadrate    The interval over which Subterfuge refreshes attack information
injectrate   The interval Subterfuge waits between code injections
arprate      The interval Subterfuge waits between sending ARP packets
smartarp     A Boolean value that determines whether Dynamic Poison Retention is active
routermac    The MAC address of the LAN's router
autoupdate   A Boolean value that determines whether Subterfuge checks for updates automatically on startup
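A module usually hands these values to other tools (the route and arp commands, a packet crafter), so it pays to check them once before using them. The helper below is an added example written for this page, not part of Subterfuge: it takes the dictionary globalvars() returns and produces typed, validated settings, using the key names from the table above. It is Python 3, and it assumes the values arrive as strings as stored in the database; the sample row is constructed, not taken from a real run.

```python
import ipaddress
import re

# Added example, not Subterfuge's own code. Converts the main_setup
# dictionary returned by globalvars() into checked, typed values so a
# module fails early instead of building a command line or a packet
# from malformed data. Values are assumed to arrive as strings.

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")
IFACE_RE = re.compile(r"^[A-Za-z0-9_.:-]{1,15}$")
BOOL_KEYS = ("autoconf", "smartarp", "autoupdate")
RATE_KEYS = ("ploadrate", "injectrate", "arprate")


def _as_bool(value):
    """Accept a real bool or the usual textual spellings of true."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in ("1", "true", "yes", "on")


def _as_rate(key, value):
    """Intervals are seconds and must be positive."""
    rate = float(value)
    if rate <= 0:
        raise ValueError("%s must be a positive interval, got %r" % (key, value))
    return rate


def load_attack_config(globalvar):
    """Validate a globalvars() dictionary and return typed attack settings.

    Raises ValueError (or the ValueError subclasses raised by ipaddress)
    on any malformed entry.
    """
    cfg = {}
    cfg["ip"] = ipaddress.ip_address(globalvar["ip"])
    cfg["gateway"] = ipaddress.ip_address(globalvar["gateway"])
    if cfg["ip"] == cfg["gateway"]:
        raise ValueError("attacker ip and gateway must differ")
    iface = str(globalvar["iface"])
    if not IFACE_RE.match(iface):
        raise ValueError("interface name looks invalid: %r" % iface)
    cfg["iface"] = iface
    mac = str(globalvar["routermac"]).lower()
    if not MAC_RE.match(mac):
        raise ValueError("routermac is not a MAC address: %r" % mac)
    cfg["routermac"] = mac
    for key in BOOL_KEYS:
        cfg[key] = _as_bool(globalvar[key])
    for key in RATE_KEYS:
        cfg[key] = _as_rate(key, globalvar[key])
    return cfg


# Constructed sample row shaped like the main_setup table described above.
SAMPLE_GLOBALVARS = {
    "ip": "192.168.1.50", "iface": "eth0", "gateway": "192.168.1.1",
    "autoconf": "True", "ploadrate": "10", "injectrate": "5", "arprate": "2",
    "smartarp": "False", "routermac": "00:11:22:AA:BB:CC", "autoupdate": "0",
}

if __name__ == "__main__":
    print(load_attack_config(SAMPLE_GLOBALVARS))
```

The MAC and interface checks matter more than they look: both values end up inside command strings handed to system tools, and a stray shell metacharacter in the database would otherwise travel straight into those commands.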

 

Adding Additional Logic to Third Party Modules

The Subterfuge Module Builder automates the standard configuration of a module for you, but often you need to have just a bit more control. What follows is a short primer on how to do just that.

The file that handles Subterfuge's modules is modules/views.py. The default code generated by Subterfuge looks like this:

import os

#################################
#TUNNEL BLOCK MODULE
#################################
def tunnelblock():
    #Note the space after 'python'; without it the command becomes 'python/usr/share/...' and never runs
    os.system('python ' + str(os.path.dirname(os.path.abspath(__file__))) + '/TunnelBlock/TunnelBlock.py')

 

You can modify or add any code here to produce the result that you want. For instance, in the HTTP Code Injection Module we needed a bit more control and more features. What we ended up with is this:

#################################
#HTTP CODE INJECTION MOD
#################################
def httpcodeinjection(request, conf):
    #HTTP CODE INJECTION MODULE CONFIGURATION
    #Defaults so the launch line below never hits an unbound name
    exploit = ""
    payload = ""
    method = ""

    #Status
    status = request.POST["status"]

    #Vector (.get avoids a MultiValueDictKeyError when the field is absent)
    if request.POST.get("vector"):
        exploit = request.POST["vector"] + "\n"
        method = "metasploit"

    #Payload
    if request.POST.get("payload"):
        payload = request.POST["payload"] + "\n"

    if request.POST.get("custominject"):
        exploit = ""
        payload = ""
        method = "custom"

        #Write Custom Inject into File
        with open(str(os.path.dirname(__file__)) + '/httpcodeinjection/inject.x', 'w') as file:
            file.write(request.POST["custominject"])

    installed.objects.filter(name = "httpcodeinjection").update(active = status)

    os.system('xterm -e sh -c "python ' + str(os.path.dirname(os.path.abspath(__file__))) + '/httpcodeinjection/httpcodeinjection.py ' + method + ' ' + payload + '" &')

Note that method and payload come straight from the POST body and are concatenated into the string given to os.system, which runs it through sh. Anything that can submit the module form can therefore run commands on the Subterfuge host, so keep the web interface bound to the local machine, or validate those values and pass them as separate arguments to subprocess instead of building a shell string.

Note: Module code is typically stored under the following naming scheme:
          modules/<modulename>/<modulename>.py
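The shell-free way to launch a module script from this kind of view, as an added example that is not Subterfuge's code: request data is checked against an allow-list, and the interpreter, script path, method and payload are passed as separate argv entries to subprocess, so quotes or semicolons in the form fields cannot start a second command. The allowed method names follow the view above; the payload pattern (a Metasploit module path such as windows/meterpreter/reverse_tcp) and the module-name check are my assumptions. Python 3.

```python
import os
import re
import subprocess

# Added example, not code from Subterfuge. Replaces the pattern
#   os.system('xterm -e sh -c "python ... ' + method + ' ' + payload + '" &')
# with an argv list handed to subprocess, so POST data never reaches sh.

MODULE_DIR = os.path.dirname(os.path.abspath(__file__))
ALLOWED_METHODS = ("metasploit", "custom")           # the two methods the view uses
# Assumed shape of a Metasploit module path: letters, digits, '_' and '/'.
PAYLOAD_RE = re.compile(r"^[A-Za-z0-9_]+(?:/[A-Za-z0-9_]+)*$")


def validate_module_args(method, payload):
    """Return (method, payload) cleaned from POST data, or raise ValueError."""
    if method not in ALLOWED_METHODS:
        raise ValueError("unknown method: %r" % (method,))
    payload = (payload or "").strip()            # the form appends "\n"; drop it
    if method == "custom":
        return method, ""                        # custom injects read inject.x, no payload
    if not PAYLOAD_RE.match(payload):
        raise ValueError("payload is not a Metasploit module path: %r" % (payload,))
    return method, payload


def build_module_argv(module_name, method, payload, module_dir=MODULE_DIR):
    """Build argv for modules/<name>/<name>.py following the naming scheme above."""
    if "/" in module_name or module_name.startswith("."):
        raise ValueError("module name must be a plain directory name: %r" % (module_name,))
    method, payload = validate_module_args(method, payload)
    script = os.path.join(module_dir, module_name, module_name + ".py")
    argv = ["python", script, method]
    if payload:
        argv.append(payload)
    return argv


def launch_module(module_name, method, payload, in_xterm=False):
    """Start the module without a shell and return the Popen handle."""
    argv = build_module_argv(module_name, method, payload)
    if in_xterm:
        # xterm -e takes the command as separate arguments; still no shell involved
        argv = ["xterm", "-e"] + argv
    return subprocess.Popen(argv)
```

The '&' the original line relies on is unnecessary here: Popen returns immediately, so the view is not blocked while the module runs.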

 

Using the Subterfuge Notification System

Subterfuge is capable of sending alerts and notifications to users. The file that handles this interaction is utilities/notification.py. Notifications serve a dual purpose of providing error logging and troubleshooting guidance. To add your own notifications run the program with the following syntax:

os.system("python /usr/share/subterfuge/utilities/notification.py 'title' 'message'")

Give the full path to notification.py (or run from the utilities directory); os.system does not consult sys.path. Keep the title and message quoted as shown, and do not build them from untrusted input, because the string is interpreted by the shell.

Appendix B: Subterfuge Database

Basics on the Subterfuge Database

Subterfuge uses a SQLite database due to the system's portability. This database is accessed through Django's ORM. This makes accessing the database fairly simple, if syntactically different from what you may be familiar with. For queries not covered here you may wish to reference Django's documentation[1].

Select Statement:

creds = credentials.objects.all()

Insert Statement:

logcred = credentials(username = username, password = password)
logcred.save()

Update Statement:

setup.objects.update(value = newvalue)

 

That's all it takes to do basic database operations in Subterfuge; however, in order to include database queries in a file outside of views.py you need to configure Django yourself before importing the models:

import os

#Ignore Deprecation Warnings
import warnings
warnings.filterwarnings("ignore", category=DeprecationWarning)
from django.conf import settings

#Configure Database (abspath so a relative __file__ does not resolve to "/db")
settings.configure(DATABASE_ENGINE="sqlite3",
                   DATABASE_HOST="",
                   DATABASE_NAME= os.path.dirname(os.path.abspath(__file__)) + "/db",
                   DATABASE_USER="",
                   DATABASE_PASSWORD="")
from django.db import models

#Import Tables
from main.models import *

The DeprecationWarning being silenced comes from the DATABASE_* settings themselves: Django 1.2 replaced them with a single DATABASES dictionary and Django 1.4 removed the old names, so a module written this way is tied to the Django 1.3 that Subterfuge runs on.

 

Using the Subterfuge Database in your Modules

To access Subterfuge’s Database from your modules you must first import several dependencies.

 

 

 

 

References:

 

Special Thanks to:

Maj David Merritt

Lt Christopher Shields ~ r00t0v3rr1d3

n37tdiv3r5

 

References for Frontend Development

Django Template Language:

https://docs.djangoproject.com/en/dev/topics/templates/

Python Programming Language:

http://docs.python.org/

 

SANS WPAD Hijacking:

http://it-audit.sans.org/blog/2011/10/03/browser-security-man-in-the-middle-with-wpad

 

[1] Barber, R. (2011, August 30). Security Science. Retrieved from Computer Fraud & Security Volume 2001, Issue 3.

[2] Kurose, J. and Ross, K. Computer Networking: A Top-Down Approach. 5th Edition. Addison-Wesley. Page 61

[3] Saltzman, R. (2011, August 30). Security Science. Retrieved from OWASP: http://www.security-science.com/pdf/active-man-in-the-middle.pdf

[4] Leitch, S. (2009). Security Issues Challenging Facebook. Retrieved from Edith Cowan University Research Online: http://ro.ecu.edu.au/cgi/viewcontent.cgi?article=1017&context=ism&sei-redir=1#search=%22facebook%20secure%22

[5] Wagner, R. (2011, August 30). Address Resolution Protocol Spoofing and Man-in-the-Middle Attacks. Retrieved from http://savannah.gatech.edu/people/lthames/dataStore/WormDocs/arppoison.pdf

[6] Norton, D. (2011). An Ettercap Primer. SANS Institute, 1-27.

[7] Marlinspike, M. (2011, August 30). Blackhat. Retrieved from http://blackhat.com/presentations/bh-europe-09/Marlinspike/blackhat-europe-2009-marlinspike-sslstrip-slides.pdf

[8] Song, D. (2012, January 1). Dsniff Frequently Asked Questions. Retrieved from http://www.monkey.org/~dugsong/dsniff/faq.html

[9] Ogle, J. and Wagner, E. (2012, March 8). Hotel Network Security: A Study of Computer Networks in U.S. Hotels. Retrieved from http://www.hotelschool.cornell.edu/research/chr/pubs/reports/abstract-14928.html



[1] Django documentation: https://docs.djangoproject.com/en/dev/topics/templates/

Contributing to the Project

I made a discovery today. I found a computer. Wait a second, this is cool. It does what I want it to. If it makes a mistake, it’s because I screwed it up. Not because it doesn’t like me… Or feels threatened by me…

The Mentor

Vision

Subterfuge is still a work in progress. The project has seen an exciting amount of community support, but we still have a long way to go. Our goal is to create an all-encompassing framework from which to easily launch attacks against the LAN. Subterfuge will continue to integrate with other pieces of the penetration tester’s toolkit to allow a user to efficiently conduct a full spectrum penetration test.

In the future we would like Subterfuge to contain a database of possible attack methods and vectors in order to demonstrate the risk and vulnerability respectively. Because of the modular nature of the framework expandability should continue to be simple.

What can you do?

If you’re interested in contributing to the Subterfuge Project we might be able to use your help. As the framework is still in Beta any reviews, comments, or critiques are helpful. We also appreciate any and all issues logged on our Google Code site; we try to get to those bugs as quickly as possible. If you would like to go a step further feel free to contact us with suggestions, or develop your own modules. If you submit them to us we’ll try to get them added to the package for you.

Other than that the simple support you all give is always helpful. Thanks. Now go hack!

Extending Subterfuge

Dichotomy of the Attack

The first thing to consider as you look to extend Subterfuge is the anatomy of any Man-in-the-Middle attack. There is the exploit (the part that yields a MITM position), and the vector (the part that uses a MITM position to accomplish nefarious ends). If you are considering extending Subterfuge the first thing to ask yourself is: which category does my attack fit into?

This split view of a MITM strike is what we refer to as the Dichotomy of the Attack. In virtually all past scenarios using a MITM exploit to accomplish a goal the attacker has had to construct both the exploit and the vector. Subterfuge splits those two things apart, and allows the attacker freedom through increased efficiency.

Module Builder

When we built Subterfuge we wanted to make something that anyone could use and customize. Those two ideas tend to bash heads in almost every application, but in Subterfuge that was a key goal from the outset. In order to yield this functionality we developed the Module Builder. The point of this piece of the Framework is to automatically generate the backend management features for an attack, while simultaneously configuring a frontend method to facilitate interaction. All that is to say that our goal with the module builder was to create something that would allow a user to feed Subterfuge an attack vector or plugin and expect Subterfuge to do the rest.

Most programs have three defining features: the backend (database), the core (logic center), and the frontend (GUI). When we develop an attack we tend to focus on that middle part, the guts of the whole operation. Nevertheless, when we want that attack to work well and simply; we shift focus to those other two pieces, tedious as they may be. That’s where the Subterfuge Module Builder comes in. It dynamically generates a platform for both of those pieces giving us a place to start and significantly expediting the whole process.

Firstly, the module builder will generate a fairly generic graphical user interface for any program that it has been given. This means that a developer has to write very little, if any, frontend code to assist a handler in using his attack method.

Subterfuge comes with a database API to allow for seamless integration with the existing system. If you are developing an attack that requires detailed network information in order to function dynamically, the chances are Subterfuge has already catalogued that information. Accessing the information that Subterfuge stores is simple. For specific guidelines on syntax see Appendix B.

If your attack requires a database to store or track information it is simple to add the tables for it to Subterfuge's database. Subterfuge comes with a function to rebuild its database provided you specify the tables. The framework abstracts the SQL (through Django's ORM) in order to make working with the database more straightforward. See Appendix B for more specifics.

Building Plugins

The first version of Subterfuge to come with its own module builder was 3.0. As of this writing (Version 4.3) the module builder can only create attack vectors. Both the Tunnel Block Module and the DOS Module were created with the Subterfuge Module Builder. Nevertheless, more advanced vectors like the HTTP Code Injection Module still require significant code configuration in order to fully integrate them into the framework. In future releases of Subterfuge this process will become increasingly streamlined, but at the moment if there is a need for significant logic outside of the tool itself a user must personally modify the modules/views.py file. More information on how to accomplish this can be found in Appendix A.

Building Attack Modules


Modify/Customizing GUIs


(((NOT DONE)))

.mod files/JavaScript to look out for/functions

Program Structure

Subterfuge leverages the Python Django framework in order to render its HTML interface. Django has a template system that it uses to build each web page. Django is built on the DRY principle (Don't Repeat Yourself). While this streamlines the building of significant projects, it can be somewhat difficult to wrap one's head around, at least initially.

In Subterfuge we designate files with differing extensions according to their function. Multiple files are strung together to create each web page that is rendered. The file extensions and a brief description of each follow:

Core Files:

.py:      python, .py files are where Subterfuge’s logical core resides. The majority of these files do not interact with the GUI directly.

.rc:      resource, .rc files are the mechanism Subterfuge uses to communicate with the Metasploit Framework to facilitate the serving of exploits.

Template Files:

.tm:     template, a .tm file is the basis from which the website is created; it calls the other files in the order required by the web browser.

.ext:    extends, a .ext file is used to extend a template, or .tm file. This is the file that is called by the Django server, and should contain the bulk of user specific data.

.inc:    include, a .inc file is used for files that will likely be rendered within multiple templates.

.mod:  module, .mod files pertain to the interface for any given module. Every module has one, and they are typically generated by the Module Builder.

Miscellaneous Files:

.conf:  configuration, a .conf file is used to store static programmatic information. These are being replaced by the database and python import files. The primary configuration file is deprecated as of Version 5.0.

.log:    log, a .log file is used to store temporary information. Current Subterfuge logs are unnecessary to the operation of the program.

.lst:     list, a .lst file stores a line separated list of information. Subterfuge currently uses .lst files to store password and username field information for credential harvesting.

 

The Subterfuge directory structure is designed for modularity and expandability. This makes it confusing at a glance. Below we define the layout of the program:

./                 — Primary directory
  definitions/     — Directory for credential harvesting .lst files
  main/            — Location of primary Subterfuge logic
    utilities/     — Location of attack tools
    sslstrip/      — Location of Moxie Marlinspike's SSLStrip
    modules/       — Directory for Subterfuge Modules
    templates/     — Web Directory

 

The web directory structure is much like that of a standard website; however, there are some key differences. The first is that because Subterfuge's frontend is a Django application, all elements in the web directory must be referenced with the /static/ prefix. Logically, /static/ is equivalent to templates/. Within templates/ the directory structure is as follows:

  css/         — Directory for CSS files
  images/      — Directory for images in the web page
  includes/    — Directory for .inc files
  js/          — Directory for .js files
  mods/        — Directory for .mod files
  /static/     — Web directory, hosts all .ext and .tm files in addition to the subdirectories above

           

The most important feature of Django for us is that it allows for concurrent frontend and backend development. This lets us expand Subterfuge dynamically without having to devote focus to any given aspect prematurely. The heart of Subterfuge is located in the main/views.py file. Every page, configuration, function, and control is managed through this file. In rendering a page the views file makes the database queries and runs the backend logic, then forwards that information to a template file. The template file is the basis for any page in Subterfuge. The standard template used in Subterfuge imports all style sheets and libraries, instantiates variables, and provides the head navigation scheme.

A sample template file looks like this: (basic.tm)

<!--    HEADER      -->
{% include "includes/header.inc" %}
<!--    END_HEADER  -->

<body>

<!--        NAVBAR          -->
{% include "includes/nav.inc" %}
<!--        END_NAVBAR      -->
<!--        MAIN_CONTENT    -->
<div id="main">
{% block content %}{% endblock %}
</div>

<!--        END_MAIN_CONTENT    -->
</body>
</html>

 

{% block content %}{% endblock %} is how the Django template language references the information supplied by the extends file for the block named "content". Subterfuge places the primary content for any given page in this block. The implication is that if you are attempting to build a specific page for an app and you find that Subterfuge's built-in toolkit is not robust enough, you can modify the content provided by views.py to yield any result you desire. Further, {% include "includes/nav.inc" %} is used to include an external file into the template. This is how we build on the DRY principle.

In Django an extends file uses a template page as its skeleton to render the full site. It is in the extends file that the information placed in the content block can be found, so an extends file tends to hold the data specific to a page.

A sample Django extends file looks like this: (home.ext)

{% extends "basic.tm" %}

{% block content %}

<div id="dialog" class="windows">
<font color="white">Initiating: </font>
<img src="/static/images/loader.gif">
</div>
<div id="mask"></div>

<div id="creds">

</div>

{% endblock %}

 

 

The first line tells Django to build on "basic.tm". The next piece, {% block content %}, assigns the code that follows to a named block that the template then pulls in by that name; in this case the name is "content".

When Django puts the full site together the page looks something like this (each label names the file the following lines come from):

(home.ext)
{% extends "profile.tm" %}

(profile.tm)
<!--    HEADER      -->
{% include "includes/header.inc" %}

(header.inc)
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Whoodini</title>
<meta http-equiv="Content-Language" content="en" />

Etc...

(profile.tm)
<!--    END_HEADER  -->

<body>

<!--        NAVBAR          -->
{% include "includes/nav.inc" %}

(nav.inc)
<div id="navbar">
Etc...
</div>

(profile.tm)
<!--        END_NAVBAR      -->

<!--        MAIN_CONTENT    -->
<div id="main">
{% block content %}{% endblock %}
</div>

(home.ext)
{% block content %}

<div id="dialog" class="windows">
<font color="white">Initiating: </font>
<img src="/static/images/loader.gif">
</div>
<div id="mask"></div>

<div id="creds">

</div>

{% endblock %}

(profile.tm)
<!--      END_MAIN_CONTENT    -->
</body>
</html>

 

Leveraging the Django template format can be difficult to wrap one's head around at first; however, for extended design it can be a significant enhancement to efficiency. Now let's look at logic in the template language by opening up the credential harvester module: (credtable.inc)

{% if credential %}
{% for cred in credential %}
<tr class="{% cycle 'credrowa' 'credrowb' %}">
<td width="271">{{ cred.source }}</td>
<td width="374">{{ cred.username }}</td>
<td width="361">{{ cred.password }}</td>
<td width="120">{{ cred.date }}</td>
</tr>
{% endfor %}
{% endif %}

 

This is an if statement and a for loop in the Django template language; since Django is Python, the template syntax borrows from it. What is important to realize is that credential is a QuerySet that was handed to the template by main/views.py. Essentially, credential is the data and the logic above decides how to render it. Each item in the QuerySet is a model object whose attributes are the columns of a row, so cred.source contains the information stored in the "source" field of the row returned by the query made in the views page. The loop runs until all objects have been printed, displaying them in HTML for the user to see. Because these values were taken off the wire from victims, they are untrusted input to the operator's browser; Django's template engine escapes {{ ... }} output by default, so leave that in place and do not mark harvested fields with the |safe filter.

A views.py page looks something like this: (main/views.py)

from django.shortcuts import render_to_response
from main.models import credentials

def index(request):
    #Get Creds from Database
    creds = credentials.objects.all()

    #Relay Template Variables
    return render_to_response("includes/credtable.inc", {
        "credential" : creds
    })

 

This retrieves the information to be put into the credential variable and sends it on to the template language where it can be displayed graphically.

 

The Database

Subterfuge uses a SQLite database due to the system's portability. This database is accessed through Django's ORM. This makes accessing the database fairly simple, if syntactically different from what you may be familiar with. For queries not covered here you may wish to reference Django's documentation[1].

Select Statement:

creds = credentials.objects.all()

Insert Statement:

logcred = credentials(username = username, password = password)
logcred.save()

Update Statement:

setup.objects.update(value = newvalue)

 

That's all it takes to do basic database operations in Subterfuge; however, in order to include database queries in a file outside of views.py you need to configure Django yourself before importing the models:

import os

#Ignore Deprecation Warnings
import warnings
warnings.filterwarnings("ignore", category=DeprecationWarning)
from django.conf import settings

#Configure Database (abspath so a relative __file__ does not resolve to "/db")
settings.configure(DATABASE_ENGINE="sqlite3",
                   DATABASE_HOST="",
                   DATABASE_NAME= os.path.dirname(os.path.abspath(__file__)) + "/db",
                   DATABASE_USER="",
                   DATABASE_PASSWORD="")
from django.db import models

#Import Tables
from main.models import *

The DeprecationWarning being silenced comes from the DATABASE_* settings themselves: Django 1.2 replaced them with a single DATABASES dictionary and Django 1.4 removed the old names, so a module written this way is tied to the Django 1.3 that Subterfuge runs on.

 

 

 

 

 



[1] Django documentation: https://docs.djangoproject.com/en/dev/topics/templates/

Third-Party Tool Integration

Nothing exists in a vacuum. On that note we saw no real reason to pretend that Subterfuge did while we developed it. If a past solution to any given problem existed we were quick to adopt it. Since Subterfuge is written in Python, we gave preference to other Python programs, but that did not stop us from adapting existing tools to our purposes.

SSLStrip

Moxie Marlinspike released SSLStrip at Black Hat Europe in 2009. It was built to demonstrate that SSL, as deployed, did not reliably protect individuals' browsing sessions: rather than breaking the protocol, it removes it from the victim's side of the connection entirely.

SSLStrip is a useful tool due to its ability to hijack HTTP (Hypertext Transfer Protocol, or web) traffic on a network, watch for HTTPS (HTTP Secure) links and redirects, and then map those links into look-alike HTTP links[1]. SSLStrip also provides a feature to supply a favicon that looks like a lock icon, giving the impression that the web connection is secure. SSLStrip is used transparently (i.e., without the user's knowledge): it keeps the HTTPS session to the real server itself while the victim's side of the connection runs as a standard, plaintext web session that can then be easily monitored. Stealing credentials and sessions becomes trivial at this point. Its limit is HTTP Strict Transport Security: a browser that has already seen a Strict-Transport-Security header from a site will refuse the downgraded plaintext connection to that site. SSLStrip is a difficult piece of software for the average security researcher to set up quickly, let alone an average web user. The configuration process requires the user to perform intricate changes to files on the host operating system in addition to setting up network routing rules with a separate program. Furthermore, it requires that the attacker already have a MITM position established.

 

It is at this confluence that the synergy Subterfuge provides can be seen, and felt. By automating SSLStrip, garnering a MITM position, and passing the results directly into its modules, Subterfuge provides a powerful framework for the Penetration Tester to leverage.

 

Moxie’s tool has the added benefit of being written in Python, which made integrating it into Subterfuge a figurative walk in the park, but what is truly distinct about Subterfuge’s integration with SSLStrip is its function. Because SSLStrip can modify traffic directed to it we were able to make modifications turning the program into an intercepting proxy. The strength of a Man-in-the-Middle attack is control. Upon gaining control of the network there is a seemingly endless array of possibilities.

The modified SSLStrip forms the backbone of Subterfuge’s tampering capabilities. Further integration with our database increases usability and speed, in addition to potential attack options.
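To make the two halves of the strip concrete, here is an added example written for this page; it is not Marlinspike's sslstrip and not Subterfuge's modified copy of it. The first half rewrites https:// references in a server response (body, Location redirect, and the Secure flag on cookies) to plain http:// while remembering what was rewritten; the second half decides, for a later request from the victim, whether the proxy must speak HTTPS to the real server. Class and function names and the sample HTML are mine; Python 3.

```python
import re
from urllib.parse import urlsplit

# Added example, not sslstrip itself. Models the rewrite-and-remember
# logic an HTTPS-stripping proxy needs; the sample response is constructed.

HTTPS_URL_RE = re.compile(r"https://([A-Za-z0-9.-]+(?::\d+)?)(/[^\s\"'<>]*)?")


class StripState:
    """Tracks which URLs the victim has been shown as plain http://."""

    def __init__(self):
        self.stripped = set()   # (host, path) pairs that must go upstream as HTTPS

    def _remember(self, host, path):
        path = (path or "/").split("?")[0]       # key on the path without the query
        self.stripped.add((host.lower(), path))

    def strip_response(self, text):
        """Rewrite every https:// reference in response text to http://."""
        def swap(match):
            host, path = match.group(1), match.group(2)
            self._remember(host, path)
            return "http://" + host + (path or "")
        return HTTPS_URL_RE.sub(swap, text)

    def strip_headers(self, headers):
        """Rewrite a Location redirect and drop the Secure flag from cookies."""
        out = {}
        for name, value in headers.items():
            if name.lower() == "location":
                value = self.strip_response(value)
            elif name.lower() == "set-cookie":
                # a cookie marked Secure would never be sent over the
                # downgraded http:// connection, so the flag is removed
                value = re.sub(r";\s*secure(?=;|$)", "", value, flags=re.I)
            out[name] = value
        return out

    def upstream_scheme(self, request_url):
        """Scheme the proxy must use toward the real server for a victim's request."""
        parts = urlsplit(request_url)
        key = (parts.netloc.lower(), parts.path or "/")
        return "https" if key in self.stripped else "http"


# Constructed sample response body, not captured traffic.
SAMPLE_HTML = (
    '<a href="https://login.example.com/auth">Sign in</a>\n'
    '<form action="https://login.example.com/auth" method="post">\n'
    '<a href="http://www.example.com/help">Help</a>\n'
)

if __name__ == "__main__":
    state = StripState()
    print(state.strip_response(SAMPLE_HTML))
    print(state.upstream_scheme("http://login.example.com/auth"))
```

The remembered set is the whole trick: the victim's browser only ever asks for http://login.example.com/auth, and it is the proxy's record of having stripped that link that tells it to open HTTPS upstream and relay the plaintext POST into it. A browser with an HSTS entry for the host never issues that http:// request, which is why the technique stops there.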

Nmap

The quintessential port scanning utility is Nmap. Subterfuge can leverage Nmap to perform a baseline port scan with OS Detection. This can be seen in action by pressing the scan button in the Network View.

Subterfuge does not currently (as of version 4.2) support the import/export of Nmap scan results; however this is a feature we plan on adding to framework in the future.

Metasploit

Subterfuge now includes exploitation options through its integration with the Metasploit Framework. If you have Metasploit installed on your system alongside Subterfuge (and its binaries are in your $PATH) you may be able to transparently embed exploits into the sessions of victims.

The HTTP Code Injection Module demonstrates this capability. The code injection module is able to modify the website a victim views in real time. Because of Metasploit integration it can then inject a reference to Metasploit's browser_autopwn server into a victim's session, which can result in unauthorized remote access to their system.

Currently, Subterfuge does not support using more specific exploits within the Metasploit Framework; however, this is a capability we intend to add in the future.

Armitage

We are currently working on Subterfuge integration with Raphael Mudge’s Armitage. Potential integration options could include remote deployment of Subterfuge as an attack payload.

Evilgrade

Evilgrade is a tool that allows a user to spoof an update server on the network. When a victim starts up a program such as iTunes it automatically looks to see if updates exist. Evilgrade steps into this process and sends the victim a malicious payload in place of the update. Evilgrade requires the attacker to attain a MITM position before it can begin its attack, so we thought, why not Subterfuge? We intend to have an Evilgrade module included as part of the Framework by version 5.1.



[1] Marlinspike, M. (2011, August 30). Blackhat. Retrieved from http://blackhat.com/presentations/bh-europe-09/Marlinspike/blackhat-europe-2009-marlinspike-sslstrip-slides.pdf

Troubleshooting

The most pervasive problem with hacking tools is that they never quite work right for everyone. Between the plethora of different builds we operate and the differing conditions of each attack, breaking things is almost inevitable. Here's what to do to fix it. (The FAQs are followed by workarounds for commonly encountered problems.)

Frequently Asked Questions

  1. Is Subterfuge free for download?
  2. What Operating Systems is Subterfuge built for?
  3. What dependencies does Subterfuge require?
  4. Help! I’m having browser issues
  5. How can I report a new bug?
  6. I see lots of errors in the terminal window what am I doing wrong?
  7. How do I run Subterfuge as an externally navigable server?
  8. How do I uninstall Subterfuge?
  9. What kind of support is there
  10. How can I contact you?

 

Is Subterfuge free for download?
[answer given as a screenshot image]

What Operating Systems is Subterfuge built for?
[answer given as a screenshot image]

What dependencies does Subterfuge require?
[answer given as a screenshot image]

Help! I'm having browser issues
[answer given as a screenshot image]

How can I report a new bug?
[answer given as a screenshot image]

I see lots of errors in the terminal window what am I doing wrong?
[answer given as a screenshot image]

How do I run Subterfuge as an externally navigable server?
[answer given as a screenshot image]

How do I uninstall Subterfuge?
[answer given as a screenshot image]

What kind of support is there?
[answer given as a screenshot image]

How can I contact you?
[answer given as a screenshot image]

Installation Procedures

Subterfuge is only supported on Kali Linux. Do NOT attempt to install on Windows or Mac OSX. Subterfuge is capable of running under other flavors of Linux, but if you encounter issues we will only offer support if you are using Kali Linux.

Installation Procedures – Kali Linux

To get started download the latest version of Subterfuge from our website: http://kinozoa.com/downloads

Procedures:

  1. Open up a terminal window.
  2. Navigate to the directory where you downloaded Subterfuge.
  3. Install it:   dpkg -i subterfuge_1.0-1_all.deb
  4. If dependency issues arise:   apt-get update && apt-get -f install
     Apt will automatically install all dependencies followed by Subterfuge itself.
  5. Type: subterfuge
  6. Open up a browser and navigate to: 127.0.0.1

Known Defects

This section exists to help you troubleshoot issues with the system that we are aware of; hopefully the key to solving your problem is here. If you cannot find a solution here try the Google Code issues page and contact us.

Error:

sh: route: command not found

Description:

Subterfuge uses the route command in order to manipulate the network routing tables on the attacker's machine. This command is part of net-tools, which may not be in the default install of all Linux distributions. For more information see: http://www.archlinux.org/news/deprecation-of-net-tools/

Solution:

Install net-tools:

On Debian Systems:
apt-get install net-tools
On Red Hat Systems:
yum install net-tools

Alternately, find net-tools online and install it.

 

Error:

Validating models...
0 errors found
Django version 1.3.1, using settings 'subterfuge.settings'
Development server is running at http://127.0.0.1:80/
Quit the server with CONTROL-C.

Error: That port is already in use.

Description:

Something else is using the port you are trying to run Subterfuge on. Do you have Apache running? Alternately, another instance of Subterfuge may not have closed properly.

Solution:

Try:     /etc/init.d/apache2 stop

Try:     killall python

Then:    subterfuge

killall python stops every Python process on the machine, not just the stale Subterfuge instance. To find only the process holding the port, use lsof -i :80 (or fuser 80/tcp) and kill that PID.

Modules

So your attack was successful. You’ve pwned the network, only now… What to do with it? In Subterfuge it is the modules that give us the ability to leverage our position quickly and easily. Moreover, if your needs are particularly specific, you can create a module for Subterfuge without the need to launch your own attack from scratch. Subterfuge comes packaged with several default modules that you can use to great effect.

Credential Harvester

The Credential Harvester is the original Subterfuge Module. When we built the program the whole premise was to develop a system that demonstrated the effectiveness of this genre of attack beyond a shadow of doubt. The Credential Harvester does that.

Subterfuge comes with a modified version of Moxie Marlinspike’s SSLStrip. It is used as an intercepting proxy to allow us to control network traffic in real time. The Credential Harvester uses SSLStrip to intercept POST data, and it parses through the information in order to pull out authentication credentials in plain text. SSLStrip uses an HTTP downgrade attack, causing the POST data to be transmitted in plain text. This means that even sites that encrypt their login fields, which protects against tools like Firesheep, are susceptible to harvesting.


Operating Procedures:

Navigate to the Credential Harvester View (seen above)

Click the Start button

If automatic configuration is enabled Subterfuge will ask if you would like it to automate the attack for you. Otherwise the framework will use the settings established in the settings page.

Session Hijacking

Session Hijacking is not a feature currently available in Subterfuge. It will, however, find its way into the framework by the release of Beta version 5.0.

The session hijacking plugin will allow a user to masquerade as a victim within the session that was hijacked. Due to the stateless nature of HTTP, and the need for web servers to remember certain information about each user accessing them, we can often authenticate into a web application without requiring a username or password.

A typical user experiences this when he navigates to a website, and finds that he is already logged in. Because he never transmitted authentication information to create a session with the webserver there is nothing for the credential harvester to intercept, which means that we won’t get anything.

Since that’s just uncool, we are expediently developing a Session Hijacking Module for the framework. In addition, we are building a feature into the Credential Harvester to force terminate a victim’s session, forcing them to authenticate into the web application again.

HTTP Code Injection

Subterfuge’s modification of SSLStrip allows the data intercepted to be tampered with before it reaches the victim’s browser. In essence this allows us to inject arbitrary code into a victim’s browser session.


This code can be anything from a JavaScript alert message to an exploit like ms10_aurora.


This module comes with two standard methods of operation. The first is called custom injection. It appends the text typed into a provided box to any website that a victim views. The second method uses Subterfuge’s integration of the Metasploit Framework in order to leverage an exploit against a victim’s browser. Metasploit injections can be rendered in three different manners: in a hidden iframe, in a popup window, and as a window redirection.

Operating Procedures:

Method 1: Custom Injection

Start Subterfuge

Pull up the HTTP Code Injection Menu by clicking on the module’s icon (From the Plugin page or Network View)

Select Custom Inject

Enter the data you would like injected

Click Apply

Method 2: Metasploit

Start Subterfuge

Pull up the HTTP Code Injection Menu by clicking on the module’s icon (From the Plugin page or Network View)

Select the injection vector from the drop down menu

Select an exploit from the drop down menu

Click Apply

If automatic configuration is enabled Subterfuge will ask if you would like it to automate the attack for you. Otherwise the framework will use the settings established in the settings page.

Denial of Service

Being the Man-in-the-Middle means that in order for the network to function you must route traffic properly. So what happens if we just… don’t? In that situation all of the victims on the network will no longer be able to access the Internet because their router, us, is dropping all of their packets. This produces a very powerful layer three DOS attack.

Operating Procedures:

Start Subterfuge

Pull up the DOS Module by clicking on the module’s icon (From the Plugin page or Network View)

Click Apply

If automatic configuration is enabled Subterfuge will ask if you would like it to automate the attack for you. Otherwise the framework will use the settings established in the settings page.


Tunnel Block

We realized that one of the best methods to retain a certain level of security on a network is to use some form of encrypted tunneling, so we made it easy to subvert this. The tunnel block method prevents common protocols like SSH and VPNs like L2TP and OpenVPN from accessing the Internet, forcing a client to use insecure methods of networking.

Operating Procedures:

Start Subterfuge

Pull up the Tunnel Block Module by clicking on the module’s icon (From the Plugin page or Network View)

Click Apply

If automatic configuration is enabled Subterfuge will ask if you would like it to automate the attack for you. Otherwise the framework will use the settings established in the settings page.

Network View

Rather than guessing what the network looks like, open up the Network View and see it. The Network View offers a whole new way to experience a Man-in-the-Middle position. Each client that appears while using this module represents a victim on the network. Information is synchronized rapidly to give the attack an appropriately “live” feel.

While I was building this, I thought: if someone were to take a screenshot of Subterfuge, what would I want it to look like? There is nothing more unique to the framework than this module. It gives off a usability vibe akin to Armitage, which is exactly what we were going for in this tool. Moreover, it really is as easy to use as it appears. The Network View gives an attacker easy access to other modules as well as a simple interface from which to interact with third party tools like Metasploit and Nmap. Because Subterfuge is fully integrated with Nmap, we can leverage the tool to update the Network View in order to give ourselves a more accurate interpretation of the suspect network with speed and efficiency.


Operating Procedures:

Pull up the Network View Module by clicking on the module’s icon (From the Plugin page)

Click Apply

Start Subterfuge

Wait for a victim to appear and interact with their sessions

If automatic configuration is enabled Subterfuge will ask if you would like it to automate the attack for you. Otherwise the framework will use the settings established in the settings page.

Evilgrade

Evilgrade is a tool that allows a user to spoof an update server on the network. When a victim starts up a program such as iTunes it automatically looks to see if updates exist. Evilgrade steps into this process and sends the victim a malicious payload in place of the update. Evilgrade requires the attacker to attain a MITM position before it can begin its attack, so we thought, why not Subterfuge? We intend to have an Evilgrade module included as part of the Framework by version 5.0.


Future Modules

Wireless AP Attack Suite

The Wireless AP Suite will have a number of extremely useful features, which will increase the functionality of Subterfuge. A user will be able to set up a fake access point through which a victim will connect, successfully creating a MITM situation. An advanced option would even listen for what computers in the nearby area are probing for and set up an access point spoofing networks the victims have previously connected to. This will allow the victim computers to connect to and route their traffic through Subterfuge without any user input.

Subterfuge — The Attack

Note that on BackTrack scripts MUST be enabled in order for Subterfuge to run.

“He who is prudent and lies in wait for an enemy, who is not, will be victorious.” – Sun Tzu

Right so on to the part everyone actually cares about… Running Subterfuge! This part of the documentation focuses on getting the framework up, running, and working for you. Let’s get started.

Installation Procedures

Gaining a MITM Position

Now that we’ve got the framework installed, let’s attack. The first step in any Subterfuge attack is gaining a Man-in-the-Middle position. Currently, Subterfuge only ships with one method of establishing itself as MITM: ARP Cache Poisoning. Nevertheless, as a framework, its modular design allows it to support multiple methods.

Running Subterfuge:
To start Subterfuge, click the Start button in the top right corner. A popup window should appear asking whether you would like Subterfuge to automatically configure the attack; select OK. Now the attack should be running as seen above. Note that on BackTrack scripts MUST be enabled in order for Subterfuge to run.

ARP Cache Poisoning

What did we just do? If you already know or don’t really care, move on to the next section; for those of you who do care, let’s take a moment to talk about the anatomy of the attack. I won’t get into the behind-the-scenes actions that Subterfuge takes in order to make this process so easy; if you are interested in that information head over to Extending Subterfuge and the Appendices.

Let’s back up a moment and talk about the Address Resolution Protocol (ARP). ARP is about as simple as a protocol gets. Its purpose is to associate MAC (Hardware) addresses with IP addresses. This allows devices on the Local Area Network (LAN) to find each other. Excluding Reverse ARP, there are really only two kinds of things that an ARP can say:

  1. ARP Request – “Who has X IP Address”
  2. ARP Reply – “X IP is at X MAC Address”

What happens if instead of giving the standard ARP Reply we say, “X IP is at Y MAC Address”? Everyone who hears the packet adheres to it. This really uncovers the fundamental problem with the protocol. There isn’t a shred of authentication. Below is a Wireshark capture of an awry ARP packet.


Because this packet was sent to the broadcast all of the machines on the LAN will see the packet and adjust their ARP Tables to match. This means that all traffic bound for 192.168.1.1 (the router’s IP address) will go instead to the box bearing the attacker’s MAC address. We’ve achieved Man-in-the-Middle.


A victim running Windows 7 displays their ARP Table

Dynamic Poison Retention & ARPBlock

One problem with a traditional ARP Cache Poison attack is that the router and victims will occasionally send out legitimate ARP requests and replies. This means that the attacker will experience a period of MITM loss immediately after this traffic. In order to minimize this, a typical attack will simply spam ARP across the network. Subterfuge uses arptables to attempt to block all ARP that it does not personally distribute. Furthermore, Subterfuge uses what we’ve taken to calling Dynamic Poison Retention in order to preempt legitimate ARP. This allows us to run a much more stable attack, and even increase stealth by relying on something other than a ticker to retain a poison.
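To show the defender’s side of the attack described in this section, here is an added example (not Subterfuge’s code) in Python: it parses IPv4-over-Ethernet ARP frames and flags the symptoms of poisoning just discussed, a reply nobody asked for (or one sent to broadcast), an already-learned IP suddenly advertising a different MAC, and an Ethernet source that disagrees with the ARP sender field. All addresses are constructed, and the real gateway binding is assumed to be known in advance.

```python
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def parse_arp_frame(frame):
    """Return the ARP fields of an Ethernet II frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"eth_src": mac_str(frame[6:12]),   # MAC in the Ethernet header
            "op": oper,
            "sha": mac_str(frame[22:28]),      # sender hardware address: the MAC being advertised
            "spa": ip_str(frame[28:32]),       # sender protocol address: the IP being claimed
            "tha": mac_str(frame[32:38]),
            "tpa": ip_str(frame[38:42])}


def build_arp_frame(op, sha, spa, tha, tpa, eth_dst=None):
    """Construct a test frame (constructed input for the detector, not captured traffic)."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(int(x) for x in s.split("."))
    return (mac(eth_dst or tha) + mac(sha) + struct.pack("!H", ETHERTYPE_ARP)
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + mac(sha) + ip(spa) + mac(tha) + ip(tpa))


class ArpWatch:
    """Keep an IP-to-MAC table and report the symptoms of the attack described above."""

    def __init__(self, gateway_ip, gateway_mac):
        self.table = {gateway_ip: gateway_mac}  # trusted seed: the real router binding
        self.pending = set()                    # (requester IP, asked-for IP) awaiting a reply
        self.alerts = []

    def observe(self, frame):
        """Feed one frame; return the alert labels it triggered (empty list if benign)."""
        arp = parse_arp_frame(frame)
        if arp is None or arp["op"] not in (ARP_REQUEST, ARP_REPLY):
            return []
        if arp["op"] == ARP_REQUEST:
            self.pending.add((arp["spa"], arp["tpa"]))
            return []
        found = []
        # 1. Ethernet source and ARP sender MAC disagree: the frame did not come from the host it names.
        if arp["eth_src"] != arp["sha"]:
            found.append("header mismatch")
        # 2. A reply nobody asked for, or one sent to broadcast: unsolicited poison traffic.
        key = (arp["tpa"], arp["spa"])
        if key in self.pending and arp["tha"] != BROADCAST:
            self.pending.discard(key)
        else:
            found.append("unsolicited reply")
        # 3. An already-learned IP (the gateway especially) now claims a different MAC.
        known = self.table.get(arp["spa"])
        if known is None:
            self.table[arp["spa"]] = arp["sha"]
        elif known != arp["sha"]:
            found.append(f"binding changed for {arp['spa']}: {known} -> {arp['sha']}")
        self.alerts.extend(found)
        return found


def run_demo():
    """Constructed scenario: one honest request/reply, then a broadcast reply claiming the gateway's IP."""
    gw_ip, gw_mac = "192.168.1.1", "00:11:22:33:44:55"          # constructed router binding
    victim_ip, victim_mac = "192.168.1.10", "aa:bb:cc:dd:ee:01"  # constructed victim
    rogue_mac = "de:ad:be:ef:00:01"                              # constructed stand-in for the poisoning host
    watch = ArpWatch(gw_ip, gw_mac)
    request = build_arp_frame(ARP_REQUEST, victim_mac, victim_ip, "00:00:00:00:00:00", gw_ip, BROADCAST)
    reply = build_arp_frame(ARP_REPLY, gw_mac, gw_ip, victim_mac, victim_ip)
    poison = build_arp_frame(ARP_REPLY, rogue_mac, gw_ip, BROADCAST, victim_ip)
    honest_alerts = watch.observe(request) + watch.observe(reply)
    poison_alerts = watch.observe(poison)
    return honest_alerts, poison_alerts
```

Fed the honest exchange, `run_demo()` raises nothing; the broadcast reply produces both an unsolicited-reply alert and a binding-changed alert for the gateway, which is exactly the pattern a tool like arpwatch reports.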

Dynamic Poison Retention in action

Using Subterfuge Modules

So now you’ve got MITM, but what on God’s green earth do you do with it? Let’s cursorily check out Subterfuge’s Modules.

The Subterfuge Module View

Subterfuge ships with many modules. After acquiring a man in the middle position we have a strongpoint from which to pillage the network. Subterfuge makes leveraging this position as simple as a few clicks. Check out the modules section for more on this.

Settings and Configuration Options

One of the most unique aspects of Subterfuge in the realm of network attack tools is the ease with which you can customize virtually anything about your attack. The settings page makes configuring and optimizing an attack simple.

Configuring Subterfuge is Simple

Attacking from the Network View

Through the Network View Subterfuge opens up a whole new way to visualize, and interact with a MITM position. Every box that shows up in this view represents an actively poisoned victim. Subterfuge synchronizes individual portions of the page with the server to make the attack look and feel real-time. The Network View also makes it easy to control the spectrum of your attack, and interact with modules directly, all from one place.

Subterfuge’s Network View Demonstrates an all New Way to interact with a MITM Position

That’s all there is to starting up a basic MITM attack with Subterfuge. The next chapter focuses more on how to leverage your attack position with the framework’s modules.

Documentation Introduction


Enter Subterfuge, a Framework to take the arcane art of Man-in-the-Middle Attacks and make it as simple as point and shoot. Subterfuge demonstrates vulnerabilities in the ARP Protocol by harvesting credentials that go across the network and even exploiting machines by injecting malicious code directly into their browsing sessions.

How to use this Document

Reading through this entire document may be tedious, and will certainly deluge you in information you may have no desire to know. To aid in your perusal, below is a short summary of each section, so that you know where to go in order to get the information that you came for:

Introduction

This section is for those of you who are interested in where the Subterfuge Project came from, why it exists, and what we hope to accomplish. The introduction focuses on the risks of MITM attacks, the programmatic structure of Subterfuge, and the community buoying it up.

The Attack

The next portion of the documentation gets right into running Subterfuge. It starts with the most basic usage, and moves on to basic module usage as well as settings and configuration options.

Modules

Extending the attack through Plugins and Modules. This section takes an in depth look at how Subterfuge can really work for you.

Troubleshooting

The most pervasive problem with hacking tools is that they never quite work right for everyone. Between the plethora of different builds we operate, and the differing conditions of each attack, breaking things is almost inevitable. Here’s what to do to fix it.

Third-Party Tool Integration

Subterfuge doesn’t exist in a vacuum, and we didn’t design it that way. Here we discuss the external tools that the project leverages, and how they interact with the framework to make the penetration testing experience more fluid and dynamic.

Extending Subterfuge

Making Subterfuge work for you is easy. This portion of the documentation talks about just how to get deeper functionality out of the system.

Contributing to the Project

Community Support for the project has been great so far. If you would like to contribute in some manner then this section might merit your perusal.

Appendices

Other stuff. See for yourself.

About Subterfuge

A rapidly expanding portion of today’s Internet strives to increase personal efficiency by turning tedious or complex processes into a framework, which provides instantaneous results.  On the contrary, much of the information security community still finds itself performing manual, complicated tasks to administer and protect their computer networks. Subterfuge is a simple but devastatingly effective Man-in-the-Middle (MITM) Attack Framework, which exploits vulnerabilities in the inherently trusting Address Resolution Protocol.  It does this in such a way that even a non-technical user would have the ability, at the push of a button, to attack all machines connected to the local area network (LAN). Subterfuge further provides the framework by which users can then leverage a MITM attack to do anything from browser/service exploitation to credential harvesting, thus equipping information and network security professionals and enthusiasts alike with a sleek “push-button” security validation tool.

User-friendly network attack tools are quick to make national headlines due to the threat they pose and because, “in truth, the tools and techniques employed by hackers are extremely complex[1].”  Firesheep, a Firefox web browser plugin, is just such a tool.  It was designed to capture cookies created during the login process for secure web sites, and it does this at the push of a button.  Firesheep’s push-button simplicity and overwhelming effectiveness led to its ubiquitous use by skilled professionals and non-skilled users alike, thus focusing attention on a fixable yet often-ignored error in web site implementation. What makes tools with this level of simplicity interesting is that, while any skilled hacker should be able to script something equivalent with little effort, he no longer has to, and can now focus on more delicate attacks.

The Subterfuge Project attempts to use the paradigm popularized by Firesheep, Armitage, and other user-friendly network attack tools to create a framework for Man-In-The-Middle (MITM) attacks.  A MITM attack uses eavesdropping to insert a malicious entity into the communication path between legitimate users on a network[2].  This entity can then masquerade as either of the legitimate users in order to capture sensitive information, like login credentials for a protected web site.  Typically, a MITM attack requires a significant amount of complex, text-based configuration of numerous software programs.  This complexity, combined with the virtually never-ending reports of stolen identities and online credential theft, makes the MITM attack a prime candidate for the creation of a user-friendly, simplified framework.

We designed the framework to have a simple interface with minimal configuration requirements in order to appeal to skilled and non-skilled network security professionals and users alike.  Subterfuge has a sleek web based interface to allow a user to deploy the software quickly and easily without editing sophisticated text-based configuration files.  Subterfuge automates the configuration process or, alternately, streamlines it with a Graphical User Interface (GUI). It also allows the user to view a report of all the different credentials that were harvested. The ease with which the general populace would be able to use Subterfuge will demonstrate to information security professionals the dangers of MITM attacks on a large scale.

Subterfuge is developed with the Python programming language and uses a SQLite database. JavaScript handles significant frontend logic.

Man-in-the-Middle Threat Analysis

So what is the big deal? Well a study from Cornell University’s Center for Hospitality Research stated that over 90% of hotels provide wireless Internet access to their customers, and the vast majority of these access points are susceptible to ARP Poisoning Attacks[3].

There are two significant types of MITM attacks: Passive and Active.  In a Passive attack, a hacker can observe what his victim is viewing, which allows the attacker to steal credentials and session cookies.  In an Active attack, “the target is entirely controlled by the attacker, rather than being limited by the extent of the victim’s browsing activity[4]”.

Several major websites, such as Google and Facebook, have recently realized a significant blunder on their part in terms of browsing security for their users.  Facebook used to encrypt solely the login traffic, which contained the username and password of the individual.  Afterwards, the session returned to a regular, plain text browsing session, which could be intercepted and easily read by anyone who might be performing a MITM attack.  In a paper on the security issues, which are challenging Facebook, the need to “educate Facebook users about using secure socket layer (SSL) applications” is discussed as a prerequisite to protecting their users from identity theft[5].

In addition to web site design and implementation errors, the network Address Resolution Protocol (ARP) itself has residual vulnerabilities that are commonly exploited during a MITM attack.  The extent to which computers on a local network rely on, and inherently trust the responses of, ARP messages is alarming.  If ARP message processing remains uncontrolled, ARP sniffing and poisoning can occur, which means that an attacker can begin the process of masquerading as a legitimate user[6].  Current steps that the security community has made to secure ARP are woefully inadequate.  Heightened awareness of the threat implicated by MITM attacks should become more commonplace amongst both computer users and security professionals.

Man-in-the-Middle Attacks are a category of vulnerability to which most applicable systems are susceptible. They are and will remain this way because of their obscurity. Until MITM attacks are simplistic enough that even aspiring security professionals can easily leverage them against networks, manufacturers will continue to develop and distribute vulnerable equipment. With Subterfuge, it is possible to make knowledge of these vulnerabilities mainstream, beyond even the security community. Subterfuge can be the motivation that manufacturers like Cisco need to build the protections that they have provided to their enterprise customers for years into the systems they sell the average consumer.

The overall goal was to develop a tool that is sufficiently effective and easy to use in order to encourage the security community to focus on the massive vulnerability inherent in the Address Resolution Protocol.  To achieve this result, we created a framework called Subterfuge, which allows even an average user to exploit the vulnerabilities in ARP on a local network.

The most basic implementation of Subterfuge collects information and user authentication credentials across an entire local area network and organizes the collected data into a SQLite Database.  It does this by automating an ARP Cache Poisoning Attack while leveraging SSLStrip, which is publicly available.

Subterfuge automatically manages its configuration, yet allows more advanced users the ability to delve deeper into the MITM settings.  This requires Subterfuge to detect the hardware and network configurations needed to initiate the attack.  Additionally, Subterfuge is able to properly configure, setup, and deploy SSLStrip with little or no input required from the user. The tedious and difficult problem of properly configuring and executing these multiple pieces of software in unison is eased by the automation developed and included in the Subterfuge Project.

This tool is deemed successful if a user is able to execute Subterfuge to collect user information and credentials on the network to which they are connected. Specifically, a Subterfuge user ought to be able to steal user credentials, without the victim’s knowledge, even when a “secure” protocol such as HTTPS is perceived to be in use.

About the Creators

Subterfuge was created by Christopher Shields (r00t0v3rr1d3) & Matthew Toussain (0sm0s1z).

Program Composition

In the field of Man-in-the-Middle tools Subterfuge has a unique structure, which opens the door to a wide array of additional features and options.

Server/Client Architecture

Subterfuge uses a server/client architecture. When you run Subterfuge you are actually starting up a server that is then accessed by the client, a web browser. This is important because it is the fundamental basis for collaboration within the system. Multiple devices can access a Subterfuge server simultaneously; because status is monitored in real time, interaction between penetration testing parties is possible.

Furthermore, this architecture gives us the ability to turn Subterfuge into a payload to MITM a remote network. (In development for a future release)

Web Frontend

The web frontend comprises the Graphical User Interface that you interact with. Because HTTP is a stateless protocol significant JavaScript logic was implemented in order to give the framework a live look and feel.

Database

Subterfuge uses a SQLite Database. We chose SQLite 3 because it is exceedingly lightweight and easy to port. It meant that the framework could ship with a preconfigured database of its own rather than having to configure it as part of the installation process. The database includes sections for modules, settings, and third-party programs. (See Extending Subterfuge for more information)

OS Compatibility

As of Version 4.1 Subterfuge is compatible with the Linux Operating System only. Future cross-platform compatibility is in the works. The next step will involve releasing an OSX version, followed by Windows XP & Windows 7. The OSX version should be BSD compatible.

Currently, significant issues exist when attempting to port Subterfuge into the Windows environment. As such this step in the port may not occur for some time.

The Framework

Naturally, Man-in-the-Middle Attacks are not limited to mere credential fraud. Neither is Subterfuge. Basic usage of the tool will be to ARP Poison the LAN; however, from this perspective it is possible to initiate many attacks. The Framework will automatically gather credentials, but it can also do more. Subterfuge’s Plugin System allows for the usage of additional MITM functionality without the need to develop another security tool from scratch.

Community Support

When development of the Subterfuge Project began we created a Google Code site in order to help us with project management and collaboration. What we did not expect was for the community to stumble upon it, and begin hyping it. What we certainly did not anticipate was those of you out there who actually contributed code to the project to help us alleviate bugs.

Then someone must have told Backbox Linux about our tool, because they approached us to get Subterfuge added into their repositories. Finally, after our beta release at DEFCON, BackTrack Linux adopted the tool, and it was included in version 5 release 3.

So far the community has been very accepting of our errors and pages upon pages of bug notes. We intend to keep extending the framework and building new features into it, so thank you in advance for bearing with us through several more reams of release notes jam-packed with bugs and fixes.

From the moment the community found it you all have been tweeting, writing articles, giving suggestions, and even contributing code to the project. Thanks for the support!



[1] Barber, R. (2011, August 30). Security Science. Retrieved from Computer Fraud & Security Volume 2001, Issue 3.

[2] Kurose, J. and Ross, K. Computer Networking: A Top-Down Approach. 5th Edition. Addison-Wesley. Page 61

[3] Ogle, J. and Wagner, E. (2012, March 8). Hotel Network Security: A Study of Computer Networks in U.S. Hotels. Retrieved from http://www.hotelschool.cornell.edu/research/chr/pubs/reports/abstract-14928.html

[4] Saltzman, R. (2011, August 30). Security Science. Retrieved from OWASP: http://www.security-science.com/pdf/active-man-in-the-middle.pdf

[5] Leitch, S. (2009). Security Issues Challenging Facebook. Retrieved from Edith Cowan University Research Online: http://ro.ecu.edu.au/cgi/viewcontent.cgi?article=1017&context=ism&sei-redir=1#search=%22facebook%20secure%22

[6] Wagner, R. (2011, August 30). Address Resolution Protocol Spoofing and Man-in-the-Middle Attacks. Retrieved from http://savannah.gatech.edu/people/lthames/dataStore/WormDocs/arppoison.pdf