Enter Subterfuge, a Framework to take the arcane art of Man-in-the-Middle Attacks and make it as simple as point and shoot. Subterfuge demonstrates vulnerabilities in the ARP Protocol by harvesting credentials that go across the network and even exploiting machines by injecting malicious code directly into their browsing sessions.
How to use this Document
Reading through this entire document may be tedious, and will certainly deluge you in information you may have no desire to know. To aid in your perusal, below is a short summary of each section, so that you know where to go in order to get the information that you came for:
This section is for those of you who are interested in where the Subterfuge Project came from, why it exists, and what we hope to accomplish. The introduction focuses on the risks of MITM attacks, the programmatic structure of Subterfuge, and the community buoying it up.
The next portion of the documentation gets right into running Subterfuge. It starts with the most basic usage, and moves on to basic module usage as well as settings and configuration options.
Extending the attack through Plugins and Modules. This section takes an in depth look at how Subterfuge can really work for you.
The most pervasive problem with hacking tools is that they never quite work right for everyone. Between the plethora of different builds we operate and the differing conditions of each attack, breaking things is almost inevitable. Here’s what to do to fix it.
Third-Party Tool Integration
Subterfuge doesn’t exist in a vacuum, and we didn’t design it that way. Here we discuss the external tools that the project leverages, and how they interact with the framework to make the penetration testing experience more fluid and dynamic.
Making Subterfuge work for you is easy. This portion of the documentation talks about just how to get deeper functionality out of the system.
Contributing to the Project
Community Support for the project has been great so far. If you would like to contribute in some manner then this section might merit your perusal.
Other stuff. See for yourself.
A rapidly expanding portion of today’s Internet strives to increase personal efficiency by turning tedious or complex processes into a framework that provides instantaneous results. By contrast, much of the information security community still finds itself performing manual, complicated tasks to administer and protect their computer networks. Subterfuge is a simple but devastatingly effective Man-in-the-Middle (MITM) Attack Framework, which exploits vulnerabilities in the inherently trusting Address Resolution Protocol. It does this in such a way that even a non-technical user would have the ability, at the push of a button, to attack all machines connected to the local area network (LAN). Subterfuge further provides the framework by which users can then leverage a MITM attack to do anything from browser/service exploitation to credential harvesting, thus equipping information and network security professionals and enthusiasts alike with a sleek “push-button” security validation tool.
User-friendly network attack tools are quick to make national headlines due to the threat they pose and because, “in truth, the tools and techniques employed by hackers are extremely complex.” Firesheep, a Firefox web browser plugin, is just such a tool. It was designed to capture cookies created during the login process for secure web sites, and it does this at the push of a button. Firesheep’s push-button simplicity and overwhelming effectiveness led to its ubiquitous use by skilled professionals and non-skilled users alike, thus focusing attention on a fixable yet often-ignored error in web site implementation. What makes tools with this level of simplicity interesting is that, while any skilled hacker should be able to script something equivalent with little effort, he no longer has to, and can now focus on more delicate attacks.
The Subterfuge Project attempts to use the paradigm popularized by Firesheep, Armitage, and other user-friendly network attack tools to create a framework for Man-In-The-Middle (MITM) attacks. A MITM attack uses eavesdropping to insert a malicious entity into the communication path between legitimate users on a network. This entity can then masquerade as either of the legitimate users in order to capture sensitive information, like login credentials for a protected web site. Typically, a MITM attack requires a significant amount of complex, text-based configuration of numerous software programs. This complexity, combined with the virtually never-ending reports of stolen identities and online credential theft, makes the MITM attack a prime candidate for the creation of a user-friendly, simplified framework.
We designed the framework to have a simple interface with minimal configuration requirements in order to appeal to skilled and non-skilled network security professionals and users alike. Subterfuge has a sleek web-based interface that allows a user to deploy the software quickly and easily without editing sophisticated text-based configuration files. Subterfuge automates the configuration process or, alternately, streamlines it with a Graphical User Interface (GUI). It also allows the user to view a report of all the different credentials that were harvested. The ease with which the general populace would be able to use Subterfuge will demonstrate to information security professionals the dangers of MITM attacks on a large scale.
Man-in-the-Middle Threat Analysis
So what is the big deal? Well, a study from Cornell University’s Center for Hospitality Research stated that over 90% of hotels provide wireless Internet access to their customers, and the vast majority of these access points are susceptible to ARP Poisoning Attacks.
There are two significant types of MITM attacks: Passive and Active. In a Passive attack, a hacker can observe what his victim is viewing, which allows the attacker to steal credentials and session cookies. In an Active attack, “the target is entirely controlled by the attacker, rather than being limited by the extent of the victim’s browsing activity”.
Several major websites, such as Google and Facebook, have recently realized a significant blunder on their part in terms of browsing security for their users. Facebook used to encrypt solely the login traffic, which contained the username and password of the individual. Afterwards, the session returned to a regular, plain-text browsing session, which could be intercepted and easily read by anyone who might be performing a MITM attack. A paper on the security issues challenging Facebook discusses the need to “educate Facebook users about using secure socket layer (SSL) applications” as a prerequisite to protecting their users from identity theft.
In addition to web site design and implementation errors, the network Address Resolution Protocol (ARP) itself has residual vulnerabilities that are commonly exploited during a MITM attack. The extent to which computers on a local network rely on, and inherently trust the responses of, ARP messages is alarming. If ARP message processing remains uncontrolled, ARP sniffing and poisoning can occur, which means that an attacker can begin the process of masquerading as a legitimate user. Current steps that the security community has made to secure ARP are woefully inadequate. Heightened awareness of the threat implicated by MITM attacks should become more commonplace amongst both computer users and security professionals.
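The trust problem described above can be watched for on the wire: a host that keeps a table of which MAC address has claimed each IP, and treats the gateway's binding as pinned, will notice the conflicting replies that an ARP poisoning attack relies on. The detector below is an added example written for this document, not Subterfuge code; the frames it inspects are constructed in memory rather than captured, and the IP and MAC values are made up.

```python
import struct
ETH_ARP = 0x0806  # EtherType for ARP

def _mac(b):
    return ":".join(f"{x:02x}" for x in b)

def build_arp(op, sha, spa, tha, tpa):
    """Build a constructed Ethernet II + ARP frame (sample input, not captured traffic)."""
    sha_b, tha_b = (bytes.fromhex(m.replace(":", "")) for m in (sha, tha))
    spa_b, tpa_b = (bytes(int(x) for x in a.split(".")) for a in (spa, tpa))
    eth = tha_b + sha_b + struct.pack("!H", ETH_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)  # Ethernet/IPv4, 6-byte MAC, 4-byte IP
    return eth + arp + sha_b + spa_b + tha_b + tpa_b

def parse_arp(frame):
    """Return the ARP fields of an Ethernet frame, or None if it is not IPv4 ARP over Ethernet."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op, "sha": _mac(frame[22:28]), "spa": ".".join(map(str, frame[28:32])),
            "tha": _mac(frame[32:38]), "tpa": ".".join(map(str, frame[38:42]))}

class ArpWatch:
    """Learns IP-to-MAC bindings from ARP replies; `pinned` bindings (e.g. the gateway) are trusted."""
    def __init__(self, pinned=None):
        self.table = dict(pinned or {})
        self.alerts = []
    def observe(self, frame):
        a = parse_arp(frame)
        if a is None or a["op"] != 2:  # only replies (op 2) assert a binding here
            return None
        known = self.table.setdefault(a["spa"], a["sha"])  # first claim is learned
        if known != a["sha"]:
            alert = f"{a['spa']} claimed by {a['sha']} but bound to {known}"
            self.alerts.append(alert)
            return alert
        return None

def demo():
    """Three constructed frames: a legitimate gateway reply, a plain request, a conflicting reply."""
    gw, victim = "10.0.0.1", "10.0.0.20"
    watch = ArpWatch(pinned={gw: "00:11:22:33:44:55"})
    legit = build_arp(2, "00:11:22:33:44:55", gw, "aa:bb:cc:dd:ee:01", victim)
    request = build_arp(1, "aa:bb:cc:dd:ee:01", victim, "00:00:00:00:00:00", gw)
    conflict = build_arp(2, "de:ad:be:ef:00:01", gw, "aa:bb:cc:dd:ee:01", victim)
    return [watch.observe(f) for f in (legit, request, conflict)]
```

In a real deployment the frames would come from a raw socket or a pcap reader instead of `build_arp`, and a legitimate NIC replacement will also trigger the alert, so the pinned table needs updating when hardware changes.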
Man-in-the-Middle Attacks are a category of vulnerability to which most applicable systems are susceptible. They are and will remain this way because of their obscurity. Until MITM attacks are simplistic enough that even aspiring security professionals can easily leverage them against networks, manufacturers will continue to develop and distribute vulnerable equipment. With Subterfuge, it is possible to make knowledge of these vulnerabilities mainstream, beyond even the security community. Subterfuge can be the motivation that manufacturers like Cisco need to build the protections that they have provided to their enterprise customers for years into the systems they sell the average consumer.
The overall goal was to develop a tool that is sufficiently effective and easy to use in order to encourage the security community to focus on the massive vulnerability inherent in the Address Resolution Protocol. To achieve this result, we created a framework called Subterfuge, which allows even an average user to exploit the vulnerabilities in ARP on a local network.
The most basic implementation of Subterfuge collects information and user authentication credentials across an entire local area network and organizes the collected data into a SQLite Database. It does this by automating an ARP Cache Poisoning Attack while leveraging SSLStrip, which is publicly available.
Subterfuge automatically manages its configuration, yet allows more advanced users the ability to delve deeper into the MITM settings. This requires Subterfuge to detect the hardware and network configurations needed to initiate the attack. Additionally, Subterfuge is able to properly configure, setup, and deploy SSLStrip with little or no input required from the user. The tedious and difficult problem of properly configuring and executing these multiple pieces of software in unison is eased by the automation developed and included in the Subterfuge Project.
This tool is deemed successful if a user is able to execute Subterfuge to collect user information and credentials on the network to which they are connected. Specifically, a Subterfuge user ought to be able to steal user credentials, without the victim’s knowledge, even when the victim perceives a “secure” protocol such as HTTPS to be in use.
About the Creators
Subterfuge was created by Christopher Shields (r00t0v3rr1d3) & Matthew Toussain (0sm0s1z).
In the field of Man-in-the-Middle tools Subterfuge has a unique structure, which opens the door to a wide array of additional features and options.
Subterfuge uses a server/client architecture. When you run Subterfuge you are actually starting up a server that is then accessed by the client, a web browser. This is important because it is the fundamental basis for collaboration within the system. Multiple devices can access a Subterfuge server simultaneously; because statuses are monitored in real time, interaction between penetration testing parties is possible.
Furthermore, this architecture gives us the ability to turn Subterfuge into a payload to MITM a remote network. (In development for a future release)
Subterfuge uses a SQLite Database. We chose SQLite 3 because it is exceedingly lightweight and easy to port. It meant that the framework could ship with a preconfigured database of its own rather than have to configure it as part of the installation process. The database includes sections for modules, settings, and third-party programs. (See Extending Subterfuge for more information)
As of Version 4.1 Subterfuge is compatible with the Linux Operating System only. Future cross-platform compatibility is in the works. The next step will involve releasing an OSX version, followed by Windows XP & Windows 7. The OSX version should be BSD compatible.
Currently, significant issues exist when attempting to port Subterfuge into the Windows environment. As such this step in the port may not occur for some time.
Naturally, Man-in-the-Middle Attacks are not limited to mere credential fraud. Neither is Subterfuge. Basic usage of the tool will be to ARP Poison the LAN; however, from this perspective it is possible to initiate many attacks. The Framework will automatically gather credentials, but it can also do more. Subterfuge’s Plugin System allows for the usage of additional MITM functionality without the need to develop another security tool from scratch.
When development of the Subterfuge Project began we created a Google Code site in order to help us with project management and collaboration. What we did not expect was for the community to stumble upon it, and begin hyping it. What we certainly did not anticipate was those of you out there who actually contributed code to the project to help us alleviate bugs.
Then someone must have told Backbox Linux about our tool, because they approached us to get Subterfuge added into their repositories. Finally, after our beta release at DEFCON, BackTrack Linux adopted the tool, and it was included in version 5 release 3.
So far the community has been very accepting of our errors and pages upon pages of bug notes. We intend to keep extending the framework and building new features into it, so thank you in advance for bearing with us through several more reams of release notes jam-packed with bugs and fixes.
From the moment the community found it you all have been tweeting, writing articles, giving suggestions, and even contributing code to the project. Thanks for the support!
Barber, R. (2011, August 30). Security Science. Retrieved from Computer Fraud & Security Volume 2001, Issue 3.
Kurose, J. and Ross, K. Computer Networking: A Top-Down Approach. 5th Edition. Addison-Wesley. Page 61.
Ogle, J. and Wagner, E. (2012, March 8). Hotel Network Security: A Study of Computer Networks in U.S. Hotels. Retrieved from http://www.hotelschool.cornell.edu/research/chr/pubs/reports/abstract-14928.html
Saltzman, R. (2011, August 30). Security Science. Retrieved from OWASP: http://www.security-science.com/pdf/active-man-in-the-middle.pdf
Leitch, S. (2009). Security Issues Challenging Facebook. Retrieved from Edith Cowan University Research Online: http://ro.ecu.edu.au/cgi/viewcontent.cgi?article=1017&context=ism&sei-redir=1#search=%22facebook%20secure%22
Wagner, R. (2011, August 30). Address Resolution Protocol Spoofing and Man-in-the-Middle Attacks. Retrieved from http://savannah.gatech.edu/people/lthames/dataStore/WormDocs/arppoison.pdf