Category Archives: Subterfuge Documentation

ARP Cache Poisoning

This page is currently under construction. A first draft is available, but more content must still be added before the documentation is complete. I apologize for the inconvenience.

Happy Hacking!



ARP Cache Poisoning, or ARP Spoofing, is a network-based attack that has been around for a long time; however, very little has been done to address the vulnerability. The issue lies with the complete lack of authentication, or even verification, in the Address Resolution Protocol. Though this attack is old it is still very effective, and if you think it will go away with IPv4, guess again. IPv6 does not use ARP, but the same weakness remains in its replacement, the Neighbor Discovery Protocol, which is essentially a rebranded ARP that fixes ARP's network-usage problems (multicast instead of broadcast) but does nothing about the security issues. Secure Neighbor Discovery (SEND) exists on paper but is rarely deployed.

Anatomy of the Attack

To understand ARP we first need to look at the network layers involved. Traffic on your home network gets from one machine to another at layer 2 of the OSI model: in a typical Local Area Network, frames are switched, not routed. IP addresses still appear in every packet, but no routing decision is made on them inside the LAN; delivery there is by MAC address alone. This makes LANs fast, but it also opens them up to an additional stratum of vulnerabilities. The Internet uses IP addresses to get packets from one machine to another, but your LAN uses MAC addresses. To translate between the two, we have ARP.

So let us assume for a moment that your computer needs to send packets to 192.168.1.1, and that it is directly connected to the subnet 192.168.1.0/24 (the case on most home networks). Since it is on the same network as the target machine it must send the data as Ethernet frames, which means it needs the target's MAC address in addition to its IP. To get the MAC, it broadcasts a request to everyone on the network (destination ff:ff:ff:ff:ff:ff, the broadcast MAC address) asking "Who has 192.168.1.1?". The response is supposed to come from the owner of that IP and carry its MAC address. Note that for any destination outside the subnet, the address your computer resolves is that of its default gateway, which is why poisoning the gateway entry is enough to capture Internet-bound traffic.

[Figure: Wireshark capture of an ARP poisoning exchange]

In an ARP Spoofing attack all we have to do is answer these requests with a different MAC address, namely our own. Now all the traffic you thought was going to 192.168.1.1 goes to the attacker instead. Furthermore, your computer's ARP cache simply keeps the most recent reply it has seen, and most stacks also accept replies they never asked for, so if I send these replies nonstop your computer will always use my MAC for that host, letting me sniff everything you send to it. If I poison the entry for your router, I get all of your Internet traffic. (The attacker then has to forward the frames on to the real destination, or the victim simply loses connectivity.)
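The exchange above in code, as an added example that is not part of Subterfuge or the original page (it is Python 3, while Subterfuge itself is Python 2): it builds the raw Ethernet/ARP frames for the request, the honest reply and the spoofed reply with the struct module, and runs them through a minimal model of a host's ARP cache (last reply wins, no verification). All MAC and IP addresses are made up, and nothing is put on the wire.

```python
import struct

# Constants from RFC 826 / IEEE 802.3
ETH_TYPE_ARP = 0x0806
HW_ETHERNET = 1
PROTO_IPV4 = 0x0800
ARP_REQUEST = 1
ARP_REPLY = 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip, dst_mac=None):
    """Return a complete 42-byte Ethernet frame carrying an ARP packet.

    dst_mac defaults to broadcast for requests and to the target's MAC for
    replies, which is what a normal stack sends."""
    if dst_mac is None:
        dst_mac = BROADCAST_MAC if op == ARP_REQUEST else target_mac
    eth = mac_bytes(dst_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_TYPE_ARP)
    arp = struct.pack("!HHBBH", HW_ETHERNET, PROTO_IPV4, 6, 4, op)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame):
    """Decode an Ethernet/ARP frame into a dict; ValueError if it is not one."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_TYPE_ARP:
        raise ValueError("not an ARP frame")
    hw, proto, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (hw, proto, hlen, plen) != (HW_ETHERNET, PROTO_IPV4, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol")
    return {
        "op": op,
        "sender_mac": mac_str(frame[22:28]),
        "sender_ip": ip_str(frame[28:32]),
        "target_mac": mac_str(frame[32:38]),
        "target_ip": ip_str(frame[38:42]),
    }


class ArpCache:
    """Model of a host's ARP table: every reply overwrites the entry for the
    sender's IP, solicited or not, with no check on who sent it."""

    def __init__(self):
        self.table = {}

    def observe(self, frame):
        pkt = parse_arp(frame)
        if pkt["op"] == ARP_REPLY:
            self.table[pkt["sender_ip"]] = pkt["sender_mac"]
        return pkt

    def lookup(self, ip):
        return self.table.get(ip)


def demo():
    """Victim resolves the gateway, router answers, attacker overwrites it.
    Returns (MAC after honest reply, MAC after spoofed reply, parsed request)."""
    victim_mac, victim_ip = "00:11:22:33:44:55", "192.168.1.10"   # made up
    router_mac, router_ip = "aa:bb:cc:dd:ee:01", "192.168.1.1"    # made up
    attacker_mac = "de:ad:be:ef:00:01"                            # made up
    cache = ArpCache()
    request = build_arp(ARP_REQUEST, victim_mac, victim_ip, "00:00:00:00:00:00", router_ip)
    cache.observe(request)
    cache.observe(build_arp(ARP_REPLY, router_mac, router_ip, victim_mac, victim_ip))
    honest = cache.lookup(router_ip)
    # Unsolicited reply claiming the router's IP with the attacker's MAC
    cache.observe(build_arp(ARP_REPLY, attacker_mac, router_ip, victim_mac, victim_ip))
    return honest, cache.lookup(router_ip), parse_arp(request)
```

The 28-byte ARP body after the 14-byte Ethernet header is exactly what a capture like the one in the figure shows; the only difference between the honest reply and the spoofed one is the sender hardware address field, and nothing in the protocol lets the victim tell them apart.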


Subterfuge’s ARP Cache Poison

If you don't care how Subterfuge does what it does and just want to know how to use it, skip ahead to Poisoning with Subterfuge.

When we created Subterfuge (a framework for launching man-in-the-middle attacks) the first attack we gave it was ARP Spoofing. We really wanted to stomp on the protocol, hard. Rather than just get the attack working and release the product, we spent a lot of time testing it against differing configurations and network devices. By its nature an ARP Cache Poison is a very unstable attack, and implementing it improperly can easily cause a denial of service against the target network, which is not at all what we want. Our research focused on three key areas: Maintaining the Poison, Maximizing Stealth, and Network Stability.

Maintaining your Poison Versus Stealth & Stability

First we need to discuss the problem: losing a poison. How does it happen? On a typical network the router will periodically send out a broadcast ARP packet letting everyone know: "I'm still out there, and in case you were wondering, here is my MAC address." That's bad! Every time this happens we lose our poison against the network. Because a client PC's ARP table is always updated to reflect the most recent information it receives, the most effective way to keep a MITM position is to send out as many poison packets as possible. But there's a problem here. The primary reason ARP no longer exists in IPv6 is not security; it's overhead. Larger networks already carry enough ARP traffic to take a performance hit from it, so spamming packets as fast as your NIC can handle is definitely not the optimum solution from a network-stability standpoint. Our research indicated that most routers tend to re-ARP a network somewhere between every 8 and 16 seconds. To combat this Subterfuge by default poisons the network on an 8-second interval; finer control is available through the settings page.

Unfortunately, this means that if you lose the poison you could be out of luck for up to 8 seconds. To combat this Subterfuge employs Dynamic ARP Retention: by listening on the wire for ARP messages from the router you can hear its natural responses and immediately send poison packets to overwrite them. In practice this can cause an ARP storm on some networks and result in a denial of service, so by default the setting is disabled; when enabled, however, it can significantly bolster the stability of your attack. Lastly, you can adjust the rate at which poison packets hit the network manually from the settings page. Keep in mind that both the periodic re-poisoning and the reactive retention are exactly what passive ARP monitors look for: an IP whose MAC keeps changing, or one sender answering far more often than a real host would.
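To make the trade-off concrete, here is an added example (not Subterfuge code) over a constructed timeline: the router re-announces 192.168.1.1 every 10 seconds and the attacker sends a spoofed reply every 8 seconds, the default interval described above. poison_coverage() measures how much of the time a last-reply-wins cache points at the attacker, and detect_arp_conflicts() is the defender's side: the first MAC seen for an IP is taken as the baseline (the approach arpwatch uses) and any later reply that contradicts it is flagged, as is any sender whose reply rate crosses a threshold, which is what an ARP storm from the retention mode would trigger. The addresses, thresholds and timings are assumptions.

```python
from collections import defaultdict


def detect_arp_conflicts(replies, rate_window=10.0, rate_limit=5):
    """Passive ARP monitor over (time_s, sender_ip, sender_mac) tuples taken
    from ARP replies seen on the wire.

    The first MAC seen for an IP is trusted as the baseline; any later reply
    claiming that IP from another MAC yields a 'conflict' alert. Replies per
    sender MAC are also counted in a sliding window, and a 'flood' alert
    fires the moment one sender reaches rate_limit replies in rate_window s."""
    baseline = {}
    recent = defaultdict(list)
    alerts = []
    for t, ip, mac in sorted(replies):
        if ip not in baseline:
            baseline[ip] = mac
        elif baseline[ip] != mac:
            alerts.append((t, "conflict", ip, baseline[ip], mac))
        window = [x for x in recent[mac] if t - x < rate_window]
        window.append(t)
        recent[mac] = window
        if len(window) == rate_limit:
            alerts.append((t, "flood", mac, len(window), rate_window))
    return alerts


def poison_coverage(replies, gateway_ip, attacker_mac, horizon):
    """Fraction of [0, horizon) during which a last-reply-wins ARP cache maps
    gateway_ip to attacker_mac. Every honest re-announcement from the router
    evicts the poison until the next spoofed reply arrives."""
    events = sorted((t, mac) for t, ip, mac in replies if ip == gateway_ip)
    poisoned = 0.0
    holder, since = None, 0.0
    for t, mac in events + [(horizon, None)]:
        if holder == attacker_mac:
            poisoned += t - since
        holder, since = mac, t
    return poisoned / horizon


GATEWAY = "192.168.1.1"
ROUTER_MAC = "aa:bb:cc:dd:ee:01"     # made up
ATTACKER_MAC = "de:ad:be:ef:00:01"   # made up


def sample_capture():
    """Constructed timeline: router re-announces every 10 s, attacker
    re-poisons every 8 s (the default interval in the text)."""
    router = [(t, GATEWAY, ROUTER_MAC) for t in range(0, 40, 10)]
    attacker = [(t, GATEWAY, ATTACKER_MAC) for t in range(1, 40, 8)]
    return sorted(router + attacker)


def sample_spam():
    """Constructed timeline: an attacker hammering replies twice a second,
    the ARP-storm case. No honest reply is seen, so there is no conflict to
    report and only the rate check catches it."""
    return [(i * 0.5, GATEWAY, ATTACKER_MAC) for i in range(7)]
```

With these numbers the victim's cache points at the attacker 60% of the time, and every one of the five spoofed replies produces a conflict alert. Widening the poison interval lowers both numbers together, which is the stealth-versus-retention trade-off the text describes.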

Poisoning with Subterfuge

Video coming soon!

Subterfuge Documentation



Enter Subterfuge, a framework that takes the arcane art of Man-in-the-Middle attacks and makes it as simple as point and shoot. Subterfuge demonstrates the vulnerabilities in the ARP protocol by harvesting credentials that cross the network and even exploiting machines by injecting malicious code directly into their browsing sessions.

How to use this Document

Reading this entire document may be tedious, and it will certainly deluge you with information you have no desire to know. To aid your perusal, below is a short summary of each section, so that you know where to go for the information you came for:

Introduction

This section is for those of you who are interested in where the Subterfuge Project came from, why it exists, and what we hope to accomplish. The introduction focuses on the risks of MITM attacks, the programmatic structure of Subterfuge, and the community buoying it up.

The Attack

The next portion of the documentation gets right into running Subterfuge. It starts with the most basic usage, then moves on to basic module usage as well as settings and configuration options.

Modules

Extending the attack through plugins and modules. This section takes an in-depth look at how Subterfuge can really work for you.

Troubleshooting

The most pervasive problem with hacking tools is that they never quite work right for everyone. Between the plethora of different builds we operate and the differing conditions of each attack, breaking things is almost inevitable. Here's what to do to fix it.

Third-Party Tool Integration

Subterfuge doesn't exist in a vacuum, and we didn't design it that way. Here we discuss the external tools the project leverages, and how they interact with the framework to make the penetration-testing experience more fluid and dynamic.

Extending Subterfuge

Making Subterfuge work for you is easy. This portion of the documentation covers how to get deeper functionality out of the system.

Contributing to the Project

Community support for the project has been great so far. If you would like to contribute in some manner then this section might merit your perusal.

Appendices

Other stuff. See for yourself.

Appendices

Appendix A: Subterfuge Functions

Setting your SYS Path

To access the resources in Subterfuge's main directory, add it and the utilities directory to your program's path:

import sys

sys.path.append('/usr/share/subterfuge/')
sys.path.append('/usr/share/subterfuge/utilities')

This adds the main Subterfuge directory as well as the primary utilities directory to your program's path. From there you can simply call the built-in functions and utilities without having to specify an absolute location every time.

How to Get Global Variables

Getting the global attack variables in Subterfuge is simple. Just add the following line to the header of your code:

from subutils import globalvars

The next step is to call the function and assign the output:

globalvar = globalvars()

The function globalvars() returns a dictionary of all of the attack variables, read from the database. Accessing a specific entry in the dictionary is simple (Subterfuge is Python 2 code, hence the print statement):

print globalvar['gateway']

The above code will print the LAN's default gateway as recorded by Subterfuge. You can use the same method to access the other global attack information; the available keys (columns of the main_setup table) are:

ip            The IP address of the Subterfuge machine
iface         The interface used in the attack
gateway       The original default gateway of the LAN
autoconf      Boolean; whether auto-configuration is active
ploadrate     The interval over which Subterfuge refreshes attack information
injectrate    The interval Subterfuge waits between code injections
arprate       The interval Subterfuge waits between sending ARP packets
smartarp      Boolean; whether Dynamic Poison Retention is active
routermac     The MAC address of the LAN's router
autoupdate    Boolean; whether Subterfuge checks for updates automatically on startup

 

Adding Additional Logic to Third Party Modules

The Subterfuge Module Builder automates the standard configuration of a module for you, but often you need to have just a bit more control. What follows is a short primer on how to do just that.

The file that handles Subterfuge's modules is modules/views.py. The default code generated by Subterfuge for a module looks like this (it assumes os has been imported at the top of views.py; the original was missing the space after "python", so the interpreter and script path ran together):

#################################
#TUNNEL BLOCK MODULE
#################################
def tunnelblock():
    # Run the module's own script, located relative to this views.py
    os.system('python ' + str(os.path.dirname(os.path.abspath(__file__))) + '/TunnelBlock/TunnelBlock.py')

 

You can modify or add any code here to produce the result you want. For instance, in the HTTP Code Injection Module we needed a bit more control and a few more features. What we ended up with is this (indentation restored; the request.POST lookups use .get() so a form field that was left out does not raise KeyError, and the three variables are given defaults so the final command line is always defined):

#################################
#HTTP CODE INJECTION MOD
#################################
def httpcodeinjection(request, conf):
    #HTTP CODE INJECTION MODULE CONFIGURATION
    exploit = ""
    payload = ""
    method = ""

    #Status
    status = request.POST.get("status", "")

    #Vector
    if request.POST.get("vector"):
        exploit = request.POST["vector"] + "\n"
        method = "metasploit"

    #Payload
    if request.POST.get("payload"):
        payload = request.POST["payload"] + "\n"

    if request.POST.get("custominject"):
        exploit = ""
        payload = ""
        method = "custom"
        #Write Custom Inject into File
        with open(str(os.path.dirname(__file__)) + '/httpcodeinjection/inject.x', 'w') as file:
            file.writelines(request.POST["custominject"])

    installed.objects.filter(name = "httpcodeinjection").update(active = status)

    os.system('xterm -e sh -c "python ' + str(os.path.dirname(os.path.abspath(__file__))) + '/httpcodeinjection/httpcodeinjection.py ' + method + ' ' + payload + '" &')

 

Note: Module code is typically stored under the following naming scheme:
          modules/<modulename>/<modulename>.py
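One thing to watch in the view above: method and payload come straight out of request.POST and are concatenated into a string that os.system() hands to /bin/sh, so anyone who can submit that form can run arbitrary commands on the Subterfuge host. For a tool that is meant to sit on a hostile LAN that matters. What follows is an added example, not Subterfuge's code, showing the same launch done with subprocess and an argument list; the module directory and the hostile form input are made up.

```python
import os
import shlex
import subprocess


def vulnerable_command(module_dir, method, payload):
    """The command line the way the view above builds it: request fields are
    pasted into a string that os.system() hands to /bin/sh. Shown only for
    contrast; never run this with untrusted input."""
    script = os.path.join(module_dir, "httpcodeinjection.py")
    return 'xterm -e sh -c "python ' + script + " " + method + " " + payload + '" &'


def shell_words(command):
    """How a POSIX shell would tokenise the string, quotes and all."""
    return shlex.split(command)


def build_launch_argv(module_dir, method, payload):
    """Argument vector for the same launch with no shell in between.
    Each user-controlled value becomes exactly one argv element, so quotes,
    semicolons or backticks inside it reach httpcodeinjection.py as plain
    text instead of being interpreted."""
    if method not in ("metasploit", "custom"):
        raise ValueError("unknown injection method: %r" % method)
    script = os.path.join(module_dir, "httpcodeinjection.py")
    return ["python", script, method, payload.strip()]


def launch_module(module_dir, method, payload):
    """Start the module in the background. Popen with a list never consults
    /bin/sh; the child is returned so the caller can track or kill it.
    Not exercised by the checks below, since the module script is assumed."""
    return subprocess.Popen(build_launch_argv(module_dir, method, payload))


# Constructed hostile form input: a Metasploit payload name with a shell
# command smuggled in after a closing double quote.
HOSTILE_PAYLOAD = 'windows/meterpreter/reverse_tcp"; touch /tmp/pwned; echo "'
```

Tokenising the vulnerable string shows "touch" emerging as a separate word that the outer shell would execute; in the argv version the whole hostile value stays inside one element and never reaches a shell. The same applies to the custominject file write, which should go through a fixed path rather than anything derived from the request.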

 

Using the Subterfuge Notification System

Subterfuge is capable of sending alerts and notifications to users. The file that handles this interaction is utilities/notification.py. Notifications serve the dual purpose of error logging and troubleshooting guidance. To add your own notifications run the program with the following syntax (the path is relative, so run it from the utilities directory or give the full path):

os.system("python notification.py 'title' 'message'")

Appendix B: Subterfuge Database

Basics on the Subterfuge Database

Subterfuge uses a SQLite database for portability. The database is accessed through Django's ORM, which makes working with it fairly simple, if syntactically different from the SQL you may be used to. For queries not covered here refer to Django's documentation[1].

Select Statement:

creds = credentials.objects.all()

Insert Statement:

logcred = credentials(username = username, password = password)
logcred.save()

Update Statement:

setup.objects.update(value = newvalue)

 

That's all it takes to do basic database operations in Subterfuge; however, to run database queries from a file outside of views.py you may need to configure Django first (os is imported here because the original snippet used it without importing it):

#Ignore Deprecation Warnings
import warnings
warnings.filterwarnings("ignore", category=DeprecationWarning)
import os
from django.conf import settings

#Configure Database
settings.configure(DATABASE_ENGINE="sqlite3",
                   DATABASE_HOST="",
                   DATABASE_NAME=os.path.dirname(__file__) + "/db",
                   DATABASE_USER="",
                   DATABASE_PASSWORD="")

from django.db import models

#Import Tables
from main.models import *

 

Using the Subterfuge Database in your Modules

To access Subterfuge’s Database from your modules you must first import several dependencies.

 

 

 

 

References:

Special Thanks to:

Maj David Merritt
Lt Christopher Shields ~ r00t0v3rr1d3
n37tdiv3r5

References for Frontend Development:

Django Template Language: https://docs.djangoproject.com/en/dev/topics/templates/
Python Programming Language: http://docs.python.org/
SANS WPAD Hijacking: http://it-audit.sans.org/blog/2011/10/03/browser-security-man-in-the-middle-with-wpad

[1] Barber, R. (2011, August 30). Security Science. Retrieved from Computer Fraud & Security Volume 2001, Issue 3.
[2] Kurose, J. and Ross, K. Computer Networking: A Top-Down Approach. 5th Edition. Addison-Wesley. Page 61.
[3] Saltzman, R. (2011, August 30). Security Science. Retrieved from OWASP: http://www.security-science.com/pdf/active-man-in-the-middle.pdf
[4] Leitch, S. (2009). Security Issues Challenging Facebook. Retrieved from Edith Cowan University Research Online: http://ro.ecu.edu.au/cgi/viewcontent.cgi?article=1017&context=ism&sei-redir=1#search=%22facebook%20secure%22
[5] Wagner, R. (2011, August 30). Address Resolution Protocol Spoofing and Man-in-the-Middle Attacks. Retrieved from http://savannah.gatech.edu/people/lthames/dataStore/WormDocs/arppoison.pdf
[6] Norton, D. (2011). An Ettercap Primer. SANS Institute, 1-27.
[7] Marlinspike, M. (2011, August 30). Blackhat. Retrieved from http://blackhat.com/presentations/bh-europe-09/Marlinspike/blackhat-europe-2009-marlinspike-sslstrip-slides.pdf
[8] Song, D. (2012, January 1). Dsniff Frequently Asked Questions. Retrieved from http://www.monkey.org/~dugsong/dsniff/faq.html
[9] Ogle, J. and Wagner, E. (2012, March 8). Hotel Network Security: A Study of Computer Networks in U.S. Hotels. Retrieved from http://www.hotelschool.cornell.edu/research/chr/pubs/reports/abstract-14928.html

[1] Django documentation: https://docs.djangoproject.com/en/dev/topics/templates/

Contributing to the Project

I made a discovery today. I found a computer. Wait a second, this is cool. It does what I want it to. If it makes a mistake, it’s because I screwed it up. Not because it doesn’t like me… Or feels threatened by me…

The Mentor

Vision

Subterfuge is still a work in progress. The project has seen an exciting amount of community support, but we still have a long way to go. Our goal is to create an all-encompassing framework from which to easily launch attacks against the LAN. Subterfuge will continue to integrate with other pieces of the penetration tester’s toolkit to allow a user to efficiently conduct a full spectrum penetration test.

In the future we would like Subterfuge to contain a database of possible attack methods and vectors in order to demonstrate the risk and vulnerability respectively. Because of the modular nature of the framework expandability should continue to be simple.

What can you do?

If you’re interested in contributing to the Subterfuge Project we might be able to use your help. As the framework is still in Beta any reviews, comments, or critiques are helpful. We also appreciate any and all issues logged on our Google Code site; we try to get to those bugs as quickly as possible. If you would like to go a step further feel free to contact us with suggestions, or develop your own modules. If you submit them to us we’ll try to get them added to the package for you.

Other than that the simple support you all give is always helpful. Thanks. Now go hack!

Extending Subterfuge

Dichotomy of the Attack

The first thing to consider as you look to extend Subterfuge is the anatomy of any Man-in-the-Middle attack. There is the exploit (the part that yields a MITM position), and the vector (the part that uses a MITM position to accomplish nefarious ends). If you are considering extending Subterfuge the first thing to ask yourself is: which category does my attack fit into?

This split view of a MITM strike is what we refer to as the Dichotomy of the Attack. In virtually every past scenario, an attacker using a MITM exploit to accomplish a goal has had to construct both the exploit and the vector. Subterfuge separates the two, which gives the attacker freedom through increased efficiency.

Module Builder

When we built Subterfuge we wanted to make something that anyone could use and customize. Those two ideas tend to bash heads in almost every application, but in Subterfuge that was a key goal from the outset. In order to yield this functionality we developed the Module Builder. The point of this piece of the Framework is to automatically generate the backend management features for an attack, while simultaneously configuring a frontend method to facilitate interaction. All that is to say that our goal with the module builder was to create something that would allow a user to feed Subterfuge an attack vector or plugin and expect Subterfuge to do the rest.

Most programs have three defining features: the backend (database), the core (logic center), and the frontend (GUI). When we develop an attack we tend to focus on that middle part, the guts of the whole operation. Nevertheless, when we want that attack to work well and simply, we have to shift focus to the other two pieces, tedious as they may be. That's where the Subterfuge Module Builder comes in. It dynamically generates a platform for both of those pieces, giving us a place to start and significantly expediting the whole process.

Firstly, the module builder will generate a fairly generic graphical user interface for any program that it has been given. This means that a developer has to write very little, if any, frontend code to assist a handler in using his attack method.

Subterfuge comes with a database API to allow for seamless integration with the existing system. If you are developing an attack that requires detailed network information in order to function dynamically, the chances are Subterfuge has already catalogued that information. Accessing the information that Subterfuge stores is simple. For specific guidelines on syntax see Appendix B.

If your attack requires a database to store or track information it is simple to add the keyspace for it to Subterfuge's database. Subterfuge comes with a function to rebuild its database provided you specify the tables. The framework takes steps to abstract the SQL in order to make working with the database more straightforward. See Appendix B for more specifics.

Building Plugins

The first version of Subterfuge to come with its own module builder was 3.0. As of this writing (Version 4.3) the module builder can only create attack vectors. Both the Tunnel Block Module and the DOS Module were created with the Subterfuge Module Builder. Nevertheless, more advanced vectors like the HTTP Code Injection Module still require significant code configuration in order to fully integrate them into the framework. In future releases of Subterfuge this process will become increasingly streamlined, but at the moment if there is a need for significant logic outside of the tool itself a user must personally modify the modules/views.py file. More information on how to accomplish this can be found in Appendix A.

Building Attack Modules


Modify/Customizing GUIs


(((NOT DONE)))

.mod files/JavaScript to look out for/functions

Program Structure

Subterfuge leverages the Python Django framework to render its HTML interface. Django has a template system that it in turn uses to produce each web page. Django is built on the DRY principle (Don't Repeat Yourself). While this can streamline building significant projects, it can be somewhat difficult to wrap one's head around, at least initially.

In Subterfuge we designate files with differing extensions pertaining to their function. Multiple pages are strung together to create each webpage that is rendered. The file extensions and a brief description thereof follow:

Core Files:

.py:      python, .py files are where Subterfuge’s logical core resides. The majority of these files do not interact with the GUI directly.

.rc:      resource, .rc files are the mechanism Subterfuge uses to communicate with the Metasploit Framework to facilitate the serving of exploits.

Template Files:

.tm:     template, a .tm file is the basis from which the website is created; it calls the other files in the order required by the web browser.

.ext:    extends, a .ext file is used to extend a template, or .tm file. This is the file that is called by the Django server, and should contain the bulk of user specific data.

.inc:    include, a .inc file is used for files that will likely be rendered within multiple templates.

.mod:  module, .mod files pertain to the interface for any given module. Every module has one, and they are typically generated by the Module Builder.

Miscellaneous Files:

.conf:  configuration, a .conf file is used to store static programmatic information. These are being replaced by the database and python import files. The primary configuration file is deprecated as of Version 5.0.

.log:    log, a .log file is used to store temporary information. Current Subterfuge logs are unnecessary to the operation of the program.

.lst:     list, a .lst file stores a line separated list of information. Subterfuge currently uses .lst files to store password and username field information for credential harvesting.

 

The Subterfuge directory structure is designed for modularity and expandability. This makes it confusing at a glance. Below we define the layout of the program:

./                 — Primary directory
definitions/       — Directory for credential harvesting .lst files
main/              — Location of primary Subterfuge logic
    utilities/     — Location of attack tools
    sslstrip/      — Location of Moxie Marlinspike's SSLStrip
    modules/       — Directory for Subterfuge Modules
    templates/     — Web Directory

 

The web directory structure is much like that of a standard website; however, there are some key differences. The first is that because Subterfuge’s frontend is a Django Application all elements in the web directory must be referenced with /static/. Logically, /static/ is equivalent to template/. Within template/ the directory structure is as follows:

css/               — Directory for CSS files
images/            — Directory for images in the webpage
includes/          — Directory for .inc files
js/                — Directory for .js files
mods/              — Directory for .mod files
/static/           — Web directory; hosts all .ext and .tm files in addition to the subdirectories above

           

The most important feature of Django is that it allows for concurrent frontend and backend development. This lets us expand Subterfuge dynamically without having to devote focus to any given aspect prematurely. The heart of Subterfuge is the main/views.py file. Every page, configuration, function, and control is managed through this file. In rendering a page the views file runs the database queries and backend logic, then forwards that information to a template file. The template file is the basis for any page in Subterfuge. The standard template used in Subterfuge imports all style sheets and libraries, instantiates variables, and provides the head navigation scheme.

A sample template file looks like this:                       (basic.tm)

<!--    HEADER      -->
{% include "includes/header.inc" %}
<!--    END_HEADER  -->

<body>

<!--        NAVBAR          -->
{% include "includes/nav.inc" %}
<!--        END_NAVBAR      -->
<!--        MAIN_CONTENT    -->
<div id="main">
{% block content %}{% endblock %}
</div>

<!--        END_MAIN_CONTENT    -->
</body>
</html>

 

{% block content %}{% endblock %} is how the Django template language marks the spot where the extending file's "content" block is inserted. Subterfuge places the primary content of any given page in this block. The implication is that if you are building a specific page for an app and find Subterfuge's built-in toolkit not robust enough, you can modify the content provided by views.py to yield any result you desire. Further, {% include "includes/nav.inc" %} pulls an external file into the template, which is how we build on the DRY principle.

In Django an extends file will use a constituent template page to render the full site. It is in the extends file that the information contained in the content variable can be found. An extends file tends to have the data specific to a page.

A sample Django extends file looks like this: (home.ext)

{% extends "basic.tm" %}

{% block content %}

<div id="dialog" class="windows">
<font color="white">Initiating: </font>
<img src="/static/images/loader.gif">
</div>
<div id="mask"></div>

<div id="creds">

</div>

{% endblock %}

 

 

The first line tells Django to build this page on top of "basic.tm". The next piece, {% block content %}, names the code that follows so that the template can place it where its own {% block content %} sits; here that name is "content".

When Django puts the full site together the page looks something like this:

(home.ext)

{% extends "profile.tm" %}

(profile.tm)

<!--    HEADER      -->
{% include "includes/header.inc" %}

(header.inc)

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Whoodini</title>
<meta http-equiv="Content-Language" content="en" />
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />

Etc...

(profile.tm)

<!--    END_HEADER  -->

<body>

<!--        NAVBAR          -->
{% include "includes/nav.inc" %}

(nav.inc)

<div id="navbar">
Etc...
</div>

(profile.tm)

<!--        END_NAVBAR      -->

<!--        MAIN_CONTENT    -->
<div id="main">
{% block content %}{% endblock %}
</div>

(home.ext)

{% block content %}

<div id="dialog" class="windows">
<font color="white">Initiating: </font>
<img src="/static/images/loader.gif">
</div>
<div id="mask"></div>

<div id="creds">

</div>

{% endblock %}

(profile.tm)

<!--      END_MAIN_CONTENT    -->
</body>
</html>

 

Leveraging the Django template format can be difficult to wrap one's head around at first; however, for extended design it can be a significant boost to efficiency. Now let's look at logic in the template language by opening up the credential harvester module:         (credtable.inc)

{% if credential %}
{% for cred in credential %}
<tr class="{% cycle 'credrowa' 'credrowb' %}">
<td width="271">{{ cred.source }}</td>
<td width="374">{{ cred.username }}</td>
<td width="361">{{ cred.password }}</td>
<td width="120">{{ cred.date }}</td>
</tr>
{% endfor %}
{% endif %}

 

This is an if statement and a for loop in the Django template language; because Django is Python, the template language borrows similar syntax. What is important to realize is that credential is a variable handed to the template by main/views.py. Essentially, credential is the data and the logic above decides how to render it. A database query in Django returns a QuerySet of model objects whose fields are attributes, so the required value can be picked out by name: cred.source holds the "source" field of the row returned by the query in the views file. The loop runs until every object has been printed, and displays them as HTML for the user to see.

A views.py page looks something like this (main/views.py; the two imports are the ones this snippet needs):

from django.shortcuts import render_to_response
from main.models import credentials

def index(request):
    #Get Creds from Database
    creds = credentials.objects.all()

    #Relay Template Variables
    return render_to_response("includes/credtable.inc", {
        "credential" : creds
    })

 

This retrieves the information to be put into the credential variable and sends it on to the template language where it can be displayed graphically.

 

The Database

The select, insert and update syntax, and the settings.configure() boilerplate needed to query the database from outside views.py, are covered in Appendix B: Subterfuge Database.

Third-Party Tool Integration

Nothing exists in a vacuum. On that note we saw no real reason to pretend that Subterfuge did while we developed it. If a past solution to any given problem existed we were quick to adopt it. Since Subterfuge is written in Python, we gave preference to other Python programs, but that did not stop us from adapting existing tools to our purposes.

SSLStrip

Moxie Marlinspike released SSLStrip at Blackhat in 2009. It was built to demonstrate SSL’s inability to reliably protect individuals’ browsing sessions by subverting the protocol in its entirety.

SSLStrip is a useful tool due to its ability to hijack HTTP (Hypertext Transfer Protocol, or web) traffic on a network, watch for HTTPS (HTTP-Secure) links and activity, and then map those links into look-alike HTTP links[1].  SSLStrip also provides a feature to supply a favicon, which looks like a lock icon, giving the impression that the web connection is secure.  SSLStrip is used transparently (i.e., without the user’s knowledge) to convert an encrypted SSL session into a standard, plaintext web session that can then be easily monitored.  Stealing credentials and sessions becomes trivial at this point.  SSLStrip is a difficult piece of software for the average security researcher to set up quickly, let alone an average web user.  The configuration process requires the user to perform intricate changes to files on the host operating system in addition to setting up network routing rules with a separate program. Furthermore, it requires that the attacker already have a MITM position established.

 

It is at this confluence that the synergy Subterfuge provides can be seen, and felt. By automating SSLStrip, garnering a MITM position, and passing the results directly into its modules, Subterfuge provides a powerful framework for the Penetration Tester to leverage.

 

Moxie’s tool has the added benefit of being written in Python, which made integrating it into Subterfuge a figurative walk in the park, but what is truly distinct about Subterfuge’s integration with SSLStrip is its function. Because SSLStrip can modify traffic directed to it we were able to make modifications turning the program into an intercepting proxy. The strength of a Man-in-the-Middle attack is control. Upon gaining control of the network there is a seemingly endless array of possibilities.

The modified SSLStrip forms the backbone of Subterfuge’s tampering capabilities. Further integration with our database increases usability and speed, in addition to potential attack options.

Nmap

The quintessential port scanning utility is Nmap. Subterfuge can leverage Nmap to perform a baseline port scan with OS Detection. This can be seen in action by pressing the scan button in the Network View.

Subterfuge does not currently (as of version 4.2) support the import/export of Nmap scan results; however, this is a feature we plan on adding to the framework in the future.

Metasploit

Subterfuge now includes exploitation options through its integration with the Metasploit Framework. If you have Metasploit installed on your system alongside Subterfuge (and its binaries are in your $PATH) you may be able to transparently embed exploits into the sessions of victims.

The HTTP Code Injection Module demonstrates this capability. The code injection module is able to modify the website a victim views in real time. Because of the Metasploit integration it can then inject browser_autopwn into a victim’s session, which can result in unauthorized remote access to their system.

Currently, Subterfuge does not support using more specific exploits within the Metasploit Framework; however this is a capability we intend to add in the future.

Armitage

We are currently working on Subterfuge integration with Raphael Mudge’s Armitage. Potential integration options could include remote deployment of Subterfuge as an attack payload.

Evilgrade

Evilgrade is a tool that allows a user to spoof an update server on the network. When a victim starts up a program such as iTunes it automatically looks to see if updates exist. Evilgrade steps into this process and sends the victim a malicious payload in place of the update. Evilgrade required the attacker to attain a MITM position before it could begin its attack, so we thought, why not Subterfuge? We intend to have an Evilgrade module included as part of the Framework by version 5.1.



[1] Marlinspike, M. (2011, August 30). Blackhat. Retrieved from http://blackhat.com/presentations/bh-europe-09/Marlinspike/blackhat-europe-2009-marlinspike-sslstrip-slides.pdf

Troubleshooting

The most pervasive problem with hacking tools is that they never quite work right for everyone. Between the plethora of different builds we operate and the differing conditions of each attack, breaking things is almost inevitable. Here’s what to do to fix it. (The FAQs are followed by workarounds for commonly encountered problems.)

Frequently Asked Questions

  1. Is Subterfuge free for download?
  2. What Operating Systems is Subterfuge built for?
  3. What dependencies does Subterfuge require?
  4. Help! I’m having browser issues
  5. How can I report a new bug?
  6. I see lots of errors in the terminal window; what am I doing wrong?
  7. How do I run Subterfuge as an externally navigable server?
  8. How do I uninstall Subterfuge?
  9. What kind of support is there?
  10. How can I contact you?

 


Installation Procedures

Subterfuge is only supported on Kali Linux. Do NOT attempt to install on Windows or Mac OSX. Subterfuge is capable of running under other flavors of Linux, but if you encounter issues we will only offer support if you are using Kali Linux.

Installation Procedures – Kali Linux

To get started download the latest version of Subterfuge from our website: http://kinozoa.com/downloads

Procedures:

Open up a terminal window

Navigate to the directory where you downloaded Subterfuge

Install it:   dpkg -i subterfuge_1.0-1_all.deb

If a dependency issue arises:   apt-get update && apt-get -f install

Apt will automatically install all dependencies followed by Subterfuge itself.

Type: subterfuge

Open up a browser and navigate to: 127.0.0.1

Known Defects

This section exists to help you troubleshoot issues with the system that we are aware of; hopefully the key to solving your problem is here. If you cannot find a solution here try the Google Code issues page and contact us.

Error:

sh: route: command not found

Description:

Subterfuge uses the route command in order to manipulate the network routing tables on the attacker’s machine. This command is part of net-tools, which may not be in the default install of all Linux distributions. For more information see: http://www.archlinux.org/news/deprecation-of-net-tools/

Solution:

Install net-tools:

On Debian Systems:
apt-get install net-tools
On Red Hat Systems:
yum install net-tools

Alternately, find net-tools online and install it.

 

Error:

Validating models...
0 errors found
Django version 1.3.1, using settings 'subterfuge.settings'
Development server is running at http://127.0.0.1:80/
Quit the server with CONTROL-C.

Error: That port is already in use.

Description:

Something else is using the port you are trying to run Subterfuge on. Do you have Apache running? Alternately, another instance of Subterfuge may not have closed properly.

Solution:

Try:     /etc/init.d/apache2 stop

Try:     killall python

Then: subterfuge

Alternately, you may have to grep for the process and kill it (distro dependent)

Modules

So your attack was successful. You’ve pwned the network, only now… What to do with it? In Subterfuge it is the modules that give us the ability to leverage our position quickly and easily. Moreover, if your needs are particularly specific, you can create a module for Subterfuge without the need to launch your own attack from scratch. Subterfuge comes packaged with several default modules that you can use to great effect.

Credential Harvester

The Credential Harvester is the original Subterfuge Module. When we built the program the whole premise was to develop a system that demonstrated the effectiveness of this genre of attack beyond a shadow of doubt. The Credential Harvester does that.

Subterfuge comes with a modified version of Moxie Marlinspike’s SSLStrip. It is used as an intercepting proxy to allow us to control network traffic in real time. The Credential Harvester uses SSLStrip to intercept post data, and it parses through the information in order to pull out authentication credentials in plain text. SSLStrip uses an HTTP downgrade attack, causing the post data to be transmitted in plain text. This means that even sites that encrypt their login fields, which protects against tools like Firesheep, are susceptible to harvesting.


 Operating Procedures:

Navigate to the Credential Harvester View (seen above)

Click the Start button
If automatic configuration is enabled Subterfuge will ask if you would like it to automate the attack for you. Otherwise the framework will use the settings established in the settings page

Session Hijacking

Session Hijacking is not a feature currently available in Subterfuge. It will, however, find its way into the framework by the release of Beta version 5.0.

The session hijacking plugin will allow a user to masquerade as a victim within the session that was hijacked. Due to the stateless nature of HTTP, and the need for web servers to remember certain information about each user accessing them, we can often authenticate into a web application without requiring a username or password.

A typical user experiences this when he navigates to a website and finds that he is already logged in. Because he never transmitted authentication information to create a session with the web server, there is nothing for the Credential Harvester to intercept, which means that we won’t get anything.

Since that’s just uncool, we are expediently developing a Session Hijacking Module for the framework. In addition, we are building a feature into the Credential Harvester to force terminate a victim’s session, forcing them to authenticate into the web application again.

HTTP Code Injection

Subterfuge’s modification of SSLStrip allows the data intercepted to be tampered with before it reaches the victim’s browser. In essence this allows us to inject arbitrary code into a victim’s browser session.


This code can be anything from a JavaScript alert message to an exploit like ms10_aurora.

 

This module comes with two standard methods of operation. The first is called custom injection. It will append the text typed into a provided box to any website that a victim views. The second method uses Subterfuge’s integration of the Metasploit Framework in order to leverage an exploit against a victim’s browser. Metasploit injections can be rendered in three different manners: in a hidden iframe, in a popup window, and as a window redirection.

 Operating Procedures:

Method 1: Custom Injection

Start Subterfuge

Pull up the HTTP Code Injection Menu by clicking on the module’s icon (From the Plugin page or Network View)

Select Custom Inject

Enter the data you would like injected

Click Apply

Method 2: Metasploit

Start Subterfuge

Pull up the HTTP Code Injection Menu by clicking on the module’s icon (From the Plugin page or Network View)

Select the injection vector from the drop down menu

Select an exploit from the drop down menu

Click Apply

 

If automatic configuration is enabled Subterfuge will ask if you would like it to automate the attack for you. Otherwise the framework will use the settings established in the settings page

Denial of Service

Being the Man-in-the-Middle means that in order for the network to function you must route traffic properly. So what happens if we just… don’t? In that situation all of the victims on the network will no longer be able to access the Internet, because their router (us) is dropping all of their packets. This produces a very powerful layer three DoS attack.

 Operating Procedures:

Start Subterfuge

Pull up the DOS Module by clicking on the module’s icon (From the Plugin page or Network View)

Click Apply
If automatic configuration is enabled Subterfuge will ask if you would like it to automate the attack for you. Otherwise the framework will use the settings established in the settings page

 

Tunnel Block

We realized that one of the best methods to retain a certain level of security on a network is to use some form of encrypted tunneling, so we made it easy to subvert this. The Tunnel Block module prevents common protocols like SSH and VPNs like L2TP and OpenVPN from reaching the Internet, forcing a client to fall back to insecure methods of networking.

 Operating Procedures:

Start Subterfuge

Pull up the Tunnel Block Module by clicking on the module’s icon (From the Plugin page or Network View)

Click Apply
If automatic configuration is enabled Subterfuge will ask if you would like it to automate the attack for you. Otherwise the framework will use the settings established in the settings page

Network View

Rather than guessing what the network looks like, open up the Network View and see it. The Network View offers a whole new way to experience a Man-in-the-Middle position. Each client that appears while using this module represents a victim on the network. Information is synchronized rapidly to give the attack an appropriately “live” feel.

While I was building this, I thought: if someone were to take a screenshot of Subterfuge, what would I want it to look like? There is nothing more unique to the framework than this module. It gives off a usability vibe akin to Armitage, which is exactly what we were going for in this tool. Moreover, it really is as easy to use as it appears. The Network View gives an attacker easy access to other modules as well as a simple interface from which to interact with third party tools like Metasploit and Nmap. Because Subterfuge is fully integrated with Nmap, we can leverage the tool to update the Network View in order to give ourselves a more accurate picture of the network in question with speed and efficiency.


 Operating Procedures:

Pull up the Network View Module by clicking on the module’s icon (From the Plugin page)

Click Apply

Start Subterfuge

Wait for a victim to appear and interact with their sessions
If automatic configuration is enabled Subterfuge will ask if you would like it to automate the attack for you. Otherwise the framework will use the settings established in the settings page

Evilgrade

Evilgrade is a tool that allows a user to spoof an update server on the network. When a victim starts up a program such as iTunes it automatically looks to see if updates exist. Evilgrade steps into this process and sends the victim a malicious payload in place of the update. Evilgrade required the attacker to attain a MITM position before it could begin its attack, so we thought, why not Subterfuge? We intend to have an Evilgrade module included as part of the Framework by version 5.0.

 

Future Modules

Wireless AP Attack Suite

The Wireless AP Suite will have a number of extremely useful features, which will increase the functionality of Subterfuge. A user will be able to setup a fake access point through which a victim will connect, successfully creating a MITM situation. An advanced option would even listen for what computers in the nearby area are probing for and setup an access point spoofing networks the victims have previously connected to. This will allow the victim computers to connect to and route their traffic through Subterfuge without any user input.

Subterfuge — The Attack

Note that on BackTrack scripts MUST be enabled in order for Subterfuge to run.

“He who is prudent and lies in wait for an enemy, who is not, will be victorious.” - Sun Tzu

Right, so on to the part everyone actually cares about… running Subterfuge! This part of the documentation focuses on getting the framework up, running, and working for you. Let’s get started with the Installation Procedures.

Gaining a MITM Position

Now that we’ve got the framework installed, let’s attack. The first step in any Subterfuge attack is gaining a Man-in-the-Middle position. Currently, Subterfuge only ships with one method of establishing itself as MITM: ARP Cache Poisoning. Nevertheless, as a framework, its modular design allows it to support multiple methods.

Running Subterfuge:
To start Subterfuge, click the Start button in the top right corner. A popup window should appear asking whether you would like Subterfuge to automatically configure the attack; select OK. Now the attack should be running as seen above. Note that on BackTrack scripts MUST be enabled in order for Subterfuge to run.

ARP Cache Poisoning

What did we just do? If you already know or don’t really care, move on to the next section; for those of you who do care, let’s take a moment to talk about the anatomy of the attack. I won’t get into the behind-the-scenes actions that Subterfuge takes in order to make this process so easy; if you are interested in that information, head over to Extending Subterfuge and the Appendices.

Let’s back up a moment and talk about the Address Resolution Protocol (ARP). ARP is about as simple as a protocol gets. Its purpose is to associate MAC (Hardware) addresses with IP addresses. This allows devices on the Local Area Network (LAN) to find each other. Excluding Reverse ARP, there are really only two kinds of things that an ARP can say:

  1. ARP Request – “Who has X IP Address?”
  2. ARP Reply – “X IP is at X MAC Address”

What happens if instead of giving the standard ARP Reply we say, “X IP is at Y MAC Address”? Everyone who hears the packet adheres to it. This really uncovers the fundamental problem with the protocol. There isn’t a shred of authentication. Below is a Wireshark capture of an awry ARP packet.


Because this packet was sent to the broadcast all of the machines on the LAN will see the packet and adjust their ARP Tables to match. This means that all traffic bound for 192.168.1.1 (the router’s IP address) will go instead to the box bearing the attacker’s MAC address. We’ve achieved Man-in-the-Middle.


A victim running Windows 7 displays their ARP Table
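As an added defender-side example that is not part of the Subterfuge documentation, the following monitor (in the spirit of arpwatch) parses raw Ethernet/ARP frames, learns IP-to-MAC bindings from replies, and flags the two traits of the poisoned reply described above: it is addressed to the broadcast MAC, and it rebinds the router’s IP to a different MAC. All MAC addresses and the victim IP are constructed sample values; only 192.168.1.1 comes from the text.

```python
import struct
from collections import namedtuple

ETH = struct.Struct("!6s6sH")          # Ethernet II: dst MAC, src MAC, EtherType
ARP = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP, ETHERTYPE_IP = 0x0806, 0x0800
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"

ArpFrame = namedtuple("ArpFrame", "dst src op sender_mac sender_ip target_mac target_ip")

def mac_to_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_to_str(b): return ".".join(str(x) for x in b)
def mac_to_bytes(s): return bytes.fromhex(s.replace(":", ""))
def ip_to_bytes(s): return bytes(int(x) for x in s.split("."))

def parse_arp(frame):
    """Return an ArpFrame for an Ethernet frame carrying IPv4 ARP, else None."""
    if len(frame) < ETH.size + ARP.size:
        return None
    dst, src, ethertype = ETH.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP.unpack_from(frame, ETH.size)
    if (htype, ptype, hlen, plen) != (1, ETHERTYPE_IP, 6, 4):
        return None
    return ArpFrame(mac_to_str(dst), mac_to_str(src), op, mac_to_str(sha),
                    ip_to_str(spa), mac_to_str(tha), ip_to_str(tpa))

def build_arp(dst, src, op, sha, spa, tha, tpa):
    """Build a raw ARP frame; used here only to construct sample input."""
    return (ETH.pack(mac_to_bytes(dst), mac_to_bytes(src), ETHERTYPE_ARP)
            + ARP.pack(1, ETHERTYPE_IP, 6, 4, op, mac_to_bytes(sha), ip_to_bytes(spa),
                       mac_to_bytes(tha), ip_to_bytes(tpa)))

class ArpMonitor:
    """Learn IP-to-MAC bindings from ARP replies and report anomalies (arpwatch-style)."""
    def __init__(self, known=None):
        self.table = dict(known or {})  # seed with known-good bindings (e.g. the router) if you have them

    def observe(self, frame):
        """Return a list of alert strings for one frame (empty if nothing is suspicious)."""
        alerts = []
        arp = parse_arp(frame)
        if arp is None or arp.op != ARP_REPLY:
            return alerts  # requests are broadcast by design; only replies create bindings
        if arp.dst == BROADCAST:
            # Legitimate gratuitous ARP also looks like this, so this is a signal, not proof.
            alerts.append(f"broadcast ARP reply: {arp.sender_ip} is-at {arp.sender_mac}")
        if arp.sender_mac != arp.src:
            alerts.append(f"ARP sender {arp.sender_mac} differs from frame source {arp.src}")
        known = self.table.get(arp.sender_ip)
        if known is None:
            self.table[arp.sender_ip] = arp.sender_mac
        elif known != arp.sender_mac:  # first binding is kept, so every later poison keeps alerting
            alerts.append(f"{arp.sender_ip} changed from {known} to {arp.sender_mac}")
        return alerts

# Constructed sample addresses; only 192.168.1.1 (the router) comes from the text above.
ROUTER_IP, ROUTER_MAC = "192.168.1.1", "00:11:22:33:44:01"
VICTIM_IP, VICTIM_MAC = "192.168.1.10", "00:11:22:33:44:10"
ATTACKER_MAC = "00:11:22:33:44:ff"

def run_demo():
    """A legitimate unicast reply from the router, then a broadcast reply rebinding its IP."""
    mon = ArpMonitor()
    legit = build_arp(VICTIM_MAC, ROUTER_MAC, ARP_REPLY, ROUTER_MAC, ROUTER_IP, VICTIM_MAC, VICTIM_IP)
    poison = build_arp(BROADCAST, ATTACKER_MAC, ARP_REPLY, ATTACKER_MAC, ROUTER_IP, BROADCAST, ROUTER_IP)
    return mon.observe(legit) + mon.observe(poison)
```

On a real network the same monitor would be fed frames from a raw socket or a pcap, and seeded with the router’s true MAC so the first poisoned reply is caught rather than learned.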

Dynamic Poison Retention & ARPBlock

One problem with a traditional ARP Cache Poison attack is that the router and victims will occasionally send out legitimate ARP requests and replies. This means that the attacker will experience a period of MITM loss immediately after this traffic. In order to minimize this, a typical attack will simply spam ARP across the network. Subterfuge uses arptables to attempt to block all ARP that it does not personally distribute. Furthermore, Subterfuge uses what we’ve taken to calling Dynamic Poison Retention in order to preempt legitimate ARP. This allows us to run a much more stable attack, and even increase stealth by relying on something other than a ticker to retain a poison.

Dynamic Poison Retention in action


Using Subterfuge Modules

So now you’ve got MITM, but what on God’s green earth do you do with it? Let’s cursorily check out Subterfuge’s Modules.

The Subterfuge Module View


Subterfuge ships with many modules. After acquiring a man in the middle position we have a strongpoint from which to pillage the network. Subterfuge makes leveraging this position as simple as a few clicks. Check out the modules section for more on this.

Settings and Configuration Options

One of the most unique aspects of Subterfuge in the realm of network attack tools is the ease with which you can customize virtually anything about your attack. The settings page makes configuring and optimizing an attack simple.

Configuring Subterfuge is Simple


Attacking from the Network View

Through the Network View Subterfuge opens up a whole new way to visualize, and interact with a MITM position. Every box that shows up in this view represents an actively poisoned victim. Subterfuge synchronizes individual portions of the page with the server to make the attack look and feel real-time. The Network View also makes it easy to control the spectrum of your attack, and interact with modules directly, all from one place.

Subterfuge’s Network View Demonstrates an all New Way to interact with a MITM Position


That’s all there is to starting up a basic MITM attack with Subterfuge. The next chapter focuses more on how to leverage your attack position with the framework’s modules.