Category Archives: Subterfuge

Exploiting Superfish with Subterfuge

superfish

Let’s talk about the Internet. What do you use it for? banking, social networking, private email, registering your car, maybe even your taxes? When you’re using the web to accomplish these somewhat standard tasks you are almost invariably predicating the security of your interactions on HTTPS. Here’s funny thing about HTTPS though, it requires TRUST.

Typically, that trust is vested in a verified third-party like Comodo Inc. Now while this third party may or may not be trustworthy, at least you can be confident that all of your eggs are NOT in the same basket right? RIGHT!?

Unfortunately, if you are the recent owner of a Lenovo computer not only are all of your eggs in the frying pan, but anyone can reach over and dump them into the fire at will! How did this happen?

Using the Superfish Root CA

The integrity of HTTPS communications is seated in the certification authority trust model. In order to inject “targeted ads” into your browsing experience Lenovo had to break the foundation of that security model. Superfish, their solution to this quandary, functions by adding a root certificate authority to your computer. It then spies on your encrypted Internet traffic… not cool!

Screen Shot 2015-03-01 at 6.16.14 PM

What’s worse as an attacker you can retrieve Superfish’s certificate! That means that I can spy TOO! Robert Graham did an outstanding writeup on the steps he took to retrieve the certificate: http://blog.erratasec.com/2015/02/exploiting-superfish-certificate.html

I further removed the certificate passphrase and added it into Subterfuge in order to demonstrate just how trivial it is to exploit this vulnerability. Click the start button… wait for bank creds… really Lenovo? This kind of perversion of their customer’s trust isn’t simply bad business, it’s unethical.

Subterfuge 1.0.1

In order to facilitate attacks on Superfish we just released an exceptionally raw update to Subterfuge. In this update the toolkit moves away from SSLStrip-based proxying of web traffic to MITMProxy-based handling. So… what exactly does that mean?

1. Subterfuge can now MITM SSL sessions using arbitrary certificates

2. SSLStriping can be selectively enabled or disabled as desired

Installation

This package is an update to existing Subterfuge installations as opposed to a stand alone version.

To download the Subterfuge version 1.0 installer click here. (This version of Subterfuge does NOT include Superfish attack support).

To download the version 1.0.1 update package click here.

Version 1.0.1 now requires MITMProxy. To install MITMProxy on Kali Linux (or other debian based linux variants) run:

sudo -s
wget https://bootstrap.pypa.io/get-pip.py
python get-pip.py
apt-get install build-essential python-dev libffi-dev libssl-dev libxml2-dev libxslt1-dev
pip install mitmproxy

Upgrading Subterfuge

This requires that Subterfuge version 1.0 be installed on the system already for instructions on accomplishing this see: http://kinozoa.com/blog/installing-subterfuge-on-kali-linux/

Uncompress the latest version of Subterfuge into your existing installation directory as shown below:

tar -xvf subterfuge_1.0.1.tar.gz /usr/share/

Configuring Subterfuge to SSL Intercept

Settings Page

  1. Set Proxy Mode: MITMProxy
  2. Apply

Screen Shot 2015-03-01 at 5.16.28 PM

Executing the Attack

At this point attacking with Subterfuge commences as usual. Please note that this is a bleeding edge release of the framework and has not been tested to ANY degree. That means it is likely to be buggy, or not produce expected results consistently. Please use the comments below to describe any issues you are having, and we’ll do our best to get them fixed up and packaged into a more official release… (2.0 fingers crossed).

References

MITMProxy: https://mitmproxy.org/doc/index.html

Slate: http://www.slate.com/articles/technology/bitwise/2015/02/lenovo_superfish_scandal_why_it_s_one_of_the_worst_consumer_computing_screw.html

ARP Cache Poisoning

This page is currently under construction. The first draft is available, but more content must still be added be for the documentation is conclusive.  I apologize for the inconvenience.

Happy Hacking!

Click here to jump to ARP Poisoning with Subterfuge


ARP Cache Poisoning or ARP Spoofing is a network based attack that has been around for a long time; however, very little has been done address the vulnerability. The issue lies with the lack of authentication or even verification in the Address Resolution Protocol.  Though this attack is old it is still very effective, and if you think that it will be going away with IPv4 guess again. While the protocol has been removed in the IPv6 specification, the vulnerability still remains in a method call Neighbor Discovery Protocol, which is basically a very fancy rebranded ARP that solves problems in ARP’s network usage, but does nothing to fix the security issues.

Anatomy of the Attack

To understand ARP we first need to dive down into the network layers associated with it. Traffic traveling around your home network gets from one machine to another via layer 2 of the OSI model. More specifically, in a typical Local Area Network packets are switched not routed (as frames). This means that all that fancy TCP/IP overhead associated with the WAN is predominately a mute point. This makes our LANs much faster, but it also opens up these networks to additional strata of vulnerabilities. The Internet as we all know, uses IP addresses to get packets from one machine to another, but your LAN uses MAC address. In order to translate between the two standards, we have ARP.

So let us assume for a moment that your computer has an IP address it needs to send packets to: 192.168.1.1 and it is directly connected to the subnet 192.168.1.0/24 (this is the case with most home networks). Since it is connected to the same network as the target machine it must send the information as Ethernet frames, which means it needs the target’s MAC address not its IP. In order to get the MAC, it broadcasts to everyone on the network: ff:ff:ff:ff:ff (broadcast MAC address), and asks “Who has 192.168.1.1”. The response is supposed to be the MAC address of our destination.

Wireshark-ARP-Poison

In an ARP Spoofing attack all we have to do is respond to these requests with a different answer, namely, our MAC address. Now all traffic that you thought was going to 192.168.1.1 is actually going to the attacker instead. Furthermore, your computer remembers the last ARP response it gets, so if I spam these responses nonstop your computer will all ways use me as its target allowing me to sniff all the data you send to that host. If I poison your router, I can get all of your Internet traffic!


Subterfuge’s ARP Cache Poison

If you don’t care how Subterfuge does what it does, and you just want to know how to use it click here!

When we created Subterfuge (a framework to launch man-in-the-middle attacks) the first attack we gave it involved ARP Spoofing. We really wanted to stomp on the protocol, hard. Rather then just get the attack to work and release the product we spent a lot of time testing it against differing configurations and network devices. By its nature an ARP Cache Poison is a very unstable attack, and implementing it improperly can easily cause a denial of service against the target network. Naturally, this is not at all desired. Our research was focused on several key areas: Maintaining the Poison, Maximizing Stealth, and Network Stability.

Maintaining your Poison Versus Stealth & Stability

First we need to discuss the problem: losing a poison. How does it happen? On a typical network the router will occasionally send out a broadcast ARP packet letting anyone on the network know: “I’m still out there, and in case you were wondering here is my MAC Address”. That’s bad! Every time this happens we lose our poison against the network. When it comes to maintaining an ARP Poison most effectively there is one key: spam.  Because a client PC’s ARP table is always updated to reflect the most recent information it receives from the network, the best way to retain MITM is to send out as many poison packets as possible, but there’s a problem here. The primary reason ARP no longer exists in IPv6 is not security it’s overhead. Larger networks already tend to have so much ARP traffic that they experience a performance hit. Spamming packets as fast as your NIC can handle is definitely not the optimum solution from a network stability standpoint. Our research indicated that most routers tend to re-ARP a network anywhere between every 8-16 seconds.  To combat this Subterfuge by default poisons the network on an 8 second interval, but finer control is available through the settings page.

Unfortunately, this means that if you lose the poison you could be out of luck for up to 8 seconds. To combat this Subterfuge employs Dynamic ARP Retention, the concept here is that by listening on the wire for ARP messages from router you can hear the natural responses and spoof poison packets to match them. In practice this can cause an ARP storm on some networks and result in a denial of service condition. By default this setting is disabled; however, when enabled it can significantly bolster the stability of your attack. Lastly, you can adjust the rate of poison packets attacking the network manually from the settings page.

Poisoning with Subterfuge

Video coming soon!

Subterfuge gets a Makeover you Decide

How would you build it? There have been 5 major versions of Subterfuge, but so far we have stuck with the same landing page. While the credential harvester is what Subterfuge is known for, the project has much more to offer. In order to more closely match the evolving nature of the framework, we are planning to bring more options to the original interface we’ve grown to love. What would you like to see? Reply to this post with any of your suggestions or requests, and we just might incorporate them. Here’s an example of some of our thoughts:



 

Interface

Combine Subterfuge with Armitage Adversaries Beware!



Subterfuge and Armitage make a Terrific Duo!

Okay… So you can harvest creds like a boss… What else can you do with Subterfuge? In this video we combine Subterfuge and Rafael Mudge’s Armitage to unleash the full power of Metasploit on our foes!

This video is a good example of how we like to use Subterfuge, but whether it’s Armitage, msfconsole, or a homegrown exploit Subterfuge can send victims your way. In today’s much more security conscious age you are far more likely to turn a client side exploit into a successful pentest then the remote code execution vulnerabilities that pervaded the past decade.

On Armitage

Armitage gets a lot of flack from some MSF power users, but personally I find its integration with Metasploit’s RPC to be the most convient way to interact with the msfconsole. Mudge has put a ton of work into Armitage over the past couple of years. The result is a sleek, capable tool that just gets the job done. Thanks Rafi!

 

Armitage

 

Checkout his site: Strategic Cyber

Attack Breakdown

Difficulty – Intermediate

Attack Methods – ARP Cache Poisoning, HTTPS Downgrade, Java Signed Applet (Browser Exploit)

Subterfuge Documentation


Subterfuge5Wallpaper

Enter Subterfuge, a Framework to take the arcane art of Man-in-the-Middle Attacks and make it as simple as point and shoot. Subterfuge demonstrates vulnerabilities in the ARP Protocol by harvesting credentials that go across the network and even exploiting machines by injecting malicious code directly into their browsing sessions.

How to use this Document

Reading through this entire document may be tedious, and will certainly deluge you in information you may not have any desire in knowing. To aid in your perusal below is a short summary of each section, so that you know where to go in order to get the information that you came for:

Introduction

This section is for those of you who are interested in where the Subterfuge Project came from, why it exists, and what we hope to accomplish. The introduction focuses on the risks of MITM attacks, the programmatic structure of Subterfuge, and the community buoying it up.

                     The Attack

                     The next portion of the documentation gets right into running Subterfuge.  It starts with the most basic usage, and moves on to basic module usage as well as settings and configuration options. 

                     Modules

                     Extending the attack through Plugins and Modules. This section takes an in depth look at how Subterfuge can really work for you. 

                     Troubleshooting

                     The most pervasive problem with hacking tools is that they never quite work right for everyone. Between the plethora of different builds we operate, and the differing conditions of each attack breaking things is almost inevitable. Here’s what to do to fix it.

                     Third-Party Tool Integration

                     Subterfuge doesn’t exist in a vacuum, and we didn’t design it that way. Here we discuss the external tools that the project leverages, and how they interact with the framework to make the penetration testing experience more fluid and dynamic.

                     Extending Subterfuge

                     Making Subterfuge work for you is easy. This portion of the documentation talks about just how to get deeper functionality out of the system. 

                     Contributing to the Project

                     Community Support for the project has been great so far. If you would like to contribute in some manner then this section might merit your perusal. 

                     Appendices

                     Other stuff. See for yourself.

Installing Subterfuge on Kali Linux



Walkthrough

This is an install of Subterfuge Version 1.0. It takes place on a Virtual Box VM running Kali Linux 1.0.2. Packages were updated by running:

apt-get update
apt-get dist-upgrade

Step 1: Download the Code

Downloads

Step 2: Install Subterfuge

dpkg -i subterfuge_1.0-1_all.deb

Step 3: If the installer errors due to dependency issues install them along with Subterfuge

apt-get update && apt-get -f install

Because Subterfuge has deprecated its old installer and switched over to the Debian packaging system there should no longer be any chance that installing Subterfuge will break your existing packages!

Hopefully this install worked out for you all. Post in the comments if your issues still seem to persist, and we’ll try to help you work it out.