Remember when MITMing people to pentest webapps and log-ins you had to fire Ettercap,Arpspoof, SSLstrip, then look for credentials in the captured packets?
No more thanks to (or fault of?) “Subterfuge”.
Surprisingly, there’s nothing about Subterfuge here on Null Byte (is it?), so I decided to share this awesome tool presented at DEFCON 20.
Subterfuge is an automated suite for MITM attacks that includes a lot of useful features and tools (like SSLstrip) that will make your pentest easier and more efficient. Not only it includes SSLstrip (completely automated), but the creators have added some features to make it more powerful and reliable.
Here’s the DEFCON speech on YouTube:
Step 1: Download the Packages
Go to the download link above and choose your download.
For efficiency purposes, I’m going to download the SubterfugePublicBeta5.0.tar.gz package.
Place it in the Desktop and that’s it for this step.
Step 2: Extract the Packages
There are plenty of ways to extract a .tar.gz in Linux:
Open the Terminal and type:
tar -zxvf /root/Desktop/SubterfugePublicBeta5.0.tar.gz -C /root/Desktop
It will extract the contents of the compressed file in the Desktop, in a folder called “subterfuge”.
Step 3: Setup Subterfuge
Type in the Terminal:
to navigate to the folder,
to start the installer.
Something like this will be prompted:
Check “Full Install with Dependencies” and click the Install button.
The installer is super verbose, wait until this will prompt:
Click finish, now you can close the Terminal.
Step 4: Start Subterfuge (And Credential Harvester Modules)
From now on you’ll only have to type “subterfuge” in the Terminal to start our new friend, then go to Iceweasel and type in the URL space “127.0.0.1”.
There you go:
Now you can press the button “start” and the Credential Harvester Module will automatically start, capturing all the passwords that people type in your LAN, including SSLstrippded ones.
Before we continue with some other modules, I want to tell you why SSLstrip isn’t reliable anymore (almost).
HTTPS SSLstrip vulnerability has been patched with HSTS Headers, so that first time someone connects to a HTTPS page that he never visited, it is stored as HTTPS, and when you visit that page again the HTTPS request will be inevitable, and SSLstrip won’t be effective (it would only if it’s running the first time that the victim visits the page, but some browsers implemented a list of default HSTS headers for popular sites, so yeah).
HSTS is supported by most of the browsers out there (latest versions) except IE (surprised?), which is said to implement it in version 11.
Other Interesting Subterfuge Features and Modules
First, you may say: “what if I want to MITM only one host?”
Here you can customize the settings, that otherwise Subterfuge will tell you to do it for you (this is also automated, how nice!).
Just enter the single client in “Arp single clients”.
A little description on the other modules that Subterfuge supports (some of those are NOT supported in the public beta, you’ll have to download the official .deb file, which is even easier to install):
1)Network View:”allows you to quickly and easily launch advanced attack vectors”.
2)Session Hijacking:steals the cookies of the compromised session to authenticate into a web service.
3)HTTP code injection:”allows the user to inject payloads directly into a compromised session”.
4)Evilgrade:evilgrade is a tool built for update hijacking, you can find documentation online.
And that’s it for today, I hope this article will be useful and sorry if my english was bad, but I’m not mother tongue.
If something is wrong or incorrect, please correct it in the comments, I’m terribly sorry.