Monday, May 27, 2013

Hacking with Subterfuge to capture passwords

Subterfuge is a simple, easy-to-use tool for Linux. It performs man-in-the-middle attacks and sniffs passwords off the network. By "password" I mean network proxy passwords, firewall user-authentication passwords, plain-text website passwords, and even those of HTTPS websites like Facebook and Gmail. Subterfuge has sslstrip (an SSL hacking tool) built in, which means it will also capture the passwords of websites using HTTPS.

Now, let's say you want to 'hack' the Facebook passwords of some people. You can use Subterfuge to capture their passwords. This can also be necessary in a real-life pen-test scenario: user credentials make it a lot easier to break into organisations.

You need a Linux computer for this; it doesn't work on Windows as of now. Ubuntu or BackTrack is fine. The most important thing to remember is that you have to be on the same network subnet as your victim or target, connected via a switch or Wi-Fi.
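The same-subnet requirement is also what gives a defender something to look for: a host that inserts itself between a client and the gateway has to change what the client's ARP cache says about the gateway. The following is an added example, not part of the original post or of Subterfuge, that parses two constructed snapshots of a client's neighbour cache (in the format printed by `ip neigh show` on Linux) and flags the two classic symptoms: the gateway's MAC differing from a baseline, and one MAC answering for several IPs. The IP and MAC values are made up for the example.

```python
import re
from collections import defaultdict

# Constructed sample data: two snapshots of a client's neighbour cache in the
# format printed by `ip neigh show` on Linux. In the baseline every IP has its
# own MAC. In the later snapshot the gateway 192.168.1.1 resolves to the MAC
# that 192.168.1.50 already owns, which is what a poisoning host on the same
# subnet produces when it places itself between the client and the gateway.
BASELINE = """\
192.168.1.1 dev wlan0 lladdr aa:bb:cc:00:00:01 REACHABLE
192.168.1.50 dev wlan0 lladdr aa:bb:cc:00:00:50 STALE
192.168.1.77 dev wlan0 lladdr aa:bb:cc:00:00:77 REACHABLE
"""
CURRENT = """\
192.168.1.1 dev wlan0 lladdr aa:bb:cc:00:00:50 REACHABLE
192.168.1.50 dev wlan0 lladdr aa:bb:cc:00:00:50 REACHABLE
192.168.1.77 dev wlan0 lladdr aa:bb:cc:00:00:77 REACHABLE
192.168.1.99 dev wlan0  FAILED
"""

# Matches only entries that carry a link-layer address; INCOMPLETE/FAILED
# entries have none and are skipped by the parser.
NEIGH_RE = re.compile(
    r"^(?P<ip>\S+) dev (?P<dev>\S+) lladdr "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) (?P<state>\S+)$",
    re.IGNORECASE,
)


def parse_neigh(text):
    """Return {ip: mac} for every neighbour entry that has a lladdr."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            table[m.group("ip")] = m.group("mac").lower()
    return table


def find_anomalies(baseline, current, gateway):
    """Compare two parsed snapshots and return a list of alert tuples.

    Two signals are checked:
      * the gateway's MAC differs from the baseline (gateway spoofing);
      * one MAC answers for several IPs in the current snapshot.
    """
    alerts = []
    old, new = baseline.get(gateway), current.get(gateway)
    if old and new and old != new:
        alerts.append(("gateway-mac-changed", gateway, old, new))

    ips_by_mac = defaultdict(list)
    for ip, mac in current.items():
        ips_by_mac[mac].append(ip)
    for mac, ips in sorted(ips_by_mac.items()):
        if len(ips) > 1:
            alerts.append(("shared-mac", mac, sorted(ips)))
    return alerts


if __name__ == "__main__":
    base, cur = parse_neigh(BASELINE), parse_neigh(CURRENT)
    for alert in find_anomalies(base, cur, "192.168.1.1"):
        print(*alert)
```

On a live machine the snapshots would come from `ip neigh show` taken at two points in time. A shared MAC is not proof on its own: a router holding several addresses on one interface, or a hypervisor bridging guests, legitimately produces it, so the gateway-MAC change is the stronger signal and the shared-MAC finding is the one to confirm against your inventory.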

How to set up subterfuge

Once the download is complete, open a terminal, navigate to the folder where Subterfuge is, and type this: tar fvxz SubterfugePublicBeta5.0.tar.gz
This will extract all the files from the tar archive. Make sure the name is typed correctly.

To install, type python -i
Once installed, go to any terminal and type subterfuge
  1. Now, open Firefox or any web browser and go to
    You will see the Subterfuge interface. Click the Start button at the top right. Now you have to wait for it to gather passwords.
  2. The captured usernames and passwords will appear like this:

The usernames and passwords have been blurred out because these are actual credentials from my college wifi.

As you can see, Subterfuge is an excellent (though not perfect) tool. It easily captures network and plain-text passwords, but with HTTPS, users get a warning that says "Server Certificate Error, Proceed at your own risk". People almost always ignore this warning, and when they do, their passwords get captured. There is a lesson to be learnt here regarding HTTPS.
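The lesson, from the site operator's side, is HTTP Strict Transport Security (RFC 6797): once a browser has seen a valid Strict-Transport-Security header from a host, it refuses plain-http connections to it for max-age seconds, and it will not let the user click through a certificate error for that host at all, which is exactly the click-through the paragraph above relies on. The following is an added example, not code from the post or from Subterfuge, that parses the header and grades a response's policy against an SSL-stripping attacker. The sample responses are constructed, the six-month "weak" threshold is my own choice, and the one-year/includeSubDomains/preload combination is the published submission requirement of the hstspreload.org list.

```python
# Constructed sample responses (header dicts only), not captured from any
# real site. Header names are matched case-insensitively, as HTTP requires.
SAMPLE_RESPONSES = {
    "no-hsts": {"Content-Type": "text/html"},
    "cleared": {"Strict-Transport-Security": "max-age=0"},
    "short": {"strict-transport-security": "max-age=86400"},
    "solid": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
    "preload": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"},
}

SIX_MONTHS = 180 * 24 * 3600  # 15552000 s; threshold chosen for this example
ONE_YEAR = 365 * 24 * 3600    # 31536000 s; minimum required by the preload list


def parse_hsts(value):
    """Parse a Strict-Transport-Security value per RFC 6797.

    Returns {"max_age": int|None, "include_subdomains": bool, "preload": bool}.
    max_age is None when the directive is missing or not a plain integer; a
    browser discards the whole header in that case.
    """
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, raw = directive.strip().partition("=")
        name, raw = name.strip().lower(), raw.strip().strip('"')
        if name == "max-age":
            policy["max_age"] = int(raw) if raw.isdigit() else None
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy


def assess_hsts(headers):
    """Grade a response's HSTS policy against a downgrade-to-http attacker.

    Returns (grade, reason). Grades from weakest to strongest:
    none, weak, first-visit-exposed, preload-ready.
    """
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return ("none", "no HSTS header: a downgrade to http works on any visit")
    p = parse_hsts(value)
    if p["max_age"] is None:
        return ("none", "unparseable max-age: browsers discard the header")
    if p["max_age"] == 0:
        return ("none", "max-age=0 deletes any cached policy")
    if p["max_age"] < SIX_MONTHS:
        return ("weak", f"max-age {p['max_age']}s expires quickly; returning users lose protection")
    if p["preload"] and p["include_subdomains"] and p["max_age"] >= ONE_YEAR:
        return ("preload-ready", "meets preload-list requirements; once listed, even the first visit is protected")
    return ("first-visit-exposed", "cached after one clean https visit; the very first visit is still strippable")


if __name__ == "__main__":
    for name, headers in SAMPLE_RESPONSES.items():
        grade, reason = assess_hsts(headers)
        print(f"{name:8s} {grade:20s} {reason}")
```

The "first-visit-exposed" grade is the honest ceiling for a header alone: a user who has never reached the site over clean HTTPS has no cached policy, so only inclusion in the browsers' preload list closes that window. Redirecting http to https without the header does nothing against stripping, because the attacker's proxy is the one receiving the redirect.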

Cain & Abel can also perform the same task as Subterfuge, but Cain is a bit old now and doesn't harvest passwords properly on its own.
Please note that hacking is illegal. If you do this within your organisation in any capacity, it is most certainly illegal. So, make sure you don't get caught. Smart hackers don't get caught, script kiddies do.

1 comment:

  1. I always spent my half an hour to read this web site's content
    every day along with a mug of coffee.