Hacking with Subterfuge to Capture Passwords
Posted by Unknown on 13:24 with No comments
Subterfuge is a simple and easy to use tool in Linux. It performs man-in-the-middle attacks and sniffs passwords off the network. When I say password, it can mean Network proxy password, Firewall user authentication passwords, plain-text password of websites, even https websites like Facebook and Gmail. Subterfuge has sslstrip (an SSL hacking tool) inbuilt. That means it will also capture the passwords of websites using HTTPS.
Now, let's say you want to 'hack' the Facebook passwords of some people. You can use subterfuge to capture their passwords. This can also be necessary in a real life pen-test scenario. User credentials make it a lot easier to break into organisations.
You need to have a Linux computer for this. It doesn't work on Windows, as of now. Ubuntu or Backtrack is fine. Also, the most important thing to remember is that you have to be within the same network subnet as your victim or target, connected by a switch or wifi.
How to set up subterfuge
Download subterfuge from http://code.google.com/p/subterfuge/downloads/list
Once the download is complete, open a terminal, navigate to the folder where subterfuge is, and type this:
tar fvxz SubterfugePublicBeta5.0.tar.gz
This will extract all the files from the tar archive. Make sure the name is properly typed.
To install, type python install.py -i
Once installed, go to any terminal and type subterfuge
- Now, open Firefox or any web browser and go to 127.0.0.1. You will see the subterfuge interface. Click on the Start button on the top right. Now you have to wait for it to gather the passwords.
- The captured usernames and passwords will appear like this:
The usernames and passwords have been blurred out because these are actual credentials from my college wifi.
As you can see, subterfuge is an excellent (though not perfect) tool. It will easily capture the network and plain-text passwords, but when it comes to HTTPS, users will get a warning which says “Server Certificate Error, Proceed at your own risk”. People almost always ignore this warning and when they do, their passwords get captured. There is a lesson to be learnt here regarding HTTPS.
Cain & Abel can also perform the same task as subterfuge, but Cain is a bit old now, and doesn't harvest passwords properly on its own.
Please note that hacking is illegal. If you do this within your organisation in any capacity, it is most certainly illegal. So, make sure you don't get caught. Smart hackers don't get caught, script kiddies do.