Hi, everyone. Welcome to Man in the Middle Made Easy. Today we're going to be talking to you about the Subterfuge attack framework. First, we're going to go into a little bit about what each of us did in this project. My name is Chris Shields, and I worked on a lot of the ARP attack tools and the custom attack tools. A good chunk of my work was actually done debugging and ensuring that our new tool actually worked effectively against as many devices as possible. Besides that, I wrote my tools in Python and was often integrating Linux operating system command output, using regex, back into our tool. Other than that, I kind of did the project management side of the house: the direction, the priorities for the project, and just updating the issues on the Google Code site and making sure that our latest ideas were up there.

Right. So I'm Matt Toussaint. I did a little bit of the interface design and development, so you have me to blame for all the interface problems you're going to have. It's also a web front end, so I did a lot of work on making sure we had browser compatibility, making sure it worked well on Firefox, Google Chrome, and Safari, and I'm sorry for all you Internet Explorer users out there, but you're on your own. I'm also to blame for all the framework development, so all the pulling things together and making it something that's extensible, really easy to use, and really easy to put in different places.

Right. So this is a quick overview of what we're going to talk about. I know a lot of you already know man-in-the-middle attacks, especially ARP cache poisoning, which we're going to focus on a little bit. We're just going to do a really brief overview, so for those of you who don't know, you can fill in the blanks, and for those of you who do know, maybe a little bit of a refresher. Then we're going to get started on the framework.
We're actually going to talk a little bit about how Subterfuge splits off a man-in-the-middle attack into two big different parts, a little bit of a dichotomy of the attack: the getting-man-in-the-middle portion, and then actually leveraging that position to do something worthwhile. And Subterfuge abstracts those. Then we're going to do a little bit of demonstration, jump right in, give a little example of how it works and how easy it is to use it, and then we're also going to talk a little bit about countermeasures. So now that you know how dangerous the network is and how easy it is for really anybody to do it, a couple of ways to look out, to know when you're being exploited, and to keep yourself from being owned. Then we're going to talk a little bit about future work, just because Subterfuge is still a live project, it's still in beta right now, and where we're going to extend it in the future and what it's going to really become.

So before we go into the talk about the basic man-in-the-middle attack process, we just want you to keep in mind that we are talking about ARPing and not LARPing. So anyway, here we have the anatomy of the attack. This is a basic network poison diagram, and so the clients on the right-hand side, they're the users, soon to be victims. They're sitting there, they're doing whatever they're doing on the network, and in comes an attacker. He happens to be using Subterfuge. Now as soon as he activates Subterfuge, using the ARP vulnerability that we're going to talk about, it pretty much gets on the network and it tells all the different devices, hey, I'm the router, so you can send all of your stuff to me now. And due to the inherently trusting nature of the ARP protocol, everyone says, sure, okay, why not? You're a good guy, right? And so that's where the problem all starts.
And so once you have that man-in-the-middle position, when everyone says, okay, I'm going to route the traffic through you, you know, when you're in that spot, there's a multitude of different attacks that you can do. You can sit and monitor traffic, you can see credentials as they're going through. You can actually modify and slap some extra funness onto their information as it's going from the actual legitimate source to the end user. Or you can just add some, you know, fun little exploits to their web page, which actually owns their boxes and gives you back shells. So as you can see, it's a pretty devastating position to be in.

And this is the vulnerability, which has been out there for quite a long time now. We're going to go kind of high speed at this because it's not a new attack and we don't want to bore anyone who really knows about ARP. But this is an example of a poison packet that Subterfuge sends out. So at the top arrow where it says broadcast, it's being sent to the broadcast MAC address. So that's just saying every single device in the network is going to receive this packet. Then below that is the attacker's MAC address. Now below, in the Address Resolution Protocol, the ARP reply area, you can see that the router's IP address is actually spoofed in here. So this is where the magic is. This packet's going to go out and say, hey, I'm really from the router, but this is my MAC address. So it actually updates all of the ARP tables on the victims' client machines and says that the attacking machine is now the router. So the problem is, when ARP goes to broadcast, everybody on there, so all the computers connected to the network, are going to see that packet and go, oh, this is for me. It's an ARP packet and it says, hey, here's the MAC address of the router. And since I want internet, I'm going to go ahead and update my table so that I can continue to have internet.
The problem is that there's really no accountability and we just automatically trust ARP, which as we all know is not necessarily a good thing to do for anything. Right. So moving on, as you can see here, we've got a Windows 7 machine just displaying its ARP table. And we've got the same MAC address that's associated with two different IP addresses. And that's because that ARP packet got sent out. This Windows 7 machine adjusted its ARP table and now it's routing any traffic to either of those IP addresses to the same MAC address, which is the hacker's computer. Beneath that, we've got a traceroute from a Mac OS X Lion machine. And as you can see, it's now routing its traffic through the hacker's machine, 192.168.1.119, instead of the router. And the attacker's machine is forwarding it on to the router. It becomes transparent because the attacker's machine forwards that traffic on, takes the response, and sends that back, so that the victim can never really tell, at least not easily, that he's been victimized.

Right. So the project and our motivation. We always get asked, why did you do this? What's your motivation for the project? Don't you know this is a bad thing and you're evil? So, you know, in answering that, I like to start with talking a little about history. A fellow named Dug Song, over 12 years ago, released a toolkit called dsniff. In that toolkit was a program called arpspoof. And what arpspoof did was, you know, ARP cache poison the network, make the computer the man in the middle, and the point was to demonstrate exactly how vulnerable people on a local network were. And then hopefully, you know, bring about some kind of fix or at least some kind of awareness. Here we are 12 years later and your average consumer router is still vulnerable to the exact same attack. Archaic, nothing special. So we thought we'd go ahead and go about it a little bit of a different way.
So Subterfuge, it makes it obvious to anybody, no matter how tech-savvy or non-tech-savvy you are, just how vulnerable you are on the network and exactly what you're getting. So rather than just, oh, somebody's man in the middle, he's seeing my traffic, what does that mean? We actually display, you know, here's what you got, here's something else you got, and, you know, there's a real risk and here's the threat. So hopefully that's going to make consumers demand some kind of protection in their routers. And those protections do exist. Router companies just haven't given them out to consumer-level routers. So hopefully when consumers start demanding that, router companies like Belkin and Cisco and, um, what? Got them. It says Nick here, I don't know what you're talking about.

So anyway, about four months ago we took Subterfuge and we decided to put it online. We put it on Google Code, and it was really just to help us code better and, you know, the project management side of the house, just keep track of everything. And since we did that, there has been a slowly growing community that has actually stumbled upon our site and our project. And the response has been pretty positive so far. So we've been, you know, continuing to program and keep this project alive. We've already had, you know, thousands of people download the code and our white paper. We've had thousands of people view videos on it, et cetera. And apparently our wallpaper is even cool enough that hundreds of people have downloaded that. So I'm not quite sure about that. We've also had people from the community contribute small portions of code and volunteer to be hardcore beta testers. And just recently we actually were approached by BackBox Linux because they wanted to include our tool in their security distribution.

So now let's actually talk about Subterfuge. So Subterfuge has a couple of improvements over most man-in-the-middle tools you see out there.
The first and foremost is that it's got a very intuitive interface that's extremely easy to use. For instance, whenever I'm trying to use Cain, yeah, I know, right? Cain. Whenever I'm using Cain, I can never find the button to pull up that menu to do that thing I'm trying to do that one time. It's just, it's just busy. Subterfuge is not that. So Subterfuge is there to demonstrate the vulnerability, to exploit the vulnerability and, you know, to get what you're trying to get, no ifs, ands, or buts about it. It's also very point-and-shoot. There's a start button in the right-hand corner. You click the start button. It asks you if you want it to do everything for you. You hit okay and you're on. It's also really silent and subversive. Unlike most man-in-the-middle tools, where it's spamming, just it's spamming ARP, particularly for ARP cache poisoning tools, Subterfuge actually has a couple of innovations, if you will, that we're going to talk about in a little bit when it comes to poisoning a network, that really allow it to be a lot more silent. A couple of the things that we've integrated into Subterfuge, which we'll also talk about just a little bit, let us subvert the user and make it really transparent and very hard for the victim to actually realize that they're being exploited. And finally, best of all, Subterfuge is open source. So if, you know, there's this man-in-the-middle tool and you want to do a man-in-the-middle attack, but it's not doing it quite the way you want it to, Subterfuge is written in Python. So actually editing that, building a little bit of an addition to it, is very simple, very easy, and you can see everything that it does.

So let's talk about the framework. This is really what makes Subterfuge a bit different than most man-in-the-middle attack tools. It's got a server-client architecture, which means that you can actually collaborate with this.
Most of the time when you're doing a man-in-the-middle attack, you know, you've got one person who can do it, because there can't ever be two men in the middle; that's kind of difficult. If you try that, the network is going to go down, nobody's going to get traffic, and, you know, your idea of transparency is completely gone, nixed by the fact that you've got two people struggling to be that man in the middle, and the network just can't handle it. So with Subterfuge, there's one person who's doing that man in the middle, that's the Subterfuge server, and you've got clients who can connect to that server and they can all use it at the same time. We also went ahead and split apart the two pieces of a man-in-the-middle attack. You've got your actual attack, so your exploit on the network, where you get your man-in-the-middle position, and then you actually leverage that attack to do something, right? So if we get this position, then what do we do with it? And if you're a developer, you can get the man-in-the-middle position or come up with a new network exploit, and you can integrate that into Subterfuge without having to actually build the backbone to do something with that attack every single time you come up with a new attack. We also have a lot of configuration options, which means that if you're coming up with a new attack that really needs to have a little bit of nitpicky man-in-the-middle positioning, you can go ahead and configure and set that all up yourself, and we'll get a little bit more into that in the demo when we actually touch on it.

All right, so I'm gonna go through a comparison of just some of the other tools that are used for man-in-the-middle attacks right now, and then we're also gonna touch on what's new and different with Subterfuge. So other tools, you know, we already touched on it, are spewing out ARP packets all the time.
If you're on a network that's being poisoned, you can pull up Wireshark and actually watch the sheer number of ARPs coming through and see, hey, this is probably, you know, a man-in-the-middle attack. The other thing is there are some unacceptable periods of man-in-the-middle loss, where just due to basic traffic, clients will lose that man-in-the-middle position, and the attacker will not be able to do anything. And in general, a lot of these tools actually, after running for even a short period of time, can just completely overload the network and make it crash, and that completely goes away from your stealth and transparency, because obviously, no internet, they're gonna start complaining.

So Subterfuge: Python, it's open source. That's a pro. The other thing is it also has what we like to call intelligent poisoning and dynamic poison retention. Now, intelligent poisoning is what allows you to change the throttle of how fast the ARP poison packets are coming out. Now, on that threshold, there's only one packet being sent out. So instead of constantly doing ARP scans, seeing who's there, sending out poison packets, or just spamming every single IP address, it's intelligent in that it sends out one packet on a certain threshold, and that's it. Now, dynamic poison retention is really unique to Subterfuge, where it actually listens for those basic ARP communications between the router and the clients, or the clients and the router, that would typically make you lose that man-in-the-middle situation. So there are often times that Windows, for example, when it first turns on and connects to the internet, even if its ARP cache is full, it'll say, hey, router, where are you again? You know, just checking. Now, that would normally make you lose the man-in-the-middle position if you were an attacker, because in that communication the router would say, here I am, and the client would be like, oh, there's the real router.
But now, Subterfuge actually monitors the network, listens for those types of communications, and is instantly right there. So the second that router is sending the response, Subterfuge has already sent out a packet and is saying no. Please remind them kindly who the real router is. And then we also have what's called ARP block. When you're in that man-in-the-middle position, we use ARP block to prevent any kind of communication from the router to the client. So it forces all of the clients, and now victims, to communicate directly through us, and the router can't come in and kind of steal the show. So it just prevents, once it's in that man-in-the-middle position, it kind of, you're in charge, and so we can say, you know, what our packets go back and forth.

Right. So something else we actually used, a big backbone component of Subterfuge, is sslstrip. So Moxie Marlinspike at Black Hat in 2009 released sslstrip, and it runs an HTTPS downgrade attack. So when we first came across sslstrip and started looking into the code, we almost felt like we died and went to heaven, because it's written in Python, for one. For two, it also acts a little bit like an intercepting proxy. So we went ahead and customized it to actually use those features to log basically everything. Because really everything that goes through the network has some kind of use to us as, you know, the man in the middle, or the attacker, or the penetration tester. So that traffic is now all routed through the intercepting proxy and logged in Subterfuge's database. Now after we log it, well, when it's coming back through, we can pretty much do anything we want to it, right? So we figured here's a great place to start injecting things or modifying traffic on the fly. We do that through something we like to call, well, a little bit of smart injection. So, you know, you browse to yahoo.com. That site's freaking ridiculous.
You go there and it pulls in 20 external sites every time you go, just because it's got so many news articles. Well, if you were just slapping an injection onto every single site that you went to, when somebody browsed to somewhere like yahoo.com, you'd inject that site 20 times. So with smart injection, it knows when that's happening and only injects once. And it also lets you really control the rapidity of your injection, especially if you're looking for very specific modifications to somebody's browsing session.

Here are some of the plugins that we're going to briefly talk about. We actually have demonstrations of three of these up here, so I'm going to only talk briefly about them. But the credential harvester is the main module or plugin in Subterfuge, and what it does is it uses all the backend tools, the ARP poisoning tool that we wrote, it uses sslstrip, puts it all together in one spot, configures it without bothering you or you having to do any kind of text file editing, and just works. And so what happens is you click start and it'll start intercepting any kind of web login traffic. Code injection is actually, we're able to intercept the traffic as it's going between the legitimate source and the host and we're able to slap something on in the end. And we'll talk more about what you can do with that. Now, denial of service, for you Anonymous types, if you just love everything to do with DoS and you just are so excited, we made one of those too. Denial of service, there are many different uses of it, and an ARP denial of service attack is very effective, as we found in development. There were constantly times where we were developing this, something went wrong, and I had a really fast internet connection and he didn't have any. Denial of service, you could use it for multiple different things. You can just say, I don't want this individual to have internet, or I really need to use all the internet right now.
I'm sorry everyone, go sit in the corner because I'm going to use all of it. Yeah. Then another plugin, tunnel block, actually was brought up in the development of Subterfuge. A friend of mine, a fellow computer scientist, he said, well, even if you have the man in the middle, if I have a VPN or some other kind of tunneling encryption protocol, you're not going to see what I'm doing, right? I said, hmm, well, if I'm in the middle, I can do whatever I want. So with tunnel block, the module, all it does is it blocks the standard protocols and tunneling services on the standard ports. So PPTP, Cisco VPN, L2TP, OpenVPN, SSH, all that stuff. If you want to, you can enable it. So by default, those things will be blocked. So you can even have an intelligent user on a public Wi-Fi saying, I'm going to be secure. I'm going to log into my VPN. When they pull up their VPN, hit connect. Because I'm man in the middle, I'm dropping all those packets. So it will just hang. They'll never connect. And they're probably busy, so they're going to continue on their way regardless. And we're also going to actually have a demonstration of network view. It's a really unique feature of Subterfuge. It's a whole new way of visualizing the attack as it's happening. It's a dynamic view that updates and lets you visually see the network as you're attacking and who exactly you're man-in-the-middle on.

So here is the demonstration of the credential harvesting module. So as you see, when you start Subterfuge, it's pretty simple. Up in the upper right-hand corner, there's a start button. When you click it, it's going to say, hey, do you want us to do all that work for you? And you're going to be like, sure. So it's going to go and get the network adapters, IP addresses, all those things. You're going to be like, okay, cool, that's awesome. So I'm just going to click okay. I click start, now I'm clicking okay. Here it goes. It's off.
Now in the background, it's using sslstrip, all these other things, and everyone's getting poisoned in the background. Now these people, unfortunate people, you know, Facebook, eBay, Amazon, LinkedIn, they're all visiting the site thinking that they're secure, and here's their plaintext password. Now I don't think we could demonstrate an easier way of seeing how vulnerable people are to these attacks than this easy-to-understand interface. I mean, you've got the source, the username, the password, the date and time when it happened. Clear code right there. You can see just how devastating it is, because there's everyone's passwords. And that's kind of one of the big things that we want to demonstrate. We also got the opportunity to just give a little bit of a demonstration of Subterfuge at the undergraduate level before coming here. And we just pulled this specific piece up, let those undergraduate students who weren't necessarily computer science majors just get a look at this, see that they could click the start button, click through. And that really opened their eyes and kind of did what we built Subterfuge to do, to make it really obvious, no matter how tech-savvy you are or how tech-savvy you are not, just how easy it is to get your credentials. And I don't think they'll be doing their banking on Chase anytime soon.

Right, so Subterfuge does more than just harvest credentials. We built that, we built Subterfuge around credential harvesting specifically because we thought it was the way you were exposed every time you did anything online. But Subterfuge is a framework, which means we want it to be able to do just about anything. So here at the plugin menu, if you were to click on credential harvester, it just gives you a short description on the right-hand side of what the credential harvester does. If we click apply, it will take us there.
In this case, we're going to go ahead and click on HTTP code injection, and look at that top right-hand corner; it gives a short description of what it does. Subterfuge is integrated directly with Metasploit. So we can use browser autopwn to inject people if we'd like to. Or we can inject them with our own custom special sauce. So if we were to pick Metasploit, we could go down to payload and pick the type of injection that it would do. We could do iframe injection, which is hidden, and the user wouldn't actually experience or see, or the victim, excuse me, wouldn't actually experience or see anything. There's also window redirection, and we could also pop up really an exploit in the pop-up. This is really good because not all browsers like it. So if we pick custom injection here, we can go ahead and type in anything that we want slapped onto the bottom of anybody's page. In this case, just to demonstrate, we're going to do a real quick script tag. It's just going to inject an alert that says "osmosis was here" into the victim's browsing session. It's as simple as just typing out whatever you want to have added and clicking apply, and now it's being injected. So now the next person who's been man-in-the-middled on the network to browse to anything is going to receive that injection. So here we've got a victim running Windows XP. Lord knows why. Also with the Google Chrome browser, he's just going to browse to Google.com, and now he's got our little special sauce, a little nugget of joy. It says the page at Google.com says "osmosis was here." This is actually a really good way of demonstrating another little tidbit about what makes man-in-the-middle attacks and the man-in-the-middle position so powerful, because the user sees "the page at Google.com said this." Because it's coming through us before it reaches them, we can pretty much make anything we can possibly think of look like it came from whatever the source was.
So I can send them anything I want to and they think it came from Google.com. So this is the network view. This is really what makes Subterfuge a little bit unique. It's a whole new way of interacting with a man-in-the-middle position. Every single person who comes up here, so for instance we just got a client, 192.168.1.19, is man-in-the-middled. So that means that all of their traffic is being routed and displayed to people that we have victimized. And it is also integrated directly with Metasploit. So if you hit the scan button it will automatically do a Metasploit, or excuse me, not Metasploit, nmap. If you hit the scan button it will automatically do an nmap host identification scan and pull in that information and put it into Subterfuge's database. It will then automatically upload or reload the specific pieces of the page to keep it up to date. So now we can see, we can tell what open ports there are, so we might be able to derive what kind of services they're running. The network view really just gives us a really quick and easy way to see everything that's going on in the network. Everybody who we've got doing anything on the internet through us. And it also lets us control that. So here we're actually going to interact with HTTP code injection through the network view. If we go ahead and click that and we check the running box, then everybody on the network is now being injected. We use Metasploit, so we can pick the vector as browser autopwn and our payload. In this case we're going to go ahead and use iframe injection, simply because iframe injection is just really transparent and works really well. Some browsers don't like it, which is why we have other options, but that's what we'll go ahead and do. Now if we just hit apply, it starts it up. So that runs a Metasploit script which is run dynamically through Subterfuge. It will grab your IP address and start injecting that in a hidden iframe into users' browsing sessions.
So there we go, we got somebody who browsed on the internet anywhere, and that's running a payload through Metasploit trying to exploit into that victim's browser. And we just got a session. In this case it was a session that was generated on a Windows 7 box running the Google Chrome browser, and since Metasploit stays very well updated and browser autopwn is run directly through Metasploit, you can also guarantee that this attack is going to stay applicable and that you're going to continue to be using the latest exploits that are in Metasploit's database, as long as you update Metasploit. So this really just demonstrates a new way to interact with the man-in-the-middle position, a new way to really control the network and to own peeps.

Right. So it's a framework, right? And it does some things now, but what if you came up with your own little network exploit, or a plugin to actually do something with that, you know, position? Well, what do you do, right? You could build your whole own tool that just gets man in the middle, uses man in the middle to do whatever cool thing it is you came up with, and, you know, it's got whatever interface you also built for it. But with Subterfuge you can actually go ahead and build any program you'd like in Python, and you can use the Subterfuge module builder to generate everything else for you. So if it's a network exploit you can use that, or if it's a way to leverage a man in the middle, you use the module builder and configure it. Subterfuge will automatically generate all the graphical user interface code that you need, rather than having to do any of that yourself, rather than having to touch nasty JavaScript, and it can be really nasty, especially if you want to have really good graphical user interface interactions that happen, you know, statefully on a stateless protocol. Subterfuge will go ahead and do all of that for you. And finally, we've also got our settings.
With an attack tool, for the most part, settings are done through configuration files, or at the very least they tend to be a pain in the rear, and if you do something wrong, everything just doesn't work and you can bring down the network, and if you're doing a penetration test, that's just unacceptable. You can't really ever bring down some corporation's network when they brought you in just to test to see if it was secure. I mean, there's the database and reload rate to display to the hacker how new the data is, which is really important, especially with a server-client architecture. For instance, if you're running old routing equipment that can't really handle too much traffic, and you're collaborating with 10 people at the same time through one Subterfuge server, and you use the default and you're refreshing that every single second, then all of that old system might not really like it too much. With Subterfuge you can go ahead and control that; you can dial it up, you can dial it down, really the sky's the limit. And the same thing is true of injection rates. So if I'm injecting, say, a Metasploit, a link to Metasploit, into a browser, so I'm owning them with Metasploit, well, you know, we had the other talk earlier who had 1400 shells, something ridiculous. If I want, it gives me the chance to get my shell, turn HTTP code injection off, and remain as transparent on the network as possible. It also allows us to control really how the ARP poison works, though through dynamic poison retention that might mean that we want to dial down, or it means certainly that we can dial down, how often we send ARPs on the network without actually losing the poison. So if we want to be really silent on the network, with Subterfuge it's really easy to do.

Okay, so now we've talked a lot about Subterfuge, and in the end we really want the router companies to be fixing this at the consumer product level, but let's talk about some of the countermeasures and how you can protect yourself in the meantime. I'm just going
to go into a quick explanation of a quick fix that I thought of, that I'm calling gateway self-awareness: the gateway is aware of its own network adapters, like if it knows its own LAN MAC address and its own LAN IP address. That can prevent all these attacks from happening, because the router is what sends all the packets around, so if a router gets a packet that says, hey, this is the router's IP address, but that's not my MAC address, it drops the packet. The attack is thwarted; it would never go through. Protection: there are enterprise-level protections, obviously, with DHCP snooping and Cisco magic, and they can bring that down to the consumer level too, but I think that it should be demanded by the consumers that they be protected from this at public hotspots or other just consumer routers.

But in the meantime, I'm going to go over some of the things that we found through our development. One thing that we saw was just the way Google Chrome organizes how it displays a web page. With Google Chrome, the favicon is displayed, the favicon of the website is actually displayed on the top of the tab. Now sslstrip has this really nasty feature where you can inject a lock icon for someone who's had that HTTPS downgrade attack, so if you're browsing somewhere, that lock will show up, which will be a further way that people will be like, okay, I'm secure, I'm going to keep going. However, with Chrome there's a specific icon built into the browser that says I'm secure or I'm not secure, and that's what's next to the URL, and the favicon is on the top, so it's just easy to see. The other thing is the handshake: because that would set up some certificate errors, it wouldn't be as stealthy and transparent to the users, and that's not what we wanted. So if you ever look at the URL bar, it actually will always say HTTP. The only way sslstrip works is it banks on you saying, I'm going to www.google or facebook.com, not typing HTTPS colon slash slash. So you're safe that way. But even if you're just browsing, clicking on links, because sslstrip goes through pages
and takes the S out of all the links if you're just browsing if you look up and you don't see an S you're not secure so always look for that S just recently we actually had the idea and I built a proof of concept program that can actually only it's written in Python and like I said it's a proof concept but you connect to a network you run this thing and it'll sit there and if there's ever an attacker it will pop up and tell you and all it does is it compares the ARP tables and make sure there aren't two IP addresses mapping the same connection and tunneling protocol that's obviously going to help you too so those are just a couple of things that you can do to help yourself out excuse me so we're also looking at future work Subrefuge is still in beta and it's a work in progress can you do yours too first time excuse me I'm going to skip down to mine I'm doing collaboration support one of the server client architecture so we really just wanted to work on the conflict resolution and make it more usable in a collaborative environment and one idea we were actually given was to have Subrefuge as a payload delivery for a Metasploit payload there's something in the future like that we talked a much about trying to figure out future work but pretty much man in the middle attacks right now do it so we're thinking about somehow packaging up Subrefuge as a remote deployable tool so that you can own a box on a foreign remote network have a pivot deploy a Subrefuge server and start man in the middle of a foreign and remote network without having to be there and we thought that would be pretty devastating in terms of penetration testing and what kind we're looking at Subrefuge is a future project it's still in beta and we're really working on what Subrefuge is going to be rather than what it just is right now and that really includes other mechanisms of gaining a man in the middle position as well as other ways to use it for instance we're looking at other ways to get a man in 
the middle position exploiting DHCP race conditions in order to this would do something kind of like what karma tends to do where it would start up a Wi-Fi server or excuse me a Wi-Fi access point as Subrefuge and Subrefuge would go ahead and do this for you so if we go to say the Las Vegas airport over here we'd see free public Wi-Fi it's everywhere and it's always real always but aside from that we'd also find people who actually think that it's secure is just absolutely astounding so Subrefuge would then be able to set up an access point like this for you you'd basically type in the name of the access point that you wanted and people would connect to it you're not really exploiting anything except for the fact that people just think they're secure when they really should know better but it's another mechanism gaining man in the middle Subrefuge and still use everything else without having to redo anything we're also looking at different ways to actually excise said position for instance two years ago so I think Defcon 2010 there was a tool released called Evil Grade and if you've got a man in the middle position it'll go ahead and pretend that there are updates for any given application out there used to that so they're going to click install updates if Subrefuge is man in the middle and Evil Grade plug-in is running you'd be able to iTunes would go out and it would look for a new update Evil Grade would say hey, here's one and it would automatically give it to you and that all within Subrefuge's interface which is really an idea or an example of how extensible Subrefuge tends to be because it's there you can use the GUI you can use the mechanisms of gaining man in the middle and you can use really everything else we're also looking at OS compatibility because Subrefuge is really supposed to be a tool that spreads awareness about how bad the threat and the risk of somebody being man in the middle to you is we're but the point is we'll be able to extend it and 
port it to different applications so that consumers of routers who really don't necessarily know how vulnerable they are will have the ability to really see it everywhere or even pull it down themselves before they go out and buy a router and really realize how bad things really can be so in summary so far we've learned that apparently my co-developer was a little bit about man in the middle attacks just our framework getting versus leveraging our position and just that split we had a couple demonstrations and talked about the counter measures to keep yourself safe in the meantime and we also talked about our future work so here's a link to our site where you can get the code we just wanted to thank you guys all