Comments on: Metasploit Site Hijacked by ARP Poisoning Attack

By: china

china — Sun, 15 Jun 2008 01:42:44 +0000

sunwear is a chinese hacker

By: 1337ullus

1337ullus — Mon, 09 Jun 2008 18:58:10 +0000

Actually, they owned the ARP entry that resolv to metasploit websites IP.

I would say that you must not trust binaries that have been downloaded during the attack and you should check hashes now.
If they owned the ARP entry, they could have mirrored the website, and compromised binaries.

Also setting static ARP in hist host might not be a solution, as the entry must be statically set in the ISP router to be really trusted…

Regards

By: Bogwitch

Bogwitch — Mon, 09 Jun 2008 08:07:52 +0000

Razta,

What ARP does is handle the IP to MAC address mappings. What would appear to have happened in this case is:

A host on the same subnet was compromised. That host was then used to send out ARP poisoning packets. The way the ARP poisoning packets work is to tell the switch that the servers are connected to that IP address w.x.y.z can be found at MAC address pp.qq.rr.ss.tt.uu.vv rather than the actual MAC address relating to that IP address. The switch then sends the packets destined for the original IP address to new MAC address and onto the compromised server which in this case, was set up to respond. Since MAC addresses are only used on the Ethernet segment and not routed across the Internet, it would have to be a host on the same Ethernet segment that was compromised.

So, Metasploit servers were not compromised in ANY way, no passwords sniffed (as far as we are aware). The DNS was not affected in any way, that’s a different type of address resolution protocol.

By: Navin

Navin — Sun, 08 Jun 2008 09:09:48 +0000

@ razta, I guess so, esp. considering tht the metasploit.com servers were not compromised at all!!

for a nice article on ARP poisoning:
http://www.watchguard.com/infocenter/editorial/135324.asp

By: razta

razta — Sat, 07 Jun 2008 14:06:33 +0000

What excly did they do? ARP posison the network to sniff the username and password of the DNS server and then change the DNS settings?

By: Navin

Navin — Sat, 07 Jun 2008 05:47:59 +0000

sunwear?? sounds like a bikini collection

By: Pantagruel

Pantagruel — Fri, 06 Jun 2008 11:14:26 +0000

@BMX guy

most likely because they where able to compromise a host on the same ISP/ subnet and the BBC website will most likely be on another subnet/ISP. I guess the necessary requirements to use ARP poisoning on a more public target (e.g. bbc.co.uk ) weren’t met.

By: BMX guy

BMX guy — Fri, 06 Jun 2008 09:16:38 +0000

But the fact is, why would anyone attack a community site, If they wanted the publicity they could as well have attacked the BBC website.

By: Pantagruel

Pantagruel — Fri, 06 Jun 2008 08:55:35 +0000

Mmm didn’t we discuss ARP poisoning some time ago on Darknet.
A very clear example of how ‘easy’ ARP poisoning will get the end user to a wrong website and only because of a compromised host at the same ISP on the same subnet.

By: Jinesh Doshi

Jinesh Doshi — Fri, 06 Jun 2008 05:57:13 +0000

Got scared for a moment.