Metasploit Site Hijacked by ARP Poisoning Attack

The New Acunetix V12 Engine


Crackers briefly hijacked hacking tools website Metasploit.com on Monday.

Metasploit is an advanced open-source exploit development platform used by most pen-testers. A tool we often mention here on Darknet.

On Monday the site was redirected to a page announcing the site was “hacked by sunwear ! just for fun“, as recorded by Sunbelt Software.

Unidentified miscreants used an ARP poisoning attack aimed at the network of Metasploit’s hosting provider in order to pull off the hack. The Metasploit project was quickly restored. H D Moore, the creator of the project, explained what happened in response to online reports of the hack.

“Another customer on the same ISP was compromised and used to ARP poison all servers in that subnet. I corrected the problem by setting a static ARP entry and notifying the ISP. To make it very clear – the metasploit.com servers were not compromised, nor have been to this date,” he said

So don’t worry, the Metasploit packages are safe as the server was NOT compromised it was a network level attack and a redirect rather than an actual intrusion.

Source: The Register

Posted in: Networking Hacking, Web Hacking

, , ,


Latest Posts:


Eraser - Windows Secure Erase Hard Drive Wiper Eraser – Windows Secure Erase Hard Drive Wiper
Eraser is a hard drive wiper for Windows which allows you to run a secure erase and completely remove sensitive data from your hard drive by overwriting it several times with carefully selected patterns.
Insecure software versions are a problem Web Security Stats Show XSS & Outdated Software Are Major Problems
Netsparker just published some anonymized Web Security Stats about the security vulnerabilities their online solution identified on their users’ web applications and web services during the last 3 years.
CTFR - Abuse Certificate Transparency Logs For HTTPS Subdomains CTFR – Abuse Certificate Transparency Logs For HTTPS Subdomains
CTFR is a Python-based tool to Abuse Certificate Transparency Logs to get subdomains from a HTTPS website in a few seconds.
testssl.sh - Test SSL Security Including Ciphers, Protocols & Detect Flaws testssl.sh – Test SSL Security Including Ciphers, Protocols & Detect Flaws
testssl.sh is a free command line tool to test SSL security, it checks a server's service on any port for the support of TLS/SSL ciphers, protocols as well as recent cryptographic flaws and more.
Four Year Old libSSH Bug Leaves Servers Wide Open Four Year Old libssh Bug Leaves Servers Wide Open
A fairly serious 4-year old libssh bug has left servers vulnerable to remote compromise, fortunately, the attack surface isn't that big as neither OpenSSH or the GitHub implementation are affected.
CHIPSEC - Platform Security Assessment Framework CHIPSEC – Platform Security Assessment Framework For Firmware Hacking
CHIPSEC is a platform security assessment framework for PCs including hardware, system firmware (BIOS/UEFI), and platform components for firmware hacking.


10 Responses to Metasploit Site Hijacked by ARP Poisoning Attack

  1. Jinesh Doshi June 6, 2008 at 5:57 am #

    Got scared for a moment.

  2. Pantagruel June 6, 2008 at 8:55 am #

    Mmm didn’t we discuss ARP poisoning some time ago on Darknet.
    A very clear example of how ‘easy’ ARP poisoning will get the end user to a wrong website and only because of a compromised host at the same ISP on the same subnet.

  3. BMX guy June 6, 2008 at 9:16 am #

    But the fact is, why would anyone attack a community site, If they wanted the publicity they could as well have attacked the BBC website.

  4. Pantagruel June 6, 2008 at 11:14 am #

    @BMX guy

    most likely because they where able to compromise a host on the same ISP/ subnet and the BBC website will most likely be on another subnet/ISP. I guess the necessary requirements to use ARP poisoning on a more public target (e.g. bbc.co.uk ) weren’t met.

  5. Navin June 7, 2008 at 5:47 am #

    sunwear?? sounds like a bikini collection

  6. razta June 7, 2008 at 2:06 pm #

    What excly did they do? ARP posison the network to sniff the username and password of the DNS server and then change the DNS settings?

  7. Navin June 8, 2008 at 9:09 am #

    @ razta, I guess so, esp. considering tht the metasploit.com servers were not compromised at all!!

    for a nice article on ARP poisoning:
    http://www.watchguard.com/infocenter/editorial/135324.asp

  8. Bogwitch June 9, 2008 at 8:07 am #

    Razta,

    What ARP does is handle the IP to MAC address mappings. What would appear to have happened in this case is:

    A host on the same subnet was compromised. That host was then used to send out ARP poisoning packets. The way the ARP poisoning packets work is to tell the switch that the servers are connected to that IP address w.x.y.z can be found at MAC address pp.qq.rr.ss.tt.uu.vv rather than the actual MAC address relating to that IP address. The switch then sends the packets destined for the original IP address to new MAC address and onto the compromised server which in this case, was set up to respond. Since MAC addresses are only used on the Ethernet segment and not routed across the Internet, it would have to be a host on the same Ethernet segment that was compromised.

    So, Metasploit servers were not compromised in ANY way, no passwords sniffed (as far as we are aware). The DNS was not affected in any way, that’s a different type of address resolution protocol.

  9. 1337ullus June 9, 2008 at 6:58 pm #

    Actually, they owned the ARP entry that resolv to metasploit websites IP.

    I would say that you must not trust binaries that have been downloaded during the attack and you should check hashes now.
    If they owned the ARP entry, they could have mirrored the website, and compromised binaries.

    Also setting static ARP in hist host might not be a solution, as the entry must be statically set in the ISP router to be really trusted…

    Regards

  10. china June 15, 2008 at 1:42 am #

    sunwear is a chinese hacker