An attack this week targeting the Metasploit website redirected visitors to a phony page proclaiming the hack -- but the hacking tool site's servers remained intact.
HD Moore, creator of Metasploit and director of security research for BreakingPoint Systems, says the attack didn't actually touch the Metasploit servers themselves. The attacker or attackers instead infected another server on the same hosting provider's network as Metasploit to execute a so-called Address Resolution Protocol (ARP) poisoning attack aimed at Metasploit.
"[It was] just a funny hack," Moore says. "I would think it was much cooler if they didn't have to own someone else to do it."
The attack was a man-in-the-middle exploit that ARP-spoofed the router to Metasploit. The fake router modified all of the traffic that went through it, including that of other servers on the hosting provider's network. Visitors to Metasploit were sent to a Chinese page that said "hacked by sunwear! just for fun" and included a note about selling a zero-day exploit. Moore says that although the attacker who took credit for the attack on the fake page was from China, there's no way to know for sure whether that same attacker was the one who initially hacked the server that was used in the attack.
Moore first heard about a problem on Sunday evening while out of town at a conference, when someone contacted him to say they had seen an intermittent redirect on the Metasploit site. "I checked out the server itself, verified it had not been compromised, and went to sleep," Moore says. The next day, after delivering a keynote address at the conference, he got wind that there was officially a man-in-the-middle attack underway.
"So I headed upstairs, figured out it was an ARP spoof of the gateway, hard-coded the MAC address of the real router, and called it done after sending out some quick emails," he says.
Moore says the Metasploit servers themselves have never to date been hacked. Still, he plans to add an ARP-alerting tool to the site, he says, as well as some other precautions. Using a tool like "arpwatch" will send alerts when the address changes, he says, although it won't help when there's a redirect-type attack further up the link chain.
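The two defences Moore describes, pinning the real router's MAC and running an arpwatch-style monitor that alerts when an IP-to-MAC mapping changes, are easy to see in code. The following is an added example written for this article, not code from Metasploit, arpwatch or Moore: it parses tcpdump-style ARP reply lines (the sample lines, the addresses and the pinned gateway MAC are all constructed for the example), flags any reply that claims the pinned gateway IP with a different MAC, and flags MAC flip-flops for any other host.

```python
import re

# Constructed sample input (not from the article): tcpdump-style ARP reply
# lines as they might be seen on a shared hosting segment. The first reply for
# the gateway 10.0.0.1 is legitimate; the third claims the gateway IP from a
# different MAC, which is what a gateway ARP-spoof looks like on the wire.
SAMPLE_ARP_LINES = [
    "ARP, Reply 10.0.0.1 is-at 00:11:22:33:44:55, length 28",
    "ARP, Reply 10.0.0.50 is-at aa:bb:cc:dd:ee:01, length 28",
    "ARP, Reply 10.0.0.1 is-at de:ad:be:ef:00:01, length 28",   # spoofed gateway reply
    "ARP, Reply 10.0.0.50 is-at aa:bb:cc:dd:ee:01, length 28",  # unchanged, no alert
    "ARP, Reply 10.0.0.60 is-at aa:bb:cc:dd:ee:02, length 28",
    "ARP, Reply 10.0.0.60 is-at aa:bb:cc:dd:ee:03, length 28",  # flip-flop on a non-pinned host
]

# Trusted gateway MAC, hard-coded the way Moore pinned the real router.
# The value is an assumption made for this example.
PINNED = {"10.0.0.1": "00:11:22:33:44:55"}

ARP_REPLY = re.compile(r"Reply (\d+\.\d+\.\d+\.\d+) is-at ([0-9a-fA-F:]{17})")


def parse_arp_reply(line):
    """Return (ip, mac) from a tcpdump-style ARP reply line, or None for
    anything else (requests, non-ARP lines)."""
    m = ARP_REPLY.search(line)
    if not m:
        return None
    return m.group(1), m.group(2).lower()


class ArpMonitor:
    """arpwatch-style tracker. For pinned IPs every reply is checked against
    the trusted MAC; for other IPs the first MAC seen is learned and a later
    different MAC raises a change alert."""

    def __init__(self, pinned):
        self.pinned = {ip: mac.lower() for ip, mac in pinned.items()}
        self.learned = {}   # ip -> most recently seen MAC
        self.alerts = []

    def observe(self, ip, mac):
        expected = self.pinned.get(ip)
        if expected is not None:
            if mac != expected:
                self.alerts.append(
                    f"gateway-spoof {ip}: pinned {expected}, saw {mac}")
            return
        prev = self.learned.get(ip)
        if prev is None:
            self.learned[ip] = mac
        elif prev != mac:
            self.alerts.append(f"mac-change {ip}: {prev} -> {mac}")
            self.learned[ip] = mac


def scan(lines, pinned=PINNED):
    """Feed ARP reply lines through the monitor and return the alert list."""
    mon = ArpMonitor(pinned)
    for line in lines:
        parsed = parse_arp_reply(line)
        if parsed:
            mon.observe(*parsed)
    return mon.alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_ARP_LINES):
        print(alert)
```

On a Linux host the pinning step corresponds to a static ARP entry for the gateway, for example `arp -s 10.0.0.1 00:11:22:33:44:55`, so that a spoofed reply can no longer overwrite the cache entry. The monitor only sees traffic on its own segment, which is the limitation Moore points out: it cannot detect a redirect performed further up the link chain.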
"If anything, the takeaway is that ARP spoofing is still very effective for networks with machines consisting of different levels of security," Moore says. "The weakest link gets owned, then used to hijack traffic to the stronger servers."