Metasploit Hacking Tool Site Hacked But Not 'Owned'

Man-in-the middle attack redirects visitors to hacker's page

An attack this week targeting the Metasploit Website redirected visitors to a phony page proclaiming the hack -- but the hacking tool site’s servers remained intact.

HD Moore, creator of Metasploit and director of security research for BreakingPoint Systems, says the attack didn’t actually touch the Metasploit servers themselves. The attacker or attackers instead infected another server on the same hosting provider network as Metasploit to execute a so-called Address Resolution Protocol (ARP) poisoning attack aimed at Metasploit.

“[It was] just a funny hack,” Moore says. “I would think it was much cooler if they didn't have to own someone else to do it.”

The attack was a man-in-the-middle exploit that ARP-spoofed the router to Metasploit. The fake router modified all of the traffic that went through it, including that of other servers on the hosting provider’s network. Visitors to Metasploit were sent to a Chinese page that said “hacked by sunwear! just for fun” and included a note about selling a zero-day exploit. Moore says although the attacker who took credit for the attack on the fake page was from China, there’s no way to know for sure if that same attacker was the one who initially hacked the server which was used in the attack.

Moore first heard about a problem on Sunday evening while out of town at a conference, when someone contacted him to say they had seen an intermittent redirect on the Metasploit site. “I checked out the server itself, verified it had not been compromised, and went to sleep,” Moore says. The next day after delivering a keynote address at the conference, he got wind that there was officially a man-in-the middle attack underway.

“So I headed upstairs, figured out it was an ARP spoof of the gateway, hard coded the MAC address of the real router, and called it done after sending out some quick emails,” he says.

Moore says the Metasploit servers themselves have never to date been hacked. Still, he plans to add an ARP-alerting tool to the site, he says, as well as some other precautions. “Using a tool like 'arpwatch’… will send alerts when the address changes,” he says, although it won’t help when there’s a redirect-type attack further up the link chain.

“If anything, the takeaway is that ARP spoofing is still very effective for networks with machines consisting of different levels of security,” Moore says. “The weakest link gets owned, then used to hijack traffic to the stronger servers.”

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

About the Author(s)

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights