Full Disclosure mailing list archives

Re: Metasploit - Hack ?

From: H D Moore <fdlist () digitaloffense net>
Date: Mon, 2 Jun 2008 13:06:11 -0500

Problem solved. Someone is ARP poisoning the IP address of the router on which the www.metasploit.com server resides. 
I hardcoded an ARP entry for the real router and that seems to solve the MITM issue. It doesn't help the other 250 
servers 
on that network, but thats an issue for the ISP to resolve. I included a traffic sample of the ARP poisoning below, if 
anyone
is interested:

13:04:38.967562 00:15:f2:4b:cd:3a > 00:15:f2:4b:d0:c9, ethertype ARP (0x0806), length 60: arp reply 216.75.15.1 is-at 
00:05:dc:0c:84:00
13:04:39.768055 00:15:f2:4b:cd:3a > 00:15:f2:4b:d0:c9, ethertype ARP (0x0806), length 60: arp reply 216.75.15.1 is-at 
00:15:f2:4b:cd:3a
13:04:40.397616 00:15:f2:4b:cd:3a > 00:15:f2:4b:d0:c9, ethertype ARP (0x0806), length 60: arp reply 216.75.15.1 is-at 
00:05:dc:0c:84:00
13:04:40.397686 00:15:f2:4b:cd:3a > 00:15:f2:4b:d0:c9, ethertype ARP (0x0806), length 60: arp reply 216.75.15.1 is-at 
00:15:f2:4b:cd:3a
13:04:40.397751 00:15:f2:4b:cd:3a > 00:15:f2:4b:d0:c9, ethertype ARP (0x0806), length 60: arp reply 216.75.15.1 is-at 
00:15:f2:4b:cd:3a
13:04:40.397819 00:15:f2:4b:cd:3a > 00:15:f2:4b:d0:c9, ethertype ARP (0x0806), length 60: arp reply 216.75.15.1 is-at 
00:15:f2:4b:cd:3a
13:04:40.397886 00:15:f2:4b:cd:3a > 00:15:f2:4b:d0:c9, ethertype ARP (0x0806), length 60: arp reply 216.75.15.1 is-at 
00:15:f2:4b:cd:3a
13:04:41.127384 00:15:f2:4b:cd:3a > 00:15:f2:4b:d0:c9, ethertype ARP (0x0806), length 60: arp reply 216.75.15.1 is-at 
00:15:f2:4b:cd:3a
13:04:41.127446 00:15:f2:4b:cd:3a > 00:15:f2:4b:d0:c9, ethertype ARP (0x0806), length 60: arp reply 216.75.15.1 is-at 
00:15:f2:4b:cd:3a
13:04:41.447854 00:15:f2:4b:cd:3a > 00:15:f2:4b:d0:c9, ethertype ARP (0x0806), length 60: arp reply 216.75.15.1 is-at 
00:15:f2:4b:cd:3a
13:04:41.447914 00:15:f2:4b:cd:3a > 00:15:f2:4b:d0:c9, ethertype ARP (0x0806), length 60: arp reply 216.75.15.1 is-at 
00:15:f2:4b:cd:3a
13:04:41.826560 00:15:f2:4b:cd:3a > 00:15:f2:4b:d0:c9, ethertype ARP (0x0806), length 60: arp reply 216.75.15.1 is-at 
00:15:f2:4b:cd:3a
13:04:42.768019 00:15:f2:4b:cd:3a > 00:15:f2:4b:d0:c9, ethertype ARP (0x0806), length 60: arp reply 216.75.15.1 is-at 
00:15:f2:4b:cd:3a
13:04:43.397341 00:15:f2:4b:cd:3a > 00:15:f2:4b:d0:c9, ethertype ARP (0x0806), length 60: arp reply 216.75.15.1 is-at 
00:05:dc:0c:84:00
13:04:43.397410 00:15:f2:4b:cd:3a > 00:15:f2:4b:d0:c9, ethertype ARP (0x0806), length 60: arp reply 216.75.15.1 is-at 
00:15:f2:4b:cd:3a
13:04:43.397476 00:15:f2:4b:cd:3a > 00:15:f2:4b:d0:c9, ethertype ARP (0x0806), length 60: arp reply 216.75.15.1 is-at 
00:15:f2:4b:cd:3a
13:04:43.397548 00:15:f2:4b:cd:3a > 00:15:f2:4b:d0:c9, ethertype ARP (0x0806), length 60: arp reply 216.75.15.1 is-at 
00:15:f2:4b:cd:3a
13:04:44.182397 00:15:f2:4b:cd:3a > 00:15:f2:4b:d0:c9, ethertype ARP (0x0806), length 60: arp reply 216.75.15.1 is-at 
00:15:f2:4b:cd:3a
13:04:44.182464 00:15:f2:4b:cd:3a > 00:15:f2:4b:d0:c9, ethertype ARP (0x0806), length 60: arp reply 216.75.15.1 is-at 
00:15:f2:4b:cd:3a
13:04:44.447680 00:15:f2:4b:cd:3a > 00:15:f2:4b:d0:c9, ethertype ARP (0x0806), length 60: arp reply 216.75.15.1 is-at 
00:15:f2:4b:cd:3a
13:04:44.447749 00:15:f2:4b:cd:3a > 00:15:f2:4b:d0:c9, ethertype ARP (0x0806), length 60: arp reply 216.75.15.1 is-at 
00:15:f2:4b:cd:3a
13:04:44.826588 00:15:f2:4b:cd:3a > 00:15:f2:4b:d0:c9, ethertype ARP (0x0806), length 60: arp reply 216.75.15.1 is-at 
00:15:f2:4b:cd:3a
13:04:45.768273 00:15:f2:4b:cd:3a > 00:15:f2:4b:d0:c9, ethertype ARP (0x0806), length 60: arp reply 216.75.15.1 is-at 
00:05:dc:0c:84:00
13:04:46.396933 00:15:f2:4b:cd:3a > 00:15:f2:4b:d0:c9, ethertype ARP (0x0806), length 60: arp reply 216.75.15.1 is-at 
00:15:f2:4b:cd:3a
13:04:46.397001 00:15:f2:4b:cd:3a > 00:15:f2:4b:d0:c9, ethertype ARP (0x0806), length 60: arp reply 216.75.15.1 is-at 
00:15:f2:4b:cd:3a
13:04:46.397066 00:15:f2:4b:cd:3a > 00:15:f2:4b:d0:c9, ethertype ARP (0x0806), length 60: arp reply 216.75.15.1 is-at 
00:15:f2:4b:cd:3a
13:04:47.174445 00:15:f2:4b:cd:3a > 00:15:f2:4b:d0:c9, ethertype ARP (0x0806), length 60: arp reply 216.75.15.1 is-at 
00:05:dc:0c:84:00
13:04:47.174514 00:15:f2:4b:cd:3a > 00:15:f2:4b:d0:c9, ethertype ARP (0x0806), length 60: arp reply 216.75.15.1 is-at 
00:15:f2:4b:cd:3a
13:04:47.448530 00:15:f2:4b:cd:3a > 00:15:f2:4b:d0:c9, ethertype ARP (0x0806), length 60: arp reply 216.75.15.1 is-at 
00:15:f2:4b:cd:3a

On Monday 02 June 2008, Jacques Erasmus wrote:

Seems like the metasploit site has been hacked.



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

Metasploit - Hack ? Jacques Erasmus (Jun 02)
- Re: Metasploit - Hack ? H D Moore (Jun 02)
  - Re: Metasploit - Hack ? H D Moore (Jun 02)
  - Re: Metasploit - Hack ? n3td3v (Jun 04)
    - Re: Metasploit - Hack ? T Biehn (Jun 05)
    - Re: Metasploit - Hack ? Ureleet (Jun 11)
    - Re: Metasploit - Hack ? T Biehn (Jun 11)
- Re: Metasploit - Hack ? Paul Schmehl (Jun 02)