Tuesday, June 03, 2008

Old School Layer 2 Hacking

When I designed my TCP/IP Weapons School class my intent was to teach TCP/IP at an advanced level using traffic generated by security tools. I thought the standard approach of showing all normal traffic was boring. Sometimes students (or those on the sidelines) wonder why I should bother teaching a technique like ARP spoofing at all, when layer 7 attacks are what the cool kids are doing these days. One answer is below.

Ref: Sunbelt Blog

How could this happen? It turns out it wasn't the fault of the Metasploit Project. Rather, a server in the same VLAN as the Metasploit Project was compromised and used to ARP spoof the gateway of the Metasploit Project Web site. See Full Disclosure: Re: Metasploit - Hack ? and this for details.

HD Moore responded to the incident by adding the proper MAC address for his Web hoster's gateway as a static entry to his ARP cache.

This is a great example of a cloud security problem. You host your content at a third party, and you rely upon that third party -- and potentially other customers of that third party -- to implement adequate security. In this case, at least one other customer was vulnerable, and the Web hosting company didn't take adequate measures to protect its switching infrastructure. Of course the intruder who ran the ARP spoofing attack is really at fault, but this event demonstrates the trade-off associated with relying upon third parties.

Incidentally, this marks the third event of "modern history" involving ARP spoofing I've documented here. Earlier incidents included Freenode admin credentials and injecting malicious IFRAMEs at another Web hosting provider.

If you're interested in my Black Hat class, we increased the seat count to 80 per class (instead of 60). Registration is still open.

4 comments:

Michelle Montianto said...

is hacking illegal?

Roland Dobbins said...

Whoever is responsible for the switching infrastructure should implement the various layer-2 security mechanisms which are available on modern switches, such as port, pVLANs, IP Source Guard/DHCP Snooping (works for static addresses, too) in order to mitigate the risk of attacks of this type being successfully launched. Proper instrumentation and telemetry collection/analysis would've let the opsec team know something was afoot, as well.

sil said...

You know, security "practitioners" nowadays are so focused on application level security they often forget about the other layers. When it comes to "security" sites, they should have known better especially team Metasploit who is providing PACH's (Point and Click Hackers) with all inclusive tools.

Mad Irish said...

I don't know why anyone would discount ARP spoofing as a legitimate attack vector. There was a pretty big EDU incident this last year where malware on a machine was ARP spoofing and doing code injection attacks as people requested HTTP through the malware infected machine. The details were released during a presentation at Educause Security 2008 ('An ARP Spoofing and Router Impersonation Incident' by David Greenberg of Indiana University). It's an incredibly effective malware distribution tool.