Re: [Full-disclosure] Metasploit - Hack ?

2008-06-11 Thread T Biehn
oh man.


On Wed, Jun 11, 2008 at 2:28 PM, Ureleet <[EMAIL PROTECTED]> wrote:
> oh, and for those that were confused..
>
> 
>
> On Thu, Jun 5, 2008 at 4:14 PM, T Biehn <[EMAIL PROTECTED]> wrote:
>> Did you just totally match up two instances of the string "ARP
>> Poisoning"? You've got a lot more skills than the industry gives you
>> credit for. I for one would be glad to replace my Guhnue software with
>> one n3td3v expert analysiser.
>
> 
>



This could get dangerous.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Metasploit - Hack ?

2008-06-11 Thread Ureleet
oh, and for those that were confused..



On Thu, Jun 5, 2008 at 4:14 PM, T Biehn <[EMAIL PROTECTED]> wrote:
> Did you just totally match up two instances of the string "ARP
> Poisoning"? You've got a lot more skills than the industry gives you
> credit for. I for one would be glad to replace my Guhnue software with
> one n3td3v expert analysiser.





Re: [Full-disclosure] Metasploit - Hack ?

2008-06-05 Thread T Biehn
Did you just totally match up two instances of the string "ARP
Poisoning"? You've got a lot more skills than the industry gives you
credit for. I for one would be glad to replace my Guhnue software with
one n3td3v expert analysiser.

On Wed, Jun 4, 2008 at 12:31 PM, n3td3v <[EMAIL PROTECTED]> wrote:
> On Mon, Jun 2, 2008 at 6:57 PM, H D Moore <[EMAIL PROTECTED]> wrote:
>> Looks like someone is doing ARP poisoning at the ISP level. The actual
>> metasploit.com server(s) are untouched, but someone is still managing to
>> MITM a large portion of the incoming traffic. To make things even more
>> fun, it's coinciding with a DoS attack (syn floods) on most of the open
>> services.
>>
>> If you are worried about the Metasploit Framework source code being
>> MITM'd during SVN checkouts, use the SSL version of the SVN tree:
>>
>> $ svn co https://metasploit.com/svn/framework3/trunk/
>>
>> -HD
>>
>>
>> On Monday 02 June 2008, Jacques Erasmus wrote:
>>> Seems like the metasploit site has been hacked.
>>
>>
>
> I found this post [1] on my news group; it sounds like an awful
> coincidence though.
>
> [1] 
> http://groups.google.com/group/n3td3v/browse_thread/thread/41b832968eacf1d9
>
> All the best,
>
> n3td3v
>



Re: [Full-disclosure] Metasploit - Hack ?

2008-06-04 Thread n3td3v
On Mon, Jun 2, 2008 at 6:57 PM, H D Moore <[EMAIL PROTECTED]> wrote:
> Looks like someone is doing ARP poisoning at the ISP level. The actual
> metasploit.com server(s) are untouched, but someone is still managing to
> MITM a large portion of the incoming traffic. To make things even more
> fun, it's coinciding with a DoS attack (syn floods) on most of the open
> services.
>
> If you are worried about the Metasploit Framework source code being
> MITM'd during SVN checkouts, use the SSL version of the SVN tree:
>
> $ svn co https://metasploit.com/svn/framework3/trunk/
>
> -HD
>
>
> On Monday 02 June 2008, Jacques Erasmus wrote:
>> Seems like the metasploit site has been hacked.
>
>

I found this post [1] on my news group; it sounds like an awful
coincidence though.

[1] http://groups.google.com/group/n3td3v/browse_thread/thread/41b832968eacf1d9

All the best,

n3td3v



Re: [Full-disclosure] Metasploit - Hack ?

2008-06-02 Thread H D Moore
Problem solved. Someone is ARP poisoning the IP address of the router on which
the www.metasploit.com server resides. I hardcoded an ARP entry for the real
router and that seems to solve the MITM issue. It doesn't help the other 250
servers on that network, but that's an issue for the ISP to resolve. I included
a traffic sample of the ARP poisoning below, if anyone is interested:

13:04:38.967562 00:15:f2:4b:cd:3a > 00:15:f2:4b:d0:c9, ethertype ARP (0x0806), length 60: arp reply 216.75.15.1 is-at 00:05:dc:0c:84:00
13:04:39.768055 00:15:f2:4b:cd:3a > 00:15:f2:4b:d0:c9, ethertype ARP (0x0806), length 60: arp reply 216.75.15.1 is-at 00:15:f2:4b:cd:3a
13:04:40.397616 00:15:f2:4b:cd:3a > 00:15:f2:4b:d0:c9, ethertype ARP (0x0806), length 60: arp reply 216.75.15.1 is-at 00:05:dc:0c:84:00
13:04:40.397686 00:15:f2:4b:cd:3a > 00:15:f2:4b:d0:c9, ethertype ARP (0x0806), length 60: arp reply 216.75.15.1 is-at 00:15:f2:4b:cd:3a
13:04:40.397751 00:15:f2:4b:cd:3a > 00:15:f2:4b:d0:c9, ethertype ARP (0x0806), length 60: arp reply 216.75.15.1 is-at 00:15:f2:4b:cd:3a
13:04:40.397819 00:15:f2:4b:cd:3a > 00:15:f2:4b:d0:c9, ethertype ARP (0x0806), length 60: arp reply 216.75.15.1 is-at 00:15:f2:4b:cd:3a
13:04:40.397886 00:15:f2:4b:cd:3a > 00:15:f2:4b:d0:c9, ethertype ARP (0x0806), length 60: arp reply 216.75.15.1 is-at 00:15:f2:4b:cd:3a
13:04:41.127384 00:15:f2:4b:cd:3a > 00:15:f2:4b:d0:c9, ethertype ARP (0x0806), length 60: arp reply 216.75.15.1 is-at 00:15:f2:4b:cd:3a
13:04:41.127446 00:15:f2:4b:cd:3a > 00:15:f2:4b:d0:c9, ethertype ARP (0x0806), length 60: arp reply 216.75.15.1 is-at 00:15:f2:4b:cd:3a
13:04:41.447854 00:15:f2:4b:cd:3a > 00:15:f2:4b:d0:c9, ethertype ARP (0x0806), length 60: arp reply 216.75.15.1 is-at 00:15:f2:4b:cd:3a
13:04:41.447914 00:15:f2:4b:cd:3a > 00:15:f2:4b:d0:c9, ethertype ARP (0x0806), length 60: arp reply 216.75.15.1 is-at 00:15:f2:4b:cd:3a
13:04:41.826560 00:15:f2:4b:cd:3a > 00:15:f2:4b:d0:c9, ethertype ARP (0x0806), length 60: arp reply 216.75.15.1 is-at 00:15:f2:4b:cd:3a
13:04:42.768019 00:15:f2:4b:cd:3a > 00:15:f2:4b:d0:c9, ethertype ARP (0x0806), length 60: arp reply 216.75.15.1 is-at 00:15:f2:4b:cd:3a
13:04:43.397341 00:15:f2:4b:cd:3a > 00:15:f2:4b:d0:c9, ethertype ARP (0x0806), length 60: arp reply 216.75.15.1 is-at 00:05:dc:0c:84:00
13:04:43.397410 00:15:f2:4b:cd:3a > 00:15:f2:4b:d0:c9, ethertype ARP (0x0806), length 60: arp reply 216.75.15.1 is-at 00:15:f2:4b:cd:3a
13:04:43.397476 00:15:f2:4b:cd:3a > 00:15:f2:4b:d0:c9, ethertype ARP (0x0806), length 60: arp reply 216.75.15.1 is-at 00:15:f2:4b:cd:3a
13:04:43.397548 00:15:f2:4b:cd:3a > 00:15:f2:4b:d0:c9, ethertype ARP (0x0806), length 60: arp reply 216.75.15.1 is-at 00:15:f2:4b:cd:3a
13:04:44.182397 00:15:f2:4b:cd:3a > 00:15:f2:4b:d0:c9, ethertype ARP (0x0806), length 60: arp reply 216.75.15.1 is-at 00:15:f2:4b:cd:3a
13:04:44.182464 00:15:f2:4b:cd:3a > 00:15:f2:4b:d0:c9, ethertype ARP (0x0806), length 60: arp reply 216.75.15.1 is-at 00:15:f2:4b:cd:3a
13:04:44.447680 00:15:f2:4b:cd:3a > 00:15:f2:4b:d0:c9, ethertype ARP (0x0806), length 60: arp reply 216.75.15.1 is-at 00:15:f2:4b:cd:3a
13:04:44.447749 00:15:f2:4b:cd:3a > 00:15:f2:4b:d0:c9, ethertype ARP (0x0806), length 60: arp reply 216.75.15.1 is-at 00:15:f2:4b:cd:3a
13:04:44.826588 00:15:f2:4b:cd:3a > 00:15:f2:4b:d0:c9, ethertype ARP (0x0806), length 60: arp reply 216.75.15.1 is-at 00:15:f2:4b:cd:3a
13:04:45.768273 00:15:f2:4b:cd:3a > 00:15:f2:4b:d0:c9, ethertype ARP (0x0806), length 60: arp reply 216.75.15.1 is-at 00:05:dc:0c:84:00
13:04:46.396933 00:15:f2:4b:cd:3a > 00:15:f2:4b:d0:c9, ethertype ARP (0x0806), length 60: arp reply 216.75.15.1 is-at 00:15:f2:4b:cd:3a
13:04:46.397001 00:15:f2:4b:cd:3a > 00:15:f2:4b:d0:c9, ethertype ARP (0x0806), length 60: arp reply 216.75.15.1 is-at 00:15:f2:4b:cd:3a
13:04:46.397066 00:15:f2:4b:cd:3a > 00:15:f2:4b:d0:c9, ethertype ARP (0x0806), length 60: arp reply 216.75.15.1 is-at 00:15:f2:4b:cd:3a
13:04:47.174445 00:15:f2:4b:cd:3a > 00:15:f2:4b:d0:c9, ethertype ARP (0x0806), length 60: arp reply 216.75.15.1 is-at 00:05:dc:0c:84:00
13:04:47.174514 00:15:f2:4b:cd:3a > 00:15:f2:4b:d0:c9, ethertype ARP (0x0806), length 60: arp reply 216.75.15.1 is-at 00:15:f2:4b:cd:3a
13:04:47.448530 00:15:f2:4b:cd:3a > 00:15:f2:4b:d0:c9, ethertype ARP (0x0806), length 60: arp reply 216.75.15.1 is-at 00:15:f2:4b:cd:3a



> On Monday 02 June 2008, Jacques Erasmus wrote:
> > Seems like the metasploit site has been hacked.


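Added example (not part of HD's message or of the Metasploit project): a small detector run over a few of the ARP replies from the dump above, showing the two signals a practitioner would pull out of that capture. First, 216.75.15.1 is advertised with two different hardware addresses inside a couple of seconds. Second, every frame has the Ethernet source 00:15:f2:4b:cd:3a, including the ones that advertise 00:05:dc:0c:84:00, and a host answering for its own address does not normally send from a different MAC. The "trusted" table (that 00:05:dc:0c:84:00 is the real router) is an assumption for the demonstration; HD does not name the MAC he pinned.

```python
import re
from collections import defaultdict

# Five ARP replies copied from the tcpdump sample in the message above, with
# tcpdump's one-record-per-line form restored (the mail wrapped each record
# over two lines). Every frame comes from 00:15:f2:4b:cd:3a, yet the advertised
# hardware address for 216.75.15.1 alternates between two different MACs.
SAMPLE = """\
13:04:38.967562 00:15:f2:4b:cd:3a > 00:15:f2:4b:d0:c9, ethertype ARP (0x0806), length 60: arp reply 216.75.15.1 is-at 00:05:dc:0c:84:00
13:04:39.768055 00:15:f2:4b:cd:3a > 00:15:f2:4b:d0:c9, ethertype ARP (0x0806), length 60: arp reply 216.75.15.1 is-at 00:15:f2:4b:cd:3a
13:04:40.397616 00:15:f2:4b:cd:3a > 00:15:f2:4b:d0:c9, ethertype ARP (0x0806), length 60: arp reply 216.75.15.1 is-at 00:05:dc:0c:84:00
13:04:40.397686 00:15:f2:4b:cd:3a > 00:15:f2:4b:d0:c9, ethertype ARP (0x0806), length 60: arp reply 216.75.15.1 is-at 00:15:f2:4b:cd:3a
13:04:40.397751 00:15:f2:4b:cd:3a > 00:15:f2:4b:d0:c9, ethertype ARP (0x0806), length 60: arp reply 216.75.15.1 is-at 00:15:f2:4b:cd:3a
"""

# ASSUMPTION for the demo: the Cisco-OUI address is the real router. HD says he
# pinned "the real router" but does not say which MAC that was.
TRUSTED = {"216.75.15.1": "00:05:dc:0c:84:00"}

# tcpdump -e -n form of an ARP reply: "<ts> <eth src> > <eth dst>, ethertype ARP
# (0x0806), length N: arp reply <ip> is-at <mac>". Anything else is ignored.
ARP_REPLY = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<src>[0-9a-f:]{17}) > (?P<dst>[0-9a-f:]{17}), "
    r"ethertype ARP \(0x0806\), length \d+: arp reply (?P<ip>[\d.]+) is-at (?P<mac>[0-9a-f:]{17})$"
)


def parse_arp_replies(text):
    """Yield (timestamp, Ethernet source MAC, IP, advertised MAC) per ARP reply line."""
    for line in text.splitlines():
        m = ARP_REPLY.match(line.strip())
        if m:
            yield m["ts"], m["src"], m["ip"], m["mac"]


def analyze_arp(text, trusted=None):
    """Flag ARP poisoning in tcpdump output.

    trusted is an optional {ip: mac} table of known-good mappings (the values
    one would pin with a static ARP entry). The result holds:
      records      - number of ARP replies parsed
      conflicts    - IPs advertised with more than one MAC, with the sorted MAC list
      src_mismatch - replies whose Ethernet source differs from the MAC they advertise
      spoofed      - replies contradicting the trusted table (empty if none given)
      senders      - Ethernet source MACs behind any conflicting or spoofed reply,
                     i.e. the port(s) to go and find on the switch
    """
    trusted = trusted or {}
    records = list(parse_arp_replies(text))

    macs_for_ip = defaultdict(set)
    for _, _, ip, mac in records:
        macs_for_ip[ip].add(mac)
    conflicts = {ip: sorted(macs) for ip, macs in macs_for_ip.items() if len(macs) > 1}

    src_mismatch = [r for r in records if r[1] != r[3]]
    spoofed = [r for r in records if r[2] in trusted and trusted[r[2]] != r[3]]
    senders = {r[1] for r in records if r[2] in conflicts or r in spoofed}

    return {
        "records": len(records),
        "conflicts": conflicts,
        "src_mismatch": src_mismatch,
        "spoofed": spoofed,
        "senders": sorted(senders),
    }


def static_arp_command(ip, mac):
    """The classic BSD/Linux one-liner for pinning a gateway entry, as HD describes doing."""
    return f"arp -s {ip} {mac}"


if __name__ == "__main__":
    report = analyze_arp(SAMPLE, trusted=TRUSTED)
    for ip, macs in report["conflicts"].items():
        print(f"{ip} advertised with {len(macs)} MACs: {', '.join(macs)}")
    print(f"{len(report['src_mismatch'])} replies sent from a MAC other than the one advertised")
    print(f"{len(report['spoofed'])} replies contradict the trusted table")
    print("suspect sender(s):", ", ".join(report["senders"]))
    for ip, mac in TRUSTED.items():
        print("pin with:", static_arp_command(ip, mac))
```

Two caveats when using this on a real segment. A gateway pair running HSRP/VRRP can legitimately advertise a virtual MAC from a frame with a different Ethernet source, and a failed-over or replaced router shows up as a "conflict", so treat both lists as leads to check against the switch's MAC table rather than as proof. And pinning the entry with `arp -s` (or `ip neigh replace ... nud permanent` on newer Linux) protects only the host you run it on, which is exactly why HD notes that the other servers on that network were still the ISP's problem.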


Re: [Full-disclosure] Metasploit - Hack ?

2008-06-02 Thread Paul Schmehl
--On Monday, June 02, 2008 16:40:31 +0100 Jacques Erasmus 
<[EMAIL PROTECTED]> wrote:

>
>
> Seems like the metasploit site has been hacked.
>
>
>
> http://forum.eviloctal.com/redirect.php?tid=33254&goto=lastpost#lastpost
>
>
>
> The links such as http://www.metasploit.com/framework etc are redirecting to the
> above site – is anyone else seeing this ?
>

Nope.  Site appears to be working as expected.

-- 
Paul Schmehl
As if it wasn't already obvious,
my opinions are my own and not
those of my employer.


Re: [Full-disclosure] Metasploit - Hack ?

2008-06-02 Thread H D Moore
Looks like someone is doing ARP poisoning at the ISP level. The actual 
metasploit.com server(s) are untouched, but someone is still managing to 
MITM a large portion of the incoming traffic. To make things even more 
fun, it's coinciding with a DoS attack (syn floods) on most of the open 
services.

If you are worried about the Metasploit Framework source code being 
MITM'd during SVN checkouts, use the SSL version of the SVN tree:

$ svn co https://metasploit.com/svn/framework3/trunk/

-HD


On Monday 02 June 2008, Jacques Erasmus wrote:
> Seems like the metasploit site has been hacked.



[Full-disclosure] Metasploit - Hack ?

2008-06-02 Thread Jacques Erasmus
Seems like the metasploit site has been hacked.

http://forum.eviloctal.com/redirect.php?tid=33254&goto=lastpost#lastpost

The links such as http://www.metasploit.com/framework etc are redirecting to
the above site - is anyone else seeing this ?

