Old School Layer 2 Hacking

When I designed my TCP/IP Weapons School class my intent was to teach TCP/IP at an advanced level using traffic generated by security tools. I thought the standard approach of showing all normal traffic was boring. Sometimes students (or those on the sidelines) wonder why I should bother teaching a technique like ARP spoofing at all, when layer 7 attacks are what the cool kids are doing these days. One answer is below.

Ref: Sunbelt Blog

How could this happen? It turns out it wasn't the fault of the Metasploit Project. Rather, a server in the same VLAN as the Metasploit Project was compromised and used to ARP spoof the gateway of the Metasploit Project Web site. See Full Disclosure: Re: Metasploit - Hack ? and this for details.

HD Moore responded to the incident by adding the proper MAC address for his Web hoster's gateway as a static entry to his ARP cache.

This is a great example of a cloud security problem. You host your content at a third party, and you rely upon that third party -- and potentially other customers of that third party -- to implement adequate security. In this case, at least one other customer was vulnerable, and the Web hosting company didn't take adequate measures to protect its switching infrastructure. Of course the intruder who ran the ARP spoofing attack is really at fault, but this event demonstrates the trade-off associated with relying upon third parties.

Incidentally, this marks the third event of "modern history" involving ARP spoofing I've documented here. Earlier incidents included Freenode admin credentials and injecting malicious IFRAMEs at another Web hosting provider.

If you're interested in my Black Hat class, we increased the seat count to 80 per class (instead of 60). Registration is still open.