Very often, I will come across a nifty IT tool that I like the look of and want to test for myself. Unfortunately, my mental notes aren’t as sticky as they once were, and more often than not, I promptly forget all about said tool.
Today, however, I sat down and tested a couple of very useful man-in-the-middle Metasploit modules created by Robin of digininja.org fame.
These modules work on the premise that if you can get control of the sole DHCP server on the network, you can push out IP configuration containing attacker-controlled values. For example, you can tell workstations to use a DNS server that you control.
The first module, dhcp_exhaustion, performs a DoS attack against the authoritative DHCP server by getting the server to allocate all of its remaining IP addresses to your computer. Once the legitimate DHCP server’s pool is exhausted, you can fire up your own DHCP server configured to give out evil information, such as setting the DNS server to the IP address of your computer running Metasploit.
The next stage of the attack is to run the dns_mitm module. This module reads a list of custom DNS entries from a standard text file, which it returns to any client that asks. For example, your text file may include a line such as:
Any client with IP info assigned by your DHCP server trying to go to http://www.mywebbankingsite.org will be taken to 192.168.1.11, which could be the IP address of a fake phishing website. By also giving the module the IP address of a legitimate DNS server, you can ensure that any DNS names that aren’t explicitly listed in your text file are still resolved correctly.
Think of networks under your control – how long would it be before you noticed that your DHCP server had stopped giving out address information, assuming someone else started running a DHCP server? How would you detect a MITM attack such as this? On my networks, I use various techniques such as port security on switches, egress filtering on firewalls, etc.; however, with a little bit of thought, most of these can be overcome by someone who knows what they’re doing.
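One way to answer the detection question above, as an added example that is not from the original post or from the digininja modules: the script below audits DHCP OFFER records against an allowlist of legitimate DHCP and DNS servers, and looks for the burst of leases to many distinct MAC addresses that a pool-exhaustion attack produces. The log format and the sample lines are constructed for this example, not the output of any real tool.

```python
import re
from datetime import datetime

# Constructed sample log lines (not from any real tool): one line per DHCP OFFER
# seen on the wire, as a passive DHCP monitor on a SPAN port might record them.
SAMPLE_LOG = """\
2024-03-01T09:00:01 OFFER server=192.168.1.1 client=aa:bb:cc:00:00:01 ip=192.168.1.50 dns=192.168.1.1
2024-03-01T09:00:02 OFFER server=192.168.1.1 client=aa:bb:cc:00:00:02 ip=192.168.1.51 dns=192.168.1.1
2024-03-01T09:00:02 OFFER server=192.168.1.1 client=aa:bb:cc:00:00:03 ip=192.168.1.52 dns=192.168.1.1
2024-03-01T09:00:03 OFFER server=192.168.1.1 client=aa:bb:cc:00:00:04 ip=192.168.1.53 dns=192.168.1.1
2024-03-01T09:00:03 OFFER server=192.168.1.1 client=aa:bb:cc:00:00:05 ip=192.168.1.54 dns=192.168.1.1
2024-03-01T09:00:20 OFFER server=192.168.1.11 client=aa:bb:cc:11:22:33 ip=192.168.1.60 dns=192.168.1.11
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+) OFFER server=(?P<server>\S+) client=(?P<client>\S+) "
    r"ip=(?P<ip>\S+) dns=(?P<dns>\S+)"
)

def parse_offers(text):
    """Turn the log text into a list of dicts; lines that do not match are skipped."""
    offers = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.fromisoformat(rec["ts"])
            offers.append(rec)
    return offers

def rogue_offers(offers, trusted_servers, trusted_dns):
    """Flag OFFERs from an unexpected DHCP server or carrying an unexpected DNS server."""
    alerts = []
    for o in offers:
        if o["server"] not in trusted_servers:
            alerts.append(("rogue_dhcp_server", o["server"], o["client"]))
        if o["dns"] not in trusted_dns:
            alerts.append(("untrusted_dns_option", o["dns"], o["client"]))
    return alerts

def lease_burst(offers, server, window_seconds, threshold):
    """Return the largest number of distinct client MACs the given server offered
    leases to within any window, and whether that reaches the exhaustion threshold."""
    times = sorted((o["ts"], o["client"]) for o in offers if o["server"] == server)
    best = 0
    for i, (start, _) in enumerate(times):
        clients = {c for t, c in times[i:] if (t - start).total_seconds() <= window_seconds}
        best = max(best, len(clients))
    return best, best >= threshold
```

Feed the same functions the OFFER lines from a real sniffer and the first alert you see is the rogue server; the lease burst from the legitimate server is the earlier warning that its pool is being drained.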
You can find out more information about the two Metasploit modules over at the digininja website.
Disclaimer: Note that I am not an evil hacker and do not condone the use of such utilities for nefarious purposes. I am, however, a sysadmin that likes to know what security tools are available to help me secure my networks against such individuals.