RSS

MITM Made Easy with Metasploit

12 Mar

Very often, I will come across a nifty IT tool that I like the look of and want to test for myself. Unfortunately, my mental notes aren’t as sticky as they once were, and more often that not, I promptly forget all about said tool.

Today, however, I sat down and tested a couple of very useful man in the middle metasploit modules created by Robin of digininja.org fame.

These modules work on the premise that if you can get control of the sole DHCP server on the network, you can push out IP information containing compromised information. For example, you can tell workstations to use a DNS server that you control.

The first module, dhcp_exhaustion performs a DoS attack against the authoritative DHCP server by getting the server to allocate all remaining IP addresses to your computer. Once the legitimate DHCP server is exhausted, you can fire up your own DHCP server configured to give out evil information, such as setting the DNS server to the IP address of your computer running Metasploit.

The next stage of the attack is to run the dns_mitm module. This module reads a list of custom DNS entries from a standard text filewhich it returns to any client that asks. For example, your text file may include a line such as:

192.168.1.11  www.mywebbankingsite.org

Any client with IP info assigned by your DHCP server trying to go to http://www.mywebbankingsite.org will be taken to 192.168.1.11 which could be the IP address of a fake phishing website. By also giving the module the IP address of a legitimate DNS server, you can ensure that any DNS entries that aren’t explicitly listed in your text file are correctly resolved.

Think of networks under your control – how long would it before before you noticed that your DHCP server had stopped giving out address information, assuming someone else started running a DHCP server? How would you detect a MITM attack such as this? On my networks, I use various techniques such as port security on switches, egress filtering on firewalls etc, however, with a little bit of thought, most of these can be overcome by someone who knows what they’re doing.

You can find out more information about the two metaspoit modules over at the digininja website.

Disclaimer: Note that I am not an evil hacker and do not condone the use of such utilities for nefarious purposes. I am, however, a sysadmin that likes to know what security tools are available to help me secure my networks against such individuals.

Advertisements
 
Leave a comment

Posted by on March 12, 2010 in Security

 

Add Comment

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

 
%d bloggers like this: