01-11-25, 01:27 PM
Greetings.
Here I'd like to talk about DHCP attacks, and also how to mitigate them (on Cisco gear).
As always, learn and use at your own risk, at your own pace, at your own right.
I shall not be held responsible for any damage or claims that might arise from negligence or carelessness; nothing can be imputed to me or my TEAM. This is purely knowledge sharing. Use it wisely.
The DHCP protocol
Dynamic Host Configuration Protocol allows computers to automatically receive IP addresses and network configuration from a DHCP server.
Here is a typical IP address acquisition:
Code:
DHCP Client                             DHCP Server
     |                                       |
     |------------ DHCP Discover ----------->|
     |                                       |
     |<------------ DHCP Offer --------------|
     |                                       |
     |------------ DHCP Request ------------>|
     |                                       |
     |<---- DHCP Ack (or Decline, Nack) -----|
     |                                       |
     |------------ DHCP Release ------------>|
We can see 7 different kinds of frames:
- DHCP Discover: this frame is broadcast to the whole network in order to find the DHCP server.
- DHCP Offer: the server responds to a DHCP Discover in unicast. This frame contains network configuration (IP address pool, gateway address…).
- DHCP Request: the client sends a broadcast frame to announce which server's configuration it wants to use.
- DHCP Ack: the chosen DHCP server assigns the IP and configuration parameters and acknowledges.
- DHCP Nack: the DHCP server rejects the client's request.
- DHCP Decline: the client rejects the offered IP address.
- DHCP Release: the client gives back its assigned IP address before the lease expires.
For more information about DHCP, check the Wikipedia page.
DHCP starvation attack
This first attack consists of exhausting the DHCP server's IP address pool with a huge number of requests.
The attacker sends many DHCP requests with different MAC addresses, which results in all the available IP addresses being used up. New machines that try to connect to the network will not get any IP.
Then, the attacker can configure his own machine to be the new DHCP server and serve the new machines.
In a DHCP lease, information about the default gateway and DNS is transmitted. The attacker can offer newcomers a lease saying that he is the default gateway, which allows Man In The Middle attacks: every packet sent by the hosts will go through the attacker's machine.
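As an added example (my own code, not part of the original post), here is how a defender can spot a starvation attempt from the DHCP server's own logs rather than from the attacker's side: it scans ISC dhcpd-style syslog lines and alerts when many distinct client MACs send DHCPDISCOVER on one interface within a short window, which is exactly the signature of the attack described above (one Discover per forged MAC). A single client retrying from one MAC does not trigger it. The log lines, MAC addresses, interface names and thresholds are constructed for the example, not taken from the page.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# DISCOVER lines as ISC dhcpd logs them through syslog: timestamp, client MAC, interface.
DISCOVER_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dhcpd: DHCPDISCOVER from "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) via (?P<ifname>\S+)",
    re.IGNORECASE,
)

def parse_ts(text):
    # syslog timestamps carry no year; strptime fills in 1900, which is fine for windowing
    return datetime.strptime(text, "%b %d %H:%M:%S")

def detect_starvation(lines, window=timedelta(seconds=10), max_distinct_macs=20):
    """Scan dhcpd log lines and return one (interface, timestamp, distinct_macs)
    alert per interface on which more than `max_distinct_macs` different client
    MACs sent DISCOVER within `window`. A single client retrying from one MAC
    never trips it; a starvation burst (one DISCOVER per forged MAC) does."""
    recent = defaultdict(deque)          # interface -> deque of (timestamp, mac)
    alerted, alerts = set(), []
    for line in lines:
        m = DISCOVER_RE.match(line)
        if not m:
            continue                     # OFFER/REQUEST/ACK lines are irrelevant here
        ts, mac, ifname = parse_ts(m["ts"]), m["mac"].lower(), m["ifname"]
        q = recent[ifname]
        q.append((ts, mac))
        while q and ts - q[0][0] > window:
            q.popleft()                  # expire entries older than the window
        distinct = len({seen for _, seen in q})
        if distinct > max_distinct_macs and ifname not in alerted:
            alerted.add(ifname)
            alerts.append((ifname, ts, distinct))
    return alerts

def constructed_log():
    """Constructed sample log (not real data): one normal lease and a retrying
    client on eth1, then a starvation burst of 50 forged MACs on eth0."""
    c = "00:11:22:33:44:01"
    lines = [
        "Nov 11 13:20:01 dhcp dhcpd: DHCPDISCOVER from %s via eth1" % c,
        "Nov 11 13:20:01 dhcp dhcpd: DHCPOFFER on 192.168.42.10 to %s via eth1" % c,
        "Nov 11 13:20:02 dhcp dhcpd: DHCPREQUEST for 192.168.42.10 (192.168.42.1) from %s via eth1" % c,
        "Nov 11 13:20:02 dhcp dhcpd: DHCPACK on 192.168.42.10 to %s via eth1" % c,
    ]
    # the same client re-sending DISCOVER ten times: noisy, but not an attack
    lines += ["Nov 11 13:20:%02d dhcp dhcpd: DHCPDISCOVER from %s via eth1" % (s, c)
              for s in range(3, 13)]
    # 50 DISCOVERs from 50 different made-up MACs within 5 seconds on eth0
    lines += ["Nov 11 13:21:%02d dhcp dhcpd: DHCPDISCOVER from 02:00:00:00:00:%02x via eth0"
              % (i // 10, i) for i in range(50)]
    return lines

if __name__ == "__main__":
    for ifname, ts, n in detect_starvation(constructed_log()):
        print("starvation suspected on %s at %s: %d distinct MACs" % (ifname, ts.time(), n))
```

The threshold and window are the knobs to tune per site: a lab VLAN where 20 machines boot at once after a power cut will look like a burst, so compare against the normal number of new MACs per minute before alerting on it.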
There is a famous framework for layer 2 attacks called yersinia that lets us launch DHCP starvation attacks:
Code:
# yersinia dhcp -attack 1 -interface eth0
After specifying the protocol with the dhcp argument, we indicate the attack mode. -attack 1 corresponds to 'DoS attack sending discover packets'. The -interface flag lets us specify which interface to use during the attack.
To stop the attack, just kill the process:
Code:
# killall yersinia
DHCP rogue server attack
The goal of this attack is to introduce into the network a rogue DHCP server that will respond to client requests.
In order to succeed, you have to respond to DHCP Discover requests faster than the legitimate DHCP server. This can be done in multiple ways:
- By launching a DoS attack against the current DHCP server: its response time grows, which gives you an advantage.
- By re-implementing DHCP on the attacker machine: DHCP servers usually do other things (DNS, gateway…), so they take more time to respond than a bare DHCP server. Moreover, they have to look into their cache to see whether an IP address has already been attributed, etc. So by implementing a DHCP server that directly answers a DHCP Discover with a hard-coded IP address, it is possible to be faster.
As seen before, yersinia allows us to do this attack:
Code:
# yersinia dhcp -attack 2 -interface eth0
where -attack 2 means 'nonDoS attack creating DHCP rogue server'. This attack mode does not need a DoS, as its implementation is probably faster than the standard DHCP server used in home/office routers.
How to protect
Being offensive is nice, but it's interesting to see the blue side of the Force too. I'll talk about Cisco equipment features.
There are two main ways to avoid those attacks on Cisco equipment: DHCP snooping and IP source guard.
- DHCP snooping filters suspicious DHCP packets and builds what is called a 'DHCP binding table'. This table records the DHCP assignments: MAC address, IP address, lease duration, VLAN number and corresponding interface.
Each interface that links a client to the switch must be set to untrusted, which only lets DHCP Discover/Request packets enter; the others are dropped.
Ports to which a DHCP server is connected must be set as trusted so that the switch accepts DHCP Offer and DHCP {Ack,Nack} packets.
The DHCP binding table holds information about untrusted ports and is fed by dynamic entries learnt via DHCP. On a large network, it is recommended to store this table externally: locally it is kept in flash memory, and for each new entry the whole content has to be erased and written again. This can also generate heavy CPU load, and in case of a shutdown the whole table is lost.
It is possible to configure automatic external storage as follows:
Code:
(config)# ip dhcp snooping database ftp://192.168.42.69/binding-table.dhcp
(config)# ip dhcp snooping database write-delay 300
In the example we use FTP, but HTTP, RCP and TFTP are allowed too. write-delay is the time to wait between copies when the table changes.
- IP source guard protects against spoofing of IP addresses obtained by DHCP. In this kind of attack, the attacker changes his IP and/or MAC address in order to reach a remote machine (IP spoofing) or to bypass ACLs set by the sysadmin.
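To make the two mechanisms concrete, here is an added example (my own code, not from the post and not Cisco's implementation) that models what the switch does: it parses DHCP packets, drops server messages (Offer/Ack/Nak) arriving on untrusted ports, which is what stops the rogue server of the previous section, learns a binding from each Ack that answers a tracked Request, and then applies the IP source guard check to ordinary IP traffic on the client ports. The check that the DHCP chaddr matches the frame's source MAC corresponds to the optional Cisco command ip dhcp snooping verify mac-address. Port names (Fa1/0/3, Fa1/0/7, Gi1/0/24), MAC and IP addresses are made up for the example, and a single VLAN is assumed, so the binding table is keyed by MAC only.

```python
import socket
import struct
from collections import namedtuple

DHCP_MAGIC = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
             5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}
SERVER_MSGS = {"OFFER", "ACK", "NAK"}   # only a real DHCP server should send these
Binding = namedtuple("Binding", "ip port lease")

def parse_dhcp(payload):
    """Parse the BOOTP header and DHCP option TLVs (RFC 2131/2132) of a UDP payload."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    hlen = min(payload[2], 16)                       # chaddr field is 16 bytes wide
    yiaddr = socket.inet_ntoa(payload[16:20])        # 'your' IP: offered/assigned address
    mac = ":".join("%02x" % b for b in payload[28:28 + hlen])
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:    # 255 = end option
        if payload[i] == 0:                          # 0 = pad, carries no length byte
            i += 1
            continue
        if i + 2 > len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError("truncated option")
        length = payload[i + 1]
        opts[payload[i]] = payload[i + 2:i + 2 + length]
        i += 2 + length
    if len(opts.get(53, b"")) != 1:
        raise ValueError("missing DHCP message type option")
    lease = struct.unpack("!I", opts[51])[0] if len(opts.get(51, b"")) == 4 else None
    return {"mac": mac, "yiaddr": yiaddr, "lease": lease,
            "type": MSG_TYPES.get(opts[53][0], "UNKNOWN")}

def build_dhcp(op, client_mac, msg_type, yiaddr="0.0.0.0", lease=None, xid=0x3903f326):
    """Build a minimal DHCP packet; used here only to construct sample traffic."""
    hdr = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0)
    hdr += socket.inet_aton("0.0.0.0") + socket.inet_aton(yiaddr) + bytes(8)  # ciaddr..giaddr
    hdr += bytes.fromhex(client_mac.replace(":", "")).ljust(16, b"\0")        # chaddr
    hdr += bytes(64 + 128)                                                     # sname, file
    opts = bytes([53, 1, msg_type])
    if lease is not None:
        opts += bytes([51, 4]) + struct.pack("!I", lease)
    return hdr + DHCP_MAGIC + opts + b"\xff"

class SnoopingSwitch:
    # Per-port DHCP snooping decisions, the binding table they build, and the
    # IP source guard check that consumes that table.
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.bindings = {}      # client MAC -> Binding
        self.pending = {}       # client MAC -> untrusted port that sent the REQUEST

    def handle_dhcp(self, port, src_mac, payload):
        """Return 'forward' or 'drop' for a DHCP packet received on `port`."""
        pkt = parse_dhcp(payload)
        t = pkt["type"]
        if port in self.trusted:                    # server port: learn bindings from ACKs
            if t == "ACK" and pkt["mac"] in self.pending and pkt["yiaddr"] != "0.0.0.0":
                self.bindings[pkt["mac"]] = Binding(pkt["yiaddr"], self.pending.pop(pkt["mac"]), pkt["lease"])
            return "forward"
        if t in SERVER_MSGS:                        # rogue server answering on a client port
            return "drop"
        if pkt["mac"] != src_mac.lower():           # chaddr must match the frame's source MAC
            return "drop"
        if t == "REQUEST":
            self.pending[pkt["mac"]] = port
        elif t in ("RELEASE", "DECLINE"):
            b = self.bindings.get(pkt["mac"])
            if b is not None and b.port != port:    # another port releasing this client's lease
                return "drop"
            if b is not None and t == "RELEASE":
                del self.bindings[pkt["mac"]]
        return "forward"

    def verify_source(self, port, src_mac, src_ip):
        # IP source guard (port-security mode): traffic on an untrusted port must
        # match that port's binding on both source MAC and source IP.
        if port in self.trusted:
            return True
        b = self.bindings.get(src_mac.lower())
        return b is not None and b.port == port and b.ip == src_ip

def scenario():
    """Constructed exchange (made-up ports, MACs and IPs): a normal lease on
    Fa1/0/3, then a rogue OFFER and spoofed traffic from Fa1/0/7."""
    sw = SnoopingSwitch(trusted_ports={"Gi1/0/24"})
    client, server, rogue = "00:11:22:33:44:01", "00:aa:bb:cc:dd:ee", "02:de:ad:be:ef:01"
    out = [
        sw.handle_dhcp("Fa1/0/3", client, build_dhcp(1, client, 1)),                          # DISCOVER
        sw.handle_dhcp("Gi1/0/24", server, build_dhcp(2, client, 2, "192.168.42.10")),        # OFFER
        sw.handle_dhcp("Fa1/0/3", client, build_dhcp(1, client, 3)),                          # REQUEST
        sw.handle_dhcp("Gi1/0/24", server, build_dhcp(2, client, 5, "192.168.42.10", 3600)),  # ACK
        sw.handle_dhcp("Fa1/0/7", rogue, build_dhcp(2, client, 2, "192.168.42.99")),          # rogue OFFER
        sw.handle_dhcp("Fa1/0/7", rogue, build_dhcp(1, "02:00:00:00:00:01", 1)),              # forged chaddr
        sw.verify_source("Fa1/0/3", client, "192.168.42.10"),   # the client's own traffic
        sw.verify_source("Fa1/0/7", rogue, "192.168.42.10"),    # rogue borrowing the client's IP
        sw.verify_source("Fa1/0/3", client, "192.168.42.1"),    # client changed its own IP
    ]
    return sw, out
```

Running scenario() forwards the four legitimate messages, drops the rogue Offer and the Discover whose chaddr does not match its source MAC, and only the client's own MAC/IP pair on its own port passes the source guard check. Note that the binding is learnt on the trusted port from the Ack, which is why the server port must really be trusted: with nothing trusted the table stays empty and source guard would block every client.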
To configure IP source guard on a Cisco switch, you can enter (on whatever interface you want):
Code:
(config)# interface FastEthernet1/0/3
(config-if)# ip verify source port-security
And that's about it. Should you have any questions, feel free to ask.
~ KingSkrupeLLoS ~
