DHCP spoofing describes the introduction of an "unofficial" DHCP server with which an attacker distributes network configurations in order to read network traffic, i.e. a classic man-in-the-middle attack.
The problem, however, is being faster than the legitimate DHCP server on the network. To ensure that a client accepts the attacker's offer when it tries to obtain a DHCP lease, a DHCP Starvation Attack can be used.
Once the legitimate DHCP server can no longer issue leases, the "rogue" DHCP server is the only one left to answer.
Under Linux, the "dhcpd" service is available for this. The configuration to be distributed is located at:
/etc/dhcp/dhcpd.conf
You can simply edit this file with vim.
Various network configurations can be found in the config, such as:
As soon as the attacker has configured his DHCP server, i.e. adjusted the gateway etc., it can be started.
To do this, run the command "dhcpd".
The attacker's fake DHCP is now running. From this point on, all incoming requests, including renews, are answered by the attacker's DHCP with a new, forged configuration. The attacker registers itself as the gateway/router for the requesting clients, so that all of their traffic is routed through the attacker. This becomes problematic in large client networks, however, since all of that traffic really does pass through the attacker.
However, traffic can also be "selected" in a more targeted manner via DHCP: instead of distributing leases in which you pose as the gateway, you use DHCP to hand out a WPAD (Web Proxy Auto-Discovery) entry, for example.
WPAD is the abbreviation for "Web Proxy Auto-Discovery" and is used to assign a proxy server to a client in a network automatically.
In order for a client to find a proxy server via WPAD, it first looks in its DHCP lease to see whether there is a WPAD entry. If there is no entry, the client makes a DNS query and tries to resolve an IP address for the wpad.domain.com entry. If no matching DNS entry is found, the client asks the NetBIOS name service or LLMNR for a WPAD server. If the search is still unsuccessful after this process, no WPAD proxy appears to be in use.
If a WPAD proxy is assigned via a DHCP lease, the corresponding entry in dhcpd.conf looks like this:
The WPAD URL is distributed using the option "wpad code 252". An additional configuration entry, option wpad "http://Angreifer-IP/wpad.dat", points to the WPAD configuration file wpad.dat. The benefit of WPAD from the attacker's perspective is that the attacker can filter network traffic precisely and decide which traffic to intercept.
The WPAD configuration (wpad.dat) can look like this:
The wpad.dat returns the attacker's address as the proxy server. In summary, this means that all HTTP traffic the client sends is forwarded directly to the attacker via this proxy entry, where it can then be manipulated.
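Both variants described above (the forged gateway and the WPAD option 252 entry) show up in the DHCP OFFER a client receives. The following added example, which is not from the original post, parses the option field of a DHCP payload and flags the signs of a rogue offer: a server identifier outside an allowlist, an unexpected router, or a WPAD URL. The addresses, the allowlist and the test payloads are constructed for this example.

```python
import ipaddress
from typing import Dict, List

# Constructed example values: the approved DHCP server and the gateway it is
# expected to hand out. Adjust to the monitored network.
TRUSTED_SERVERS = {"192.0.2.1"}
EXPECTED_ROUTER = "192.0.2.1"
MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_ROUTER, OPT_SERVER_ID, OPT_WPAD, OPT_END = 0, 3, 54, 252, 255


def parse_options(payload: bytes) -> Dict[int, bytes]:
    """Return the DHCP options of a BOOTP/DHCP payload as {code: raw value}."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP payload")
    opts, i = {}, 240  # options start right after the 236-byte header + cookie
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        length = payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def audit_offer(payload: bytes) -> List[str]:
    """Flag signs of a rogue offer: unknown server, unexpected gateway, WPAD URL."""
    opts = parse_options(payload)
    findings = []
    server = str(ipaddress.IPv4Address(opts[OPT_SERVER_ID])) if OPT_SERVER_ID in opts else None
    if server not in TRUSTED_SERVERS:
        findings.append(f"offer from untrusted server {server}")
    if OPT_ROUTER in opts and str(ipaddress.IPv4Address(opts[OPT_ROUTER][:4])) != EXPECTED_ROUTER:
        findings.append(f"unexpected router {ipaddress.IPv4Address(opts[OPT_ROUTER][:4])}")
    if OPT_WPAD in opts:
        findings.append(f"WPAD option 252 present: {opts[OPT_WPAD].decode(errors='replace')}")
    return findings


def build_offer(server: str, router: str, wpad: str = "") -> bytes:
    """Constructed test payload: zeroed 236-byte header, cookie, then options."""
    body = bytes(236) + MAGIC_COOKIE + bytes([53, 1, 2])  # option 53: DHCPOFFER
    body += bytes([OPT_SERVER_ID, 4]) + ipaddress.IPv4Address(server).packed
    body += bytes([OPT_ROUTER, 4]) + ipaddress.IPv4Address(router).packed
    if wpad:
        body += bytes([OPT_WPAD, len(wpad)]) + wpad.encode()
    return body + bytes([OPT_END])
```

Feeding captured DHCP payloads (UDP port 67/68) into audit_offer gives a simple host-side check that complements the switch-side DHCP snooping described further below.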
The WPAD configuration is distributed via a simple HTTP server, which must be started by the attacker. This HTTP server is started as follows:
If a DHCP lease with the WPAD option was distributed successfully, the output of this HTTP server now shows which clients download the wpad.dat.
If a user now starts his browser, the web traffic is routed via the proxy server that was distributed in the WPAD.
It should be noted that plain HTTP traffic is transmitted unencrypted and can therefore easily be intercepted by the attacker. For intercepting HTTPS (HTTP over SSL/TLS), there are additional challenges and conditions for successful interception.
DHCP snooping is a functionality designed to prevent DHCP attacks.
With DHCP snooping, "trusted ports" are configured on switches from which DHCP offers are accepted. The DHCP server is connected to one of these "trusted ports" because it is the only one that should assign IP addresses dynamically. Trunk ports must also have the "trusted" status in the context of DHCP snooping, since valid DHCP offers are transmitted here. If the switch detects that a DHCP offer is being made via a different port, it discards the packet.
The result of DHCP snooping is the DHCP snooping database, in which all IP and MAC addresses assigned by the DHCP server on the "trusted port" are recorded.
configure terminal
! enable DHCP snooping globally, then for the VLAN (replace the <...> placeholders)
ip dhcp snooping
ip dhcp snooping vlan <vlan-id>
! the port the legitimate DHCP server (or a trunk) is connected to
interface <interface>
ip dhcp snooping trust
exit
The comparison with the DHCP snooping database does not offer any protection against a DHCP Starvation Attack (denial of service). Requests can still be sent out in bulk, so that the pool of the legitimate DHCP server is exhausted. To prevent this, a rate limit can be configured on the switch, which dictates how many DHCP requests may arrive per second on a port.
If the attacker now launches a DHCP Starvation Attack, it fails once more than 10 requests arrive within a second.
configure terminal
! the untrusted access port the clients are connected to (replace the <...> placeholder)
interface <interface>
ip dhcp snooping limit rate 10
exit
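The same burst logic that the switch applies per port can also be checked after the fact on the DHCP server side. The following added example, which is not part of the original post, groups DHCPDISCOVER lines from ISC dhcpd's syslog output by second and interface and raises an alert where more distinct client MACs appear in one second than the limit of 10 used above. The log lines are constructed for this example, not a real capture.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Same threshold as "ip dhcp snooping limit rate 10" above: more than ten
# requests within one second on one interface is treated as a burst.
RATE_LIMIT = 10

# Constructed sample lines in ISC dhcpd's syslog format: one normal client at
# 12:00:00, then twelve different MACs asking within the same second at 12:00:05.
SAMPLE_LOG = (
    "Mar  3 12:00:00 dhcp dhcpd[1234]: DHCPDISCOVER from 02:00:00:00:00:01 via eth0\n"
    "Mar  3 12:00:00 dhcp dhcpd[1234]: DHCPOFFER on 192.0.2.10 to 02:00:00:00:00:01 via eth0\n"
    + "".join(
        f"Mar  3 12:00:05 dhcp dhcpd[1234]: DHCPDISCOVER from 02:00:00:00:01:{i:02x} via eth0\n"
        for i in range(12)
    )
)

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dhcpd\[\d+\]: "
    r"DHCPDISCOVER from (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) via (?P<iface>\S+)"
)


def discovers_per_second(log: str) -> Dict[Tuple[str, str], Set[str]]:
    """Group the client MACs of DHCPDISCOVER lines by (timestamp second, interface)."""
    buckets: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            buckets[(m["ts"], m["iface"])].add(m["mac"])
    return buckets


def detect_starvation(log: str, limit: int = RATE_LIMIT) -> List[str]:
    """Return one alert per (second, interface) whose distinct-MAC count exceeds limit.

    Many previously unseen MACs requesting within one second is the fingerprint of
    a starvation attack; a single client retrying stays below the limit."""
    alerts = []
    for (ts, iface), macs in sorted(discovers_per_second(log).items()):
        if len(macs) > limit:
            alerts.append(f"{ts} {iface}: {len(macs)} distinct clients in one second (limit {limit})")
    return alerts
```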
If you want to see the whole scenario in action, take a look at our YouTube video on the subject :D.