DHCP Attack + WPAD

DHCP basics

In this article we look at DHCP spoofing, the role WPAD plays in it, and the options that exist to prevent these attacks. It does not cover the basics of the DHCP protocol; you can find those in our first and second DHCP articles.

Offense: DHCP spoofing - what is it actually?

DHCP spoofing is a technique in which an attacker introduces an "unofficial" DHCP server that distributes network configurations so that the attacker can read network traffic: a classic man-in-the-middle attack.

The challenge, however, is being faster than the legitimate DHCP server on the network. To make sure a client accepts the attacker's offer when it tries to obtain a DHCP lease, a DHCP starvation attack can be used first.

Once the legitimate DHCP server can no longer issue leases, the "rogue" DHCP server is the one whose offers are used.

The "dhcpd" service is available for this under Linux. The configuration to be distributed is located at /etc/dhcp/dhcpd.conf and can simply be edited with vim.

Various network configurations can be found in the config, such as:

  • Lease time
  • Subnet
  • IP range
  • Gateway
  • DNS server

As soon as the attacker has configured his DHCP server, i.e. the gateway etc. have been adjusted, it can be started by running the command "dhcpd".

The attacker's rogue DHCP server is now running. From this point on, all incoming requests, including renewals, are answered with the forged configuration. The attacker registers itself as the gateway/router for the requesting clients, so that all their traffic is routed through the attacker. In large client networks, however, this becomes problematic, because literally all traffic has to pass through the attacker.

However, DHCP also offers a way to "select" traffic in a more targeted manner. Instead of distributing leases in which the rogue server poses as the gateway, DHCP can be used for WPAD (Web Proxy Auto-Discovery), for example.


WPAD - what is it and how does it work?

WPAD stands for "Web Proxy Auto-Discovery" and is used to automatically assign a proxy server to a client in a network.

To find a proxy server via WPAD, a client first looks in its DHCP lease for a WPAD entry. If there is none, the client makes a DNS query and tries to resolve an IP address for the name wpad.domain.com. If no matching DNS entry is found either, the client asks for a WPAD server via the NetBIOS name service or LLMNR. If the search is still unsuccessful after these steps, no WPAD proxy appears to be in use.

If a WPAD proxy is assigned via a DHCP lease, the dhcpd.conf looks like this:

The WPAD URL is distributed using the "wpad code 252" option definition. An additional configuration entry, option wpad "http://<attacker-IP>/wpad.dat", points to the WPAD configuration file wpad.dat. From an attacker's perspective, the benefit of using WPAD is that the attacker can filter network traffic precisely and decide which traffic to intercept.

The WPAD configuration (wpad.dat) can look like this:

The attacker's address is returned as the proxy server. In summary, all HTTP traffic of the client is forwarded directly to the attacker via this proxy entry, and the attacker can then manipulate it.
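As an added defender-side example (not part of the original article), the following Python check parses raw DHCP payloads and flags OFFERs that either carry the WPAD option 252 described above or come from a server identifier (option 54) outside an assumed trusted list; the trusted-server set and the sample packets are constructed assumptions.

```python
"""Defender-side check for DHCP OFFERs (added example, not from the article):
flag offers that carry a WPAD URL (option 252) or that come from a server
identifier (option 54) outside the trusted list. Sample packets are constructed."""
from ipaddress import IPv4Address
from typing import Optional

MAGIC_COOKIE = b"\x63\x82\x53\x63"
TRUSTED_DHCP_SERVERS = {"192.168.1.1"}  # assumption: the site's legitimate server


def parse_options(payload: bytes) -> dict:
    """Return {option_code: value_bytes} from a raw BOOTP/DHCP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP payload")
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 255:               # END option
            break
        if code == 0:                 # PAD option has no length byte
            i += 1
            continue
        length = payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def inspect_offer(payload: bytes) -> list:
    """Return alert strings for one DHCP payload; empty list if nothing is suspicious."""
    opts = parse_options(payload)
    if opts.get(53) != b"\x02":       # option 53 = message type, 2 = DHCPOFFER
        return []
    server = str(IPv4Address(opts[54])) if 54 in opts else "unknown"
    alerts = []
    if server not in TRUSTED_DHCP_SERVERS:
        alerts.append(f"OFFER from untrusted server {server}")
    if 252 in opts:                   # 252 = WPAD URL, as used in the article
        url = opts[252].decode(errors="replace")
        alerts.append(f"OFFER from {server} carries WPAD URL {url!r}")
    return alerts


def build_offer(server: str, wpad: Optional[str] = None) -> bytes:
    """Constructed DHCPOFFER for testing: op=BOOTREPLY, zeroed header, minimal options."""
    body = b"\x35\x01\x02" + b"\x36\x04" + IPv4Address(server).packed
    if wpad is not None:
        body += bytes([252, len(wpad)]) + wpad.encode()
    return b"\x02" + b"\x00" * 235 + MAGIC_COOKIE + body + b"\xff"
```

In a real deployment the payload would come from a packet capture or a DHCP relay log; any OFFER that carries option 252 unexpectedly, or that comes from an unknown server, is worth an alert.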


The WPAD configuration is served by a simple HTTP server that the attacker has to start. This HTTP server is started as follows:

If a DHCP lease with the WPAD option was distributed successfully, the HTTP server's output now shows which clients are downloading the wpad.dat.

If a user now starts his browser, the web traffic is routed via the proxy server that was distributed in the WPAD.

Note that plain HTTP traffic is transmitted unencrypted and can therefore easily be intercepted by the attacker. Intercepting HTTPS (HTTP over SSL) involves additional challenges and preconditions for a successful interception.

Defence: how do you protect yourself against such attacks?

DHCP snooping

DHCP snooping is a functionality designed to prevent DHCP attacks.

With DHCP snooping, "trusted ports" are configured on switches; DHCP offers are only accepted from these ports. The DHCP server is connected to one of these trusted ports, because it is the only device that should assign IP addresses dynamically. Trunk ports must also be marked as trusted in the context of DHCP snooping, since valid DHCP offers are forwarded over them. If the switch sees a DHCP offer arriving on any other port, it discards the packet.

The result of DHCP snooping is the DHCP snooping binding database, in which all IP and MAC address assignments made by the DHCP server on the trusted port are recorded.

configure terminal
! enable DHCP snooping globally, then for the VLAN(s) to protect
ip dhcp snooping
ip dhcp snooping vlan <vlan-number>
! mark the port to the legitimate DHCP server (and trunk ports) as trusted
interface <interface-name>
ip dhcp snooping trust
exit

Rate limit for DHCP packets

Checking packets against the DHCP snooping binding database offers no protection against a DHCP starvation attack (denial of service): requests can still be sent in bulk until the pool of the legitimate DHCP server is exhausted. To prevent this, a rate limit can be configured on the switch that dictates how many DHCP packets may be sent per second.

configure terminal
interface <interface-name>
! allow at most 10 DHCP packets per second on this access port
ip dhcp snooping limit rate 10
exit

If the attacker now launches a DHCP starvation attack, it fails after 10 requests.

If you want to see the whole scenario in action, take a look at our YouTube video on the subject :D.
