DHCP Snooping Attack

Ayushi Rathore
5 min read · Oct 15, 2019


*** Nothing contained in this article is intended to teach or encourage the use of security tools or methodologies for illegal or unethical purposes. Always act in a responsible manner. Make sure you have permission from the proper individuals before you use any of the tools or techniques described here.

Introduction

A DHCP server provides the information a client needs to operate on the network: an IP address, subnet mask, DNS server, default gateway and other parameters. When a client requests an address, the DHCP server creates an entry in its DHCP database and assigns the IP address to the client.

An attacker can perform two types of attack:

1. DHCP Starvation Attack

2. DHCP Spoofing Attack

In a DHCP starvation attack the attacker sends a large number of DHCP Discover messages with fake MAC addresses so that the DHCP pool is exhausted and the server can no longer serve valid clients. After the starvation attack, the attacker can set up a rogue DHCP server and start serving the victim machine with fake IP addresses. This puts the attacker in a man-in-the-middle position: it captures the client's requests, forwards them to the real server, receives the responses and relays them back to the client.

To mitigate these attacks DHCP snooping is used. With DHCP snooping, only trusted ports are allowed to send DHCP Offer and DHCP ACK messages. DHCP requests arriving on untrusted ports are validated, and untrusted ports are not allowed to send server messages such as DHCP Offer.

The DHCP snooping binding table records which client MAC address holds which IP address on which port, and is used to validate messages arriving on untrusted (filtered) ports. All DHCP requests coming from an untrusted port are intercepted by the switch, and all DHCP server replies arriving on untrusted ports are discarded.

Topology

Initial Setup

Initially configure the system as follows:

  • Assign an IP address to the router. In this case the IP address of the router is 192.168.60.1 with subnet mask 255.255.255.0.
  • Build a DHCP server on the router. The name of my DHCP server is snoopserver.
  • Start DHCP.
  • Check whether the service is running correctly by checking the IP addresses of the systems connected to the router.
  • Run the show ip dhcp binding command to see the address bindings in the DHCP database.

Attack Methodology

The attack is performed in 2 parts:

  • DHCP Starvation Attack
  • DHCP Spoofing Attack

In the DHCP starvation attack the attacker sends DHCP Discover messages with fake MAC addresses and takes all the available IPs. After the starvation attack the attacker starts leasing out fake IP addresses to the victims by acting as a DHCP server.

Steps to perform DHCP Starvation attack:

I. Open the Kali VM.

II. In a terminal type the command yersinia -G.

III. In Yersinia select the interface.

IV. Go to the DHCP tab.

V. Click Launch Attack and select the DHCP Discover packet radio button.

VI. Run the attack for some time and exit.

VII. After the attack completes, run the command show ip dhcp binding.

VIII. Run the command show ip dhcp server statistics; it shows the number of IPs leased out by the DHCP server.

Fig. launching the attack
Fig. yersinia sending DHCP Discover packets
Fig. wireshark captures for DHCP discover messages

The following results were obtained:

  • The DHCP snooping database could not be locked because of the many requests.
  • DHCP bindings with some fake MAC addresses.

Fig. Result after the attack
Fig. number of DHCP server requests served

Steps to perform DHCP Spoofing attack:

I. In the Kali VM, open a terminal and type the command ettercap -G.

II. Select the unified sniffing tab.

III. Under MiTM attack, select DHCP Spoofing attack.

IV. In the IP pool field add the spoofed address range (in my case 192.10.100.10–255), in the netmask field fill in the original subnet mask of the attacker, and in the DNS Server field fill in the IP address of the attacker, which is 192.168.60.5 in our case.

V. Launch the attack.

VI. Now run the ipconfig command on the victim machine. We can see that the victim's IP address has changed to a spoofed address and the default gateway is the attacker's IP address.

Fig. Ettercap launching on interface 0
Fig. DHCP Spoofing using Ettercap
Fig. Victim IP and default gateway changed.

Previously the IP of the victim machine was 192.168.60.3 with no default gateway. After the attack the IP changed to the range specified in Ettercap, with the attacker machine's IP as the default gateway.

Fig. Wireshark capture showing that victim accepted offer of attacker machine

Mitigation

DHCP snooping is the solution for both the DHCP starvation attack and the DHCP spoofing attack. The steps to configure DHCP snooping are:

  • Enable DHCP snooping globally (and on the VLAN in use).
  • Enable DHCP snooping trust on the trusted interfaces.
  • Enable port security on the interfaces.
  • Check the final result by running the show ip dhcp binding command.
Fig. configuring dhcp snooping globally and on vlan 1
Fig. trust established on victim interface.
Fig. trust established on router interface
Fig. Enabled port security on all the used interfaces
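As an added example (not part of the original article), the following Python models the decisions a DHCP snooping switch makes, covering both the trusted/untrusted port rule described in the introduction and the mitigation steps above: server messages arriving on untrusted ports are dropped, an untrusted port is limited in the number of client MACs it may present (port security) and in the DISCOVERs it may send (rate limiting), and leases acknowledged from the trusted port populate the binding table. Port names, MAC addresses, limits and the message sequence are constructed for the example; the IP addresses reuse those from the article.

```python
from collections import Counter, defaultdict

SERVER_MSGS = {"OFFER", "ACK", "NAK"}  # only a DHCP server legitimately sends these

class DhcpSnooper:
    """Minimal model of a switch's DHCP snooping and port-security decisions."""
    def __init__(self, trusted_ports, discover_limit=5, mac_limit=1):
        self.trusted = set(trusted_ports)
        self.discover_limit = discover_limit  # DISCOVERs allowed per untrusted port
        self.mac_limit = mac_limit            # client MACs allowed per untrusted port
        self.discovers, self.macs_seen = Counter(), defaultdict(set)
        self.client_port = {}   # client MAC -> untrusted port it was seen on
        self.bindings = {}      # client MAC -> (ip, port): the snooping binding table
        self.dropped = []       # (reason, message) for every dropped frame

    def process(self, msg):
        """Return 'forward' or 'drop' for one DHCP message seen on a switch port."""
        port, kind, mac = msg["port"], msg["type"], msg["mac"]
        if port in self.trusted:                  # server side: always forwarded
            if kind == "ACK" and mac in self.client_port:   # record the real lease
                self.bindings[mac] = (msg["ip"], self.client_port[mac])
            return "forward"
        if kind in SERVER_MSGS:                   # rogue server on an untrusted port
            return self._drop("server message on untrusted port", msg)
        self.macs_seen[port].add(mac)
        if len(self.macs_seen[port]) > self.mac_limit:      # port security
            return self._drop("mac limit exceeded", msg)
        self.discovers[port] += int(kind == "DISCOVER")
        if self.discovers[port] > self.discover_limit:      # starvation rate limit
            return self._drop("discover rate limit", msg)
        self.client_port[mac] = port
        return "forward"
    def _drop(self, reason, msg):
        self.dropped.append((reason, msg))
        return "drop"

def run_scenario():
    # constructed traffic: router on Gi0/1 (trusted), victim on Gi0/2, attacker on Gi0/3
    sw, victim = DhcpSnooper(trusted_ports={"Gi0/1"}), "aa:aa:aa:aa:aa:01"
    traffic = [{"port": "Gi0/2", "type": "DISCOVER", "mac": victim},
               {"port": "Gi0/1", "type": "OFFER", "mac": victim, "ip": "192.168.60.3"},
               {"port": "Gi0/2", "type": "REQUEST", "mac": victim},
               {"port": "Gi0/1", "type": "ACK", "mac": victim, "ip": "192.168.60.3"}]
    # starvation attempt: a burst of DISCOVERs with fake source MACs from Gi0/3
    traffic += [{"port": "Gi0/3", "type": "DISCOVER", "mac": f"de:ad:be:ef:00:{i:02x}"}
                for i in range(8)]
    # spoofing attempt: the attacker answers the victim as if it were the server
    traffic.append({"port": "Gi0/3", "type": "OFFER", "mac": victim, "ip": "192.10.100.10"})
    verdicts = [sw.process(m) for m in traffic]
    return verdicts.count("forward"), dict(Counter(r for r, _ in sw.dropped)), sw.bindings
```

Only the victim's own exchange and the attacker's first DISCOVER are forwarded; the remaining fake-MAC DISCOVERs trip the port-security limit and the rogue OFFER is rejected because it arrives on an untrusted port.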

Results

After configuring DHCP snooping the victim PC is no longer infected. It got its IP address from the legitimate server and its default gateway was also reset. I tried launching the attack again after applying the mitigation but was unsuccessful.

Fig. Victim IP is in range of DHCP server and have default gateway as router IP address.

Screenshot of the second attack attempt:

Fig. attacker not able to launch the attack

DHCP snooping is used to prevent these layer 2 attacks. A DHCP starvation attack causes a denial of service that can bring down the whole system. After DHCP starvation, DHCP spoofing can also be performed, resulting in a man-in-the-middle attack in which the attacker intercepts all packets between sender and receiver without either party noticing.
