Attack a network by using a rogue DHCP server

Ezra Undag, published in Tech Jobs Academy, Jul 22, 2016

This article was created after I left a rogue DHCP server running and connected to the laboratory’s private network. As a result, other computers in the lab were getting non-routable IP addresses thus preventing them from connecting to the internet.

What is DHCP?

Dynamic Host Configuration Protocol (DHCP) is a network protocol that enables a server to automatically assign an IP address to a computer from a defined range of numbers (i.e., a scope) configured for a given network.

What is a rogue DHCP server?

A rogue DHCP server is a DHCP server set up on a network by an attacker, or by an unaware user, that is not under the control of the network administrators. An accidental rogue device is commonly a modem or router with DHCP capabilities that a user attached to the network without realising the consequences. Attackers also deploy rogue DHCP servers deliberately as a starting point for man-in-the-middle, sniffing and reconnaissance attacks.

Private Network Demonstration

To further study the problem, I replicated the network disruption by connecting a rogue DHCP server in a private environment using Hyper-V. This demonstration makes use of the elements below.

  • Hyper-V — used to simulate a private network environment
  • ContosoPrivate — assigned name of virtual switch
  • LON-SVR4 server — designated DHCP Server in ContosoPrivate network
  • Win-CL — DHCP enabled client connected to ContosoPrivate network
  • LON-CL2 — unaware DHCP enabled client connected to ContosoPrivate network
  • RogueSRV — our rogue DHCP server
  • Windows Server 2012 R2 — operating system installed on LON-SVR4 and ContosoFS
  • Windows 8.1 — operating system installed on Win-CL

Note: The machines in this demonstration do not belong to any domain but to a WORKGROUP.

The diagram below shows a simple setup for the ContosoPrivate network:

Scenario before the attack

Before we disrupt the network, let us review the current setup.

The image above shows the IPv4 scope on the LON-SVR4 DHCP server [172.16.0.151–172.16.0.153]. A scope is the range of IP addresses the server hands out to computers requesting a dynamic IP address. This is a screenshot taken from LON-SVR4's DHCP Manager.

The image above shows the IP Address assigned by LON-SVR4 to Win-CL.

To double-check, we run the ipconfig command on Win-CL. Notice that the DHCP Server field points to 172.16.0.26, LON-SVR4's IP address.

Steps to launch the attack

  1. Install the DHCP Server role on RogueSRV.
    Note: Before installing DHCP, set a static IP address on RogueSRV that belongs to the same subnet as the existing DHCP server (subnet mask 255.255.0.0 here). For this demonstration, we set the IP address of RogueSRV to 172.16.0.30.
  2. Open DHCP Manager and add a new IPv4 scope.
    We set it to a small range [172.16.0.151–172.16.0.153] and, in this example, keep the remaining settings at their defaults after the IP range configuration. Activate the scope.

The image above shows the IPv4 scope for our rogue DHCP server [172.16.0.155–172.16.0.157].

  3. Connect RogueSRV to the ContosoPrivate network.

  4. Launch a new client computer, LON-CL2, connected to the ContosoPrivate network. It is purposely set to DHCP mode to retrieve a dynamic IP address from LON-SVR4, our designated DHCP server. However, it retrieved its dynamic IP address from the rogue DHCP server, as shown in the image below.

Notice that the DHCP Server field points to RogueSRV's IP address, 172.16.0.30. In other cases, a rogue DHCP server is introduced after the legitimate server's pool of dynamic IP addresses has been exhausted, so that the rogue server is the only one left able to answer new clients; this exhaustion is another form of attack called DHCP starvation.

Conclusion

This is a basic demonstration of how a network can be attacked using a rogue DHCP server. The damage a rogue DHCP server can do to clients ranges from simple denial of service (issuing non-routable IP addresses or wrong DNS information) to the far more subtle issuing of a rogue DNS server address. In that second case the attacker configures the clients to use their own DNS server instead of the standard corporate one, and that rogue DNS server can then be set up to direct users to fake copies of some sites for the purpose of credential collection.
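The sign this post relies on, the client's DHCP Server field pointing at 172.16.0.30 instead of 172.16.0.26, is exactly what a monitor on the segment can check on the wire: every DHCPOFFER carries the offering server's address in option 54, and a rogue DNS setting of the kind described in the conclusion travels in option 6. The following Python script is an added example, not code from the original post: it parses raw DHCP payloads, flags offers whose server identifier is not on an allow-list, and flags DNS servers outside the expected set. It assumes LON-SVR4 at 172.16.0.26 is the only authorized DHCP server (from the post) and, as an assumption, that it is also the expected DNS server; the two sample offers are constructed here from the post's addresses, and the rogue offer's DNS option pointing at 172.16.0.30 is a constructed illustration of the rogue-DNS scenario from the conclusion.

```python
"""Flag DHCP offers that do not come from an authorized server.

Added example for this post (not the author's code). Assumptions:
  - LON-SVR4 (172.16.0.26) is the only authorized DHCP server (from the post)
  - 172.16.0.26 is also the expected DNS server for the segment (assumption)
"""
import struct
from ipaddress import IPv4Address

AUTHORIZED_DHCP_SERVERS = {IPv4Address("172.16.0.26")}
EXPECTED_DNS_SERVERS = {IPv4Address("172.16.0.26")}

MAGIC_COOKIE = b"\x63\x82\x53\x63"          # marks the start of DHCP options
OPT_SUBNET, OPT_ROUTER, OPT_DNS = 1, 3, 6
OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 53, 54, 255
DHCP_OFFER = 2


def parse_dhcp(payload: bytes) -> dict:
    """Decode the parts of a raw DHCP payload (UDP data) that the check needs."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op = payload[0]                          # 1 = BOOTREQUEST, 2 = BOOTREPLY
    yiaddr = IPv4Address(payload[16:20])     # address being offered to the client
    options = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == 0:                        # pad byte, no length field
            i += 1
            continue
        length = payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "yiaddr": yiaddr, "options": options}


def ip_list(raw: bytes) -> list:
    """Split an option value holding one or more IPv4 addresses."""
    return [IPv4Address(raw[k:k + 4]) for k in range(0, len(raw) - len(raw) % 4, 4)]


def check_offer(payload: bytes) -> list:
    """Return findings for a DHCPOFFER; an empty list means it looks legitimate."""
    msg = parse_dhcp(payload)
    opts = msg["options"]
    if opts.get(OPT_MSG_TYPE, b"")[:1] != bytes([DHCP_OFFER]):
        return []                            # only offers are examined here
    findings = []
    # option 54 is what ipconfig shows as "DHCP Server"; a missing one counts as unknown
    server = IPv4Address(opts[OPT_SERVER_ID]) if OPT_SERVER_ID in opts else None
    if server not in AUTHORIZED_DHCP_SERVERS:
        findings.append(f"rogue DHCP server {server} offered {msg['yiaddr']}")
    dns = set(ip_list(opts.get(OPT_DNS, b"")))
    if dns and not dns <= EXPECTED_DNS_SERVERS:
        findings.append(f"unexpected DNS server(s) {sorted(map(str, dns))} from {server}")
    return findings


def build_offer(server: str, yiaddr: str, dns=(), router=None, xid=0x3903F326) -> bytes:
    """Construct a minimal DHCPOFFER payload (sample data for this example only)."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        2, 1, 6, 0, xid, 0, 0,               # BOOTREPLY, Ethernet, hlen 6, hops, xid, secs, flags
        b"\0" * 4,                           # ciaddr
        IPv4Address(yiaddr).packed,          # yiaddr
        IPv4Address(server).packed,          # siaddr
        b"\0" * 4,                           # giaddr
        bytes.fromhex("00155d010203") + b"\0" * 10,  # chaddr (constructed MAC)
        b"\0" * 64, b"\0" * 128,             # sname, file
    )
    opts = bytes([OPT_MSG_TYPE, 1, DHCP_OFFER])
    opts += bytes([OPT_SERVER_ID, 4]) + IPv4Address(server).packed
    opts += bytes([OPT_SUBNET, 4]) + IPv4Address("255.255.0.0").packed
    if router:
        opts += bytes([OPT_ROUTER, 4]) + IPv4Address(router).packed
    if dns:
        raw = b"".join(IPv4Address(d).packed for d in dns)
        opts += bytes([OPT_DNS, len(raw)]) + raw
    return header + MAGIC_COOKIE + opts + bytes([OPT_END])


# Constructed samples built from the post's lab addresses (DNS values are assumed).
LEGIT_OFFER = build_offer("172.16.0.26", "172.16.0.151", dns=("172.16.0.26",))
ROGUE_OFFER = build_offer("172.16.0.30", "172.16.0.155", dns=("172.16.0.30",))

if __name__ == "__main__":
    for name, pkt in (("LON-SVR4", LEGIT_OFFER), ("RogueSRV", ROGUE_OFFER)):
        print(name, check_offer(pkt) or ["ok"])
```

To run it against real traffic, pass `check_offer` the UDP payload of each packet sent to client port 68 on the segment. A client normally accepts the first offer it receives, which is why a rogue server on the same segment can win clients even while the legitimate server is up; a monitor like this complements switch-side DHCP snooping, which drops DHCP server messages that arrive on untrusted ports before any client sees them.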
