Attacks Against DHCP
With the above-mentioned information in mind, it should be clear that two attacks are possible:
• DHCP scope exhaustion (client spoofs other clients)
• Installation of a rogue DHCP server
DHCP Scope Exhaustion: DoS Attack Against DHCP
What if a malicious client attempts to seize the entire range of available IP addresses? It
does not look like anything in the protocol itself is going to prevent this from happening.
The client just needs to generate uniquely identifiable packets. It could do so by using
random source MAC addresses and then sending a DHCPDISCOVER per forged MAC
address.
The DHCP server then hands out the entire set of addresses available to the client’s
network, because it can’t tell the difference between a genuine host and a spoofed one. If a
legitimate client tries to obtain an IP address, it is left with no IP connectivity
because the entire range of addresses has already been allocated to spoofed hosts—user
frustration guaranteed! At least two freely available programs exist—Yersinia and
Gobbler—that do just that: Attempt to request as many leases as possible as quickly as
possible.
Yersinia
Yersinia is the Layer 2 hacker’s Swiss-army knife, as discussed in Chapter 3, “Attacking
the Spanning Tree Protocol.” Yersinia is named after Yersinia pestis, which is a bacterium that
causes plague. As its name implies, Yersinia is mainly an attack tool against several Layer
2 protocols: Spanning Tree Protocol (STP), Institute of Electrical and Electronics
Engineers (IEEE) 802.1Q, IEEE 802.1X, and, of course, DHCP (even if DHCP is not a
Layer 2 protocol, strictly speaking).
Figure 5-3 shows a Yersinia attack screen.
90 Chapter 5: Leveraging DHCP Weaknesses
Figure 5-3 Yersinia’s DHCP Attack Screen
NOTE For more information on Yersinia, see Chapter 3.
Gobbler
Gobbler specializes in DHCP-only attacks. From its documentation,2 Gobbler is described
as follows:
A tool designed to audit various aspects of DHCP networks, from detecting if DHCP is running on a
network to performing a denial of service attack. The Gobbler also exploits DHCP and Ethernet to allow
distributed spoofed port scanning with the added bonus of being able to detect the response from a spoofed host.
This tool is based on proof of concept code “DHCP Gobbler” available from networkpenetration.com.
Gobbler even goes a step further than Yersinia. Certain DHCP servers periodically send
Address Resolution Protocol (ARP) requests or Internet Control Message Protocol (ICMP)
echo packets to probe for IP addresses that the server might have reclaimed. Servers do not
perform this check for security purposes; instead, they do this because, sometimes, clients
do not release their assigned IP address when shutting down.
The author(s) of Gobbler observed this DHCP server behavior and equipped Gobbler with
the capability to counter it by responding to ARP requests!
Example 5-1 represents Gobbler’s command-line interface (CLI) Help menu.
Example 5-1 Gobbler’s Help Menu
[root@linux-p4]# ./Gobbler
The Gobbler (Alpha release 2.0.1) from NetworkPenetration.com
-------------------------------------------------------------
Scanning Options
-A Arp scan (b)cast (g)obble (n)et-broadcast (s)pec* (w)rong
-C
-D Detect DHCP service / rogue servers on network
-G Gobble attack - DoS DHCP server via IP exhaustion / MAC spoofing attack
-M
-N
-P
-Q
-R <135-139,445,a,o,s,n> Port range (a)ll (o)sstm (s)ervices (n)nmap
-S Start sniffer
-T Traceroute to target (use with -P or -N)
-U ICMP ping target (use with -P or -N)
-X Nmap OS detection (use with -P or -N)
-Z Port 0 OS detection (use with -P or -N)
Misc
-a
-c Closed ports displayed at end of portscan (all ports close to 20)
-d Filtered ports displayed at end of portscan (all)
-e
-f Fast mode - possible errors with port lists
-g Don’t release gobbled IP’s (might be useful when portscanning)
-h Don’t ICMP ping target... useful if a firewall is blocking ICMP pings
-i
-j Jump past rescanning filtered ports (useful when scanning all ports)
-l
-n
-o / -O
-r Don’t reply to ICMP ping requests
-s
-t Tag mac addresses for gobbled hosts (each will end in 4e:50)
-u
-v Verbose (may be used 3 times for crazy amounts of debugging info)
-V Display connection status after every update (used when grabbing an IP address)
-w Remove warnings at start of various scans
Examples
Gobbled scan single dynamically assigned host: Gobbler -P 192.168.1.1 -R n
Gobbled scan multiple src hosts: Gobbler -P 192.168.3.1 -R 21-23,445 -n 4
Non-gobbled scan: Gobbler -N 10.0.0.1 -Q 10.0.0.50-r -Q 10.0.0.51-r -R n -f
Sniffer: Gobbler -i eth0 -S -v Arp scan: Gobbler -i fxp0 -Ag
Detect rogue DHCP server: Gobbler -D -i eth0 DHCP DoS: Gobbler -G -i fxp0
Note: all options with a * require -Q
Note: MITM -M is in the early stages of coding
Note: When performing a DoS attack the gobbler crashes
WARNING read README.1ST before using the Gobbler
If you do not understand what you are doing, do NOT use this program!
[root@linux-p4]#
All of Example 5-1’s lines are simply options for Gobbler; many of them exist because
Gobbler is a powerful attack tool against DHCP.
At the end of the day, both Yersinia and Gobbler make it all too easy to attack DHCP
servers.
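As an added example (not from the book and not part of either tool), here is a small Python detector a defender could run over DHCP server logs. It flags the three things that the scope-exhaustion attack and Gobbler’s help menu above make observable: a burst of DHCPDISCOVERs from many distinct client MACs in a short window, a pool that is almost fully leased, and, as a weak signature, client MACs ending in the 4e:50 tag that Gobbler’s -t option applies. The ISC dhcpd-style syslog format and the sample lines are assumptions constructed for this example.

```python
import re
from datetime import datetime

# ISC dhcpd-style syslog lines (format assumed; the sample lines below are constructed).
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dhcpd\[\d+\]: (?P<msg>DHCPDISCOVER|DHCPACK)"
    r".*?\b(?:from|to) (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.I)

def parse(line, year=2024):
    """Return (timestamp, message type, client MAC), or None for lines we do not care about."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["msg"].upper(), m["mac"].lower()

def detect_starvation(lines, window_s=10, mac_threshold=20, pool_size=254, util_threshold=0.9):
    """Flag a DHCPDISCOVER burst from many distinct MACs, a nearly full pool, and the
    4e:50 MAC suffix that Gobbler's -t option tags spoofed hosts with (weak signal)."""
    events = sorted(e for e in map(parse, lines) if e)
    alerts, burst_seen, start = [], False, 0
    discovers = [(ts, mac) for ts, msg, mac in events if msg == "DHCPDISCOVER"]
    for i, (ts, _) in enumerate(discovers):
        while (ts - discovers[start][0]).total_seconds() > window_s:  # slide the window
            start += 1
        distinct = {mac for _, mac in discovers[start:i + 1]}
        if len(distinct) >= mac_threshold and not burst_seen:
            alerts.append(f"burst: {len(distinct)} distinct MACs sent DHCPDISCOVER within {window_s}s")
            burst_seen = True
    leased = {mac for _, msg, mac in events if msg == "DHCPACK"}
    if len(leased) / pool_size >= util_threshold:
        alerts.append(f"pool: {len(leased)}/{pool_size} addresses leased")
    tagged = {mac for _, _, mac in events if mac.endswith("4e:50")}
    if len(tagged) > 1:
        alerts.append(f"signature: {len(tagged)} client MACs end in 4e:50")
    return alerts

# Constructed sample: 30 forged clients DISCOVER within 5 s; the server then ACKs 25 of them.
SAMPLE = [f"Mar  1 10:00:{i % 5:02d} srv dhcpd[42]: DHCPDISCOVER from 02:00:00:{i:02x}:4e:50 via eth0"
          for i in range(30)]
SAMPLE += [f"Mar  1 10:00:{5 + i % 5:02d} srv dhcpd[42]: DHCPACK on 10.0.0.{i + 1} to 02:00:00:{i:02x}:4e:50 via eth0"
           for i in range(25)]

if __name__ == "__main__":
    for alert in detect_starvation(SAMPLE, pool_size=25):
        print(alert)
```

Thresholds are deliberately parameters: a large campus segment legitimately sees bursts after a power cycle, so tune window_s and mac_threshold against a baseline before alerting on them.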