DHCP Overview
RFC 2131 and RFC 2132 originally defined DHCP, with several RFC extensions
augmenting its capabilities. (See http://www.dhcp.org/rfcs.html for a comprehensive list.) The
primary purpose of DHCP is to dynamically assign IP addresses to requesters for a
specified duration (called the lease time). DHCP clients request addresses from DHCP
servers. In most cases, clients and servers are several hops apart and are separated by routers
and other network devices. When that is the case, the first-hop router needs to be DHCP-friendly
and forward the clients’ requests to the servers. Such routers are called relay
agents. Figure 5-1 visually summarizes the operation of DHCP.
86 Chapter 5: Leveraging DHCP Weaknesses
Figure 5-1 Initial DHCP Exchange
Table 5-1 lists all the various DHCP packets defined by the main DHCP RFCs.
Table 5-1 DHCP Packet Types
DHCP Message    Use
DHCPDISCOVER    Client discovers servers (broadcast packet).
DHCPOFFER       Server unicasts a reply containing various parameters (IP, subnet mask, and so on).
DHCPREQUEST     Client broadcasts interest in offer.
DHCPACK         Server confirms the request (unicast).
DHCPNAK         Server denies a request (unicast).
[Figure: message sequence between client and server. DHCP DISCOVER: client discovers DHCP server(s). DHCP OFFER: server responds with an offer; multiple offers can arrive and the client picks one. DHCP REQUEST: client broadcasts a request for one of the received offers. DHCP ACK: server ACKs the client’s request for the IP address; IP address acquired. Graceful shutdown, DHCP RELEASE: client explicitly releases its IP address.]
DHCP clients listen to User Datagram Protocol (UDP) port 68, while DHCP servers listen
to UDP port 67. For example, the DHCP client’s first task is to obtain an IP address by
broadcasting a DHCPDISCOVER message from UDP port 68 to UDP port 67. Referring
to Figure 5-1, after completion of Step 4 (DHCPACK), the client is ready to use the
proposed IP address. DHCP packets can contain a multitude of options to specify the
address of default gateways and Domain Name System (DNS) servers, the domain name,
and so on. Multiple DHCP servers can exist on a given LAN. If a client receives several
DHCPOFFER packets, it is free to pick the one it prefers. For all practical purposes, clients
usually pick the first reply to arrive. This property is important to keep in mind because at
least one tool is capable of using it to its advantage. Figure 5-2 examines the format of a
DHCP packet.
Figure 5-2 DHCP Packet
Table 5-1 DHCP Packet Types (Continued)
DHCP Message    Use
DHCPRELEASE     Client relinquishes its IP address.
DHCPINFORM      Client requests configuration parameters.
DHCPDECLINE     Client notifies server that the IP is in use.
[Figure: DHCP packet format, drawn in 4-byte rows. Operation Code, Hardware Type, Hardware Length, Hop Count; Transaction ID; Seconds Elapsed, B (1 bit), Flags (15 bits); Client IP Address; Your IP Address; Server IP Address; Relay Agent/Gateway IP Address; Client Hardware Address (16 bytes); Server Host Name (16 bytes); Boot File Name (128 bytes); Options (variable).]
Table 5-2 complements Figure 5-2. It contains a description of the fields found inside a
DHCP packet.
Notice the absence of any authentication fields or any other security-inclined information
in the packet. The protocol is built on a free-for-all model. Whoever requests an IP address
is free to receive one, if available. When a client wants to obtain an IP address, it crafts a
DHCPREQUEST packet by filling in several of its fields. The client hardware address is
of notable interest, because it serves as a (de)multiplexer on the server side to identify
various clients. RFC 2131 reads as follows:
The combination of client identifier or client hardware address and assigned network address constitute a
unique identifier for the client’s lease and are used both by the client and server to identify a lease referred
to in any DHCP message.
It is common for DHCP servers to contain many available scopes (a range of IP addresses
that can be served), because servers handle requests from many different networks. To
select the appropriate scope for the client’s network, DHCP servers use the Gateway IP
Address field as a selector. Because the client does not yet know the IP address of its
gateway (this is its default router), the Gateway IP Address field is filled by the first router
relaying the client DHCPDISCOVER to the actual DHCP server(s). This DHCP relay uses
the IP address of the interface that received the original DHCPDISCOVER sent by the
client.
Table 5-2 Fields Found Inside DHCP Packets
Field                     Bytes   Description
Operation Code            1       1 = request, 2 = reply
Hardware Type             1       1 = 10 Mbps Ethernet, and so on
Hardware Length           1       Length of MAC address: 6 for Ethernet
Hop Count                 1       Optionally used by relay agents
Transaction ID            4       Random number chosen by client, used to associate requests/replies
Seconds Elapsed           2       Filled by client; counts seconds elapsed since start of transaction
Flags                     2       1 bit for broadcast flag, rest is zeroed
Client IP                 4       Set to zero for new requests
Your IP                   4       Address offered by server
Server IP                 4       Address to use in next step of bootstrap process; returned by DHCPOFFER/ACK
Gateway IP                4       Address of the relay agent
Client Hardware Address   16      MAC address of the client
Server Host Name          64      Optional
Boot File Name            128     Optional
Options                   Varies  -
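A parser for the fixed layout of Table 5-2 and the options that follow it, given here as an added example that is not from the original text. It shows that every field a server acts on (client hardware address, gateway IP, message type) is read straight from the packet with nothing to verify it against. The magic cookie and the option codes (53 for message type, 0 for pad, 255 for end) come from RFC 2131/2132 rather than this page, and the sample packet is constructed.

```python
import ipaddress
import struct

# Fixed 236-byte header in Table 5-2 order, network byte order.
HEADER = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")
COOKIE = bytes([99, 130, 83, 99])  # RFC 2131 magic cookie that precedes the options
TYPES = dict(enumerate(["DHCPDISCOVER", "DHCPOFFER", "DHCPREQUEST", "DHCPDECLINE",
                        "DHCPACK", "DHCPNAK", "DHCPRELEASE", "DHCPINFORM"], start=1))

def parse_options(data):
    """Walk code/length/value options; stop at End (255), reject truncation."""
    options, i = {}, 0
    while i < len(data) and data[i] != 255:
        if data[i] == 0:               # Pad: one byte, no length field
            i += 1
            continue
        if i + 2 > len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError("truncated option")
        options[data[i]] = data[i + 2:i + 2 + data[i + 1]]
        i += 2 + data[i + 1]
    return options

def parse_dhcp(payload):
    """Decode the UDP payload of a DHCP message into the fields of Table 5-2."""
    if len(payload) < HEADER.size + 4 or payload[HEADER.size:HEADER.size + 4] != COOKIE:
        raise ValueError("not a DHCP message")
    (op, _htype, hlen, hops, xid, secs, flags,
     ciaddr, yiaddr, siaddr, giaddr, chaddr, _sname, _file) = HEADER.unpack_from(payload)
    if hlen > 16:
        raise ValueError("hardware length exceeds the 16-byte field")
    options = parse_options(payload[HEADER.size + 4:])
    mtype = options.get(53, b"")       # option 53 = message type (RFC 2132)
    ip = lambda raw: str(ipaddress.IPv4Address(raw))
    return {"op": op, "hops": hops, "xid": xid, "secs": secs,
            "broadcast": bool(flags & 0x8000),
            "client_ip": ip(ciaddr), "your_ip": ip(yiaddr),
            "server_ip": ip(siaddr), "gateway_ip": ip(giaddr),
            "client_mac": chaddr[:hlen].hex(":"),
            "type": TYPES.get(mtype[0]) if len(mtype) == 1 else None,
            "options": options}

def sample_discover():
    """Constructed sample: a relayed DHCPDISCOVER; every value is made up."""
    header = HEADER.pack(1, 1, 6, 1, 0x3903F326, 0, 0x8000, bytes(4), bytes(4),
                         bytes(4), bytes([192, 0, 2, 1]),
                         bytes.fromhex("020000aabbcc"), b"", b"")
    return header + COOKIE + bytes([53, 1, 1, 0, 255])

if __name__ == "__main__":
    print(parse_dhcp(sample_discover()))
```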