What is DHCP Snooping? Part 1

Provido (Participating Member, 21 Oct 2015)
What is DHCP Snooping?

Suppose we plug a modem into a company's ethernet port and broadcast, over DHCP, "from now on I am this network's DHCP server, come to me to get your IP address." What happens once we start handing out IP addresses? You may not even need a modem for that: setting up and running a DHCP server is enough.



What is Dynamic Host Configuration Protocol (DHCP)?


When we connect to a network, an IP address must be assigned to us. Otherwise we are like a refugee on the network we joined, with no identity of our own. This is where DHCP comes in.
It assigns us an IP address along with information such as the netmask, gateway and DNS server address, so the system administrator doesn't have to assign an address by hand to everyone who connects to the network.
No extra settings are needed on the user side, and there are no IP address conflicts. Which VLAN we are in, whether we have already been assigned an address, whether a new one should be handed out: DHCP takes care of all of it.
If no rule such as "when this MAC address connects, give it this IP address" has been defined beforehand, DHCP assigns an arbitrary free address. The IP address ranges DHCP hands out can also be configured.
Likewise, options such as "assign this IP range to IT and that IP range to accounting" can be applied.




DORA Process


Discover Process:


When we connect to the network, a DHCPDISCOVER packet is sent to the entire network: our computer asks whether there is a DHCP server on the network and, if so, which one. The packet is sent to the broadcast address and contains the MAC address of our device.


Offer:


When this packet reaches the DHCP server, the server prepares a DHCPOFFER packet in which it identifies itself. It contains the server's IP address, the server's MAC address, the client's MAC address and the offered IP address. In effect it says: "I am here; if you want an IP address, I will give you one right away."


Request:


After the client receives this offer, it sends a DHCPREQUEST back to the DHCP server, telling it that it accepts the offered IP address.


Acknowledgement:


The DHCP server then sends the DHCPACK packet, containing the IP address and the other required information, to the client.



Other Concepts


Scope:


On a DHCP server, this is the IP range that is allowed to be distributed to users. In this way, we can make choices such as "distribute only addresses 50 to 150".


Exclusions:


Unlike a scope, an exclusion ensures that the specified range is not distributed. We can make definitions such as "distribute everything except addresses 50 to 150".


Leases:


Displays the list of IP addresses that DHCP has currently leased out, and to which clients.


Reservation:


Reserves a specific IP address for a specific device. For example, we can make sure the boss's MAC address always receives the same IP address.



Rogue DHCP Attack

If someone has set up a fake DHCP server on the network, that server can answer when users broadcast to ask who the DHCP server is. The attacker sends a spoofed DHCP packet to the client carrying an IP address that the attacker himself assigned.
At that point the user is, in effect, a client of the attacker's DHCP server. The attacker can then monitor the network traffic of the users connected to his DHCP server and redirect them to his own page instead of the address they wanted to reach.
After that, attacks such as phishing for the victim's RDP, e-mail or enterprise platform credentials are limited only by the attacker's imagination. It can also lead to man-in-the-middle attacks, as well as to network packets never reaching their destination.
As a result, all packets pass through the attacker's DHCP server and he controls what happens to them. This attack is called a Rogue DHCP Attack.
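The DORA exchange above and the rogue-server scenario just described can both be seen in the DHCP messages themselves. The following parser and check are an added example (not code from the original post): it reads the BOOTP header and the DHCP options that matter (message type, server identifier, router, DNS) and, in the spirit of DHCP snooping, flags any OFFER or ACK whose server identifier is not on a trusted list. The packets are constructed inline for the test; the trusted address 192.168.1.1 and the rogue address 192.168.1.11 follow the gateway and "nearby address" values used later in the post.

```python
# Added example, not from the original post: minimal DHCP parser plus a
# snooping-style check that flags server messages from untrusted servers.
import struct
from ipaddress import IPv4Address

MAGIC = b"\x63\x82\x53\x63"          # DHCP magic cookie at BOOTP offset 236
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}

def parse_dhcp(payload: bytes) -> dict:
    """Return op, offered address, client MAC and key options of one message."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    op, _htype, hlen = struct.unpack("!BBB", payload[:3])
    info = {"op": op, "yiaddr": str(IPv4Address(payload[16:20])),
            "chaddr": payload[28:28 + hlen].hex(":")}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 255:                # end-of-options marker
            break
        if code == 0:                  # pad byte, no length field
            i += 1
            continue
        length, data = payload[i + 1], payload[i + 2:i + 2 + length] if False else payload[i + 2:i + 2 + payload[i + 1]]
        if code == 53:
            info["type"] = MSG_TYPES.get(data[0], f"type{data[0]}")
        elif code == 54:
            info["server_id"] = str(IPv4Address(data[:4]))
        elif code == 3:
            info["router"] = str(IPv4Address(data[:4]))
        elif code == 6:
            info["dns"] = str(IPv4Address(data[:4]))
        i += 2 + length
    return info

def snoop(payload: bytes, trusted_servers: set) -> dict:
    """Like a switch's DHCP snooping: server replies only from trusted sources."""
    info = parse_dhcp(payload)
    if info.get("type") in ("OFFER", "ACK") and info.get("server_id") not in trusted_servers:
        info["alert"] = (f"rogue DHCP server {info.get('server_id')} gave "
                         f"{info['yiaddr']} to {info['chaddr']}")
    return info

def build_server_msg(msg_type, server_id, yiaddr, router, dns, chaddr: bytes) -> bytes:
    """Construct a sample server reply (test data, not a real capture)."""
    hdr = struct.pack("!BBBB", 2, 1, 6, 0) + b"\x00" * 12      # op=BOOTREPLY, ethernet
    hdr += IPv4Address(yiaddr).packed + b"\x00" * 8            # yiaddr, siaddr, giaddr
    hdr += chaddr + b"\x00" * 10 + b"\x00" * 192               # chaddr, sname, file
    opts = bytes([53, 1, msg_type, 54, 4]) + IPv4Address(server_id).packed
    opts += bytes([3, 4]) + IPv4Address(router).packed
    opts += bytes([6, 4]) + IPv4Address(dns).packed + b"\xff"
    return hdr + MAGIC + opts
```

On a real network the same decision is made by the switch, which only accepts OFFER/ACK messages arriving on ports marked as trusted; here it is emulated on parsed packets.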

First, we explore the network to obtain information such as the netmask, DNS server and gateway. Then we need to find an unused IP address and assign it to ourselves. To hand out IP addresses to newly connected devices during the attack, it is also useful to identify idle IP ranges so as to avoid IP conflicts.

After the discovery phase is over, let’s set eth0 on our device to an unused IP address that we already determined. This address will now belong to our fake DHCP.

[screenshot]

Then, on the Kali machine, we create a network sub-interface that will route the other devices on the network through our DHCP server; we will then hand this sub-interface out as the default gateway to the fake DHCP clients.

[screenshot]

Let's assign an unused IP address to our new network sub-interface, eth0:1. Addresses close to the real default gateway are a good choice for staying inconspicuous. For example, if the default gateway is 10.1.1.1, use 10.1.1.11; if the default gateway is 10.1.1.254, use 10.1.1.251.

Now we need to enable IP forwarding on our machine. Note that this setting is lost when the machine restarts, so remember to check it again in that case.

[screenshot]

Then we need to set the default gateway for our eth0:1 network sub-interface: we point it at the network's actual default gateway (192.168.1.1). In this way, packets that reach us pass through our fake DHCP server and then continue to the real gateway, so at first glance nobody on the network notices the attack, because traffic keeps flowing. Of course, if we want to disrupt the flow of traffic on the network, that is a different matter.

[screenshot]

With the following command, we print the routing table. A "Genmask" of 0.0.0.0 means that traffic for any unknown destination must be sent to the 192.168.1.1 gateway. In the flags column (UG), G marks the route as going through a gateway.

Now let's move on to the attack phase. Let's open Metasploit with the command "msfconsole" in a new terminal. We will use a module that creates a fake DHCP server.

Msfconsole

Code:
msf > use auxiliary/server/dhcp


Let’s see what we need to use with the show options command.

[screenshot]

Remember when we first discovered the network and took note of the idle IP ranges? We will need them here. We enter the start of the IP range in DHCPIPSTART and the end of the range in DHCPIPEND. As you can see, these values aren't mandatory.
Next we set the DNSSERVER option so that users still get answers when they request the web pages they want to visit. If users cannot reach their web pages, they will probably report a problem to the network administrator and our attack will be exposed.
We set DNSSERVER to "8.8.8.8", Google's DNS server. In SRVHOST we enter the local IP address of our machine, and we set the network mask. Again, we set NETMASK to the netmask of the real DHCP server to avoid problems with network traffic.
Finally, by setting the ROUTER value to the address we determined earlier, we give the module the data it needs.

To be Continued...


Source: https://www.turkhackteam.org/siber-guvenlik/1923293-dhcp-snoopnig-nedir-part-1-realystar.html

Translator: Provido