- 21 Oct 2015
First of all, hello. In this post I will cover the last part of our DHCP snooping topic.
For those who haven't read the previous section: https://www.turkhackteam.org/siber-...opnig-nedir-part-1-realystar.html#post9103100
In the SRVHOST option we enter the local IP address of our machine and set the network mask. Again, we use the same netmask as the real DHCP server to avoid problems with network traffic. Finally, we set the ROUTER value to the address we decided on earlier (normally our own machine, which is what makes the clients' traffic pass through us), and the module has the data it needs.
Before starting our DHCP server, let's check what is happening on the network and the status of the real DHCP server.
Two IP addresses are currently leased from the DHCP server. Let's lease the address range we configured for the fake DHCP server, so that those addresses are later ours to hand out to clients that ask us. First, open another terminal to lease the addresses in bulk (a DHCP starvation attack); the following command requests every leasable address:
Code:
pig.py eth0:1
If we take one last look at the DHCP server, we see that all of its addresses are now leased, to clients with random names. Those names might draw attention, and there may be a way to give them realistic names, but let's focus on the attack for now.
Now that we have plenty of IP addresses to hand out and a fake DHCP server waiting to be started, we are ready to attack. Go back to the tab with the module and enter the run command.
Clients that request an address will now come to us. Because we answer like a legitimate DHCP server and the traffic keeps flowing, the network admin will not easily notice anything; nothing breaks unless we break it deliberately, and since the ROUTER option points at our machine, all of the clients' traffic passes through us. Internal network, external network, web pages: we can monitor everything and modify packets.
Good method...
Let's check whether we are now the DHCP server.
The image at this point in the original post shows a captured request to port 80, i.e. a web page request, going through our machine.
Detection of Fake DHCP Servers on the Network
Wireshark
For this it is enough to watch the packets on the network, and Wireshark is the ideal tool for it; we use it not only for attacks but also on the blue-team side, for spotting faults and anomalies on the network. Typing bootp.type == 2 into the filter bar (dhcp.type == 2 in Wireshark 3.0 and later, where the BOOTP dissector was renamed to DHCP) shows only BOOTP replies, i.e. DHCP Offer, ACK and NAK messages. Only DHCP servers send these. If a reply comes from an address other than your DHCP server's, its sender is a fake DHCP server; the Server Identifier option (54) in the reply shows the address the rogue is advertising itself under.
Let's give another example. Below we see DHCP traffic. The MAC address f0:de:f1:a3:5d:d6 is the newcomer on our network, the only newly connected host. 00:18:0a:40:05:34 is the MAC address of the real DHCP server on the network. Following the DORA process (Discover, Offer, Request, Acknowledge), our user called out for a DHCP server with a Discover and obtained an IP address from it.
The Wireshark output below is a little longer. The device with MAC address 00:18:0a:10:8b:e0 appears repeatedly in the communication between the DHCP server and the host that wants an address. It took part in the DORA process and sent DHCP NAK (Negative Acknowledgement) packets, i.e. it rejected the address requests. Since the real DHCP server is not the one doing this, we have found that someone put a fake DHCP server on the network: 00:18:0a:10:8b:e0 is our fake DHCP server.
Tcpdump
With tcpdump, we follow the UDP packets going from source port 67 (the server side) to destination port 68 (the client side), i.e. the server replies. The command below does this; -l gives line-buffered output so it can be piped, -n skips name lookups, and -v makes tcpdump decode the DHCP options, so the message type and the Server-ID of every reply are visible:
Code:
tcpdump -i eth0 -l -n -v udp src port 67 and udp dst port 68
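The following stand-alone Python script is an added example for this page, not code from the original post. It applies the same rule as the Wireshark filter above (bootp.type == 2 / dhcp.type == 2: look only at BOOTP replies, and every reply must come from a known server) together with the NAK-counting heuristic from the second capture, over the same kind of frames the tcpdump filter selects. It builds and parses raw BOOTP/DHCP payloads itself, so it needs neither Wireshark nor scapy. The frames are constructed for the example: the MAC addresses are the ones quoted above, while the server addresses 192.168.1.1 and 192.168.1.200, the leased addresses and the transaction ID are made up.

```python
"""Rogue DHCP server detection over raw BOOTP/DHCP payloads (added example)."""
import socket
import struct
from collections import Counter

BOOTP_HDR = "!BBBBIHH4s4s4s4s16s64s128s"   # fixed 236-byte BOOTP header
MAGIC = b"\x63\x82\x53\x63"                 # DHCP magic cookie
BOOTREQUEST, BOOTREPLY = 1, 2
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_dhcp(op, xid, client_mac, msg_type, server_id=None, yiaddr="0.0.0.0"):
    """Build a BOOTP/DHCP payload (everything after the UDP header)."""
    header = struct.pack(
        BOOTP_HDR, op, 1, 6, 0, xid, 0, 0,
        b"\0" * 4, socket.inet_aton(yiaddr), b"\0" * 4, b"\0" * 4,
        mac_bytes(client_mac).ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    options = bytes([53, 1, msg_type])                        # option 53: message type
    if server_id:
        options += bytes([54, 4]) + socket.inet_aton(server_id)  # option 54: Server-ID
    return header + MAGIC + options + b"\xff"                 # 255 = end of options


def parse_dhcp(payload):
    """Return the fields a detector needs: op, xid, yiaddr, chaddr, type, Server-ID."""
    f = struct.unpack(BOOTP_HDR, payload[:236])
    if payload[236:240] != MAGIC:
        raise ValueError("not a DHCP packet (magic cookie missing)")
    info = {"op": f[0], "xid": f[4], "yiaddr": socket.inet_ntoa(f[8]),
            "chaddr": mac_str(f[11][:f[2]]), "msg_type": None, "server_id": None}
    i = 240
    while i < len(payload) and payload[i] != 255:
        code = payload[i]
        if code == 0:                    # pad option has no length byte
            i += 1
            continue
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if code == 53:
            info["msg_type"] = MSG_TYPES.get(value[0], str(value[0]))
        elif code == 54:
            info["server_id"] = socket.inet_ntoa(value)
        i += 2 + length
    return info


def find_rogue_replies(frames, trusted_macs, trusted_server_ids):
    """Flag every BOOTP reply whose source MAC or Server-ID option is unknown."""
    findings = []
    for src_mac, payload in frames:
        p = parse_dhcp(payload)
        if p["op"] != BOOTREPLY:         # same scope as bootp.type == 2
            continue
        if src_mac not in trusted_macs or (
                p["server_id"] and p["server_id"] not in trusted_server_ids):
            findings.append({"src_mac": src_mac, "server_id": p["server_id"],
                             "msg_type": p["msg_type"], "xid": p["xid"]})
    return findings


def nak_counts(frames):
    """NAKs per source MAC: a host NAKing other servers' leases is suspicious."""
    return Counter(src for src, payload in frames
                   if parse_dhcp(payload)["msg_type"] == "NAK")


# Constructed DORA exchange: real server 00:18:0a:40:05:34, rogue 00:18:0a:10:8b:e0.
CLIENT, REAL_SERVER, ROGUE = "f0:de:f1:a3:5d:d6", "00:18:0a:40:05:34", "00:18:0a:10:8b:e0"
XID = 0x3903F326
SAMPLE_FRAMES = [
    (CLIENT, build_dhcp(BOOTREQUEST, XID, CLIENT, 1)),                                   # DISCOVER
    (REAL_SERVER, build_dhcp(BOOTREPLY, XID, CLIENT, 2, "192.168.1.1", "192.168.1.50")),  # OFFER
    (ROGUE, build_dhcp(BOOTREPLY, XID, CLIENT, 2, "192.168.1.200", "192.168.1.210")),     # rogue OFFER
    (CLIENT, build_dhcp(BOOTREQUEST, XID, CLIENT, 3, "192.168.1.1")),                     # REQUEST
    (ROGUE, build_dhcp(BOOTREPLY, XID, CLIENT, 6, "192.168.1.200")),                      # rogue NAK
    (REAL_SERVER, build_dhcp(BOOTREPLY, XID, CLIENT, 5, "192.168.1.1", "192.168.1.50")),  # ACK
]

if __name__ == "__main__":
    for hit in find_rogue_replies(SAMPLE_FRAMES, {REAL_SERVER}, {"192.168.1.1"}):
        print("rogue DHCP reply:", hit)
    print("NAKs per source:", dict(nak_counts(SAMPLE_FRAMES)))
```

Run against the sample, the script reports two rogue replies (the Offer and the NAK from 00:18:0a:10:8b:e0) and one NAK charged to that MAC. To use it on real traffic, feed it (source MAC, UDP payload) pairs from a capture and put your real server's MAC and Server-ID in the allowlists; checking both is deliberate, because a rogue can spoof either field but rarely keeps both consistent with the genuine server.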
DHCP Snooping Definition and Configuration
Cisco developed DHCP snooping to prevent these attacks. With it, DHCP server messages are accepted only from designated points: switch ports are classified as trusted and untrusted. Server messages (Offer, ACK, NAK) are forwarded only when they arrive on a trusted port; if they arrive on an untrusted port they are dropped, while client messages (Discover, Request) are still allowed from untrusted ports, so normal clients keep working. For this, the DHCP snooping feature must be enabled on the switches concerned:
Code:
Switch> enable
Switch# conf t
Switch(config)# ip dhcp snooping
To disable the feature again:
Code:
Switch(config)# no ip dhcp snooping
After enabling the feature globally, we specify which VLANs it applies to (a list or range such as 10,20 or 10-20 is also accepted):
Code:
Switch(config)# ip dhcp snooping vlan 1
Next we define the trusted ports. For this we enter the configuration of the interface we have chosen, normally the uplink towards the real DHCP server (or the port the server is plugged into directly), and mark it trusted. If the uplink is left untrusted, the real server's Offers are dropped as well and no client on the switch gets an address. FastEthernet 0/1 below is only an example port name:
Code:
Switch(config)# interface fastEthernet 0/1
Switch(config-if)# ip dhcp snooping trust
To check the DHCP snooping settings we use the command below; with binding at the end, the switch shows the table it has built of which IP address was leased to which MAC address, on which port and VLAN:
Code:
Switch# show ip dhcp snooping
Switch# show ip dhcp snooping binding
Now nobody except our DHCP server can hand out addresses. But another problem remains: users can exhaust the address pool by requesting addresses over and over (DHCP starvation, which is exactly what pig.py did above). We have to prevent that too.
For this it makes sense to set a rate limit on all untrusted ports, i.e. how many DHCP packets per second a port may send towards the DHCP server. It must be at least two packets per second so that a user can still get an address.
As mentioned earlier, a client first sends a Discover asking who the DHCP server is and then a Request confirming that it wants the offered address. If the limit were below two packets per second, a client could trip it during a normal exchange and fail to get an address.
Code:
Switch(config)# interface fastEthernet 0/2
Switch(config-if)# ip dhcp snooping limit rate 2
If a user sends more than two DHCP packets per second, the excess packets are dropped and the port is put into the err-disabled state, i.e. shut down; an admin has to bring it back with shutdown / no shutdown, or the switch can do it automatically with errdisable recovery cause dhcp-rate-limit. If needed, a limit can also be set on trusted ports, with a much higher value, since the uplink carries the DHCP traffic of every client.
Untrusted ports can no longer fire off requests rapidly, but they can still drain the pool by sending them more slowly. Starvation tools obtain each lease from a different source MAC address, so we can cap the number of MAC addresses allowed on a port with port security, which in turn caps the number of leases that port can collect. (Tools that only vary the client hardware address inside the DHCP packet while keeping the same Ethernet source MAC are caught by DHCP snooping's MAC address verification, ip dhcp snooping verify mac-address, which is on by default.) Port security requires the port to be in access or trunk mode, hence the switchport mode access line.
Code:
Switch(config)# interface fastEthernet 0/2
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 3
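The steps above put together as one complete running configuration for a Cisco IOS access switch, added here as an example and not taken from the original post. The interface names, VLAN 10, the rate of 10 packets per second (the 2 used above works but is tight for a port with an IP phone and a PC behind it), the flash file name and the recovery interval are assumptions; adjust them to your switch.

```cisco
! Complete DHCP snooping configuration (added example, not from the original post).
! Interface names, VLAN 10, the rate limit and the flash file name are assumptions.
!
ip dhcp snooping
ip dhcp snooping vlan 10
! IOS inserts relay option 82 into client requests by default; many DHCP servers
! discard requests carrying it with giaddr 0.0.0.0, so turn it off unless your
! server is configured to accept it.
no ip dhcp snooping information option
! Keep the binding table across reboots (DAI and IP Source Guard rely on it).
ip dhcp snooping database flash:dhcp-snooping.db
! Bring ports shut down by the rate limit back up automatically after 5 minutes.
errdisable recovery cause dhcp-rate-limit
errdisable recovery interval 300
!
interface GigabitEthernet0/1
 description Uplink towards the real DHCP server
 switchport mode trunk
 ip dhcp snooping trust
!
interface range FastEthernet0/2 - 24
 description User access ports (untrusted: server replies are dropped here)
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 10
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation restrict
!
end
! Verification, in exec mode:
show ip dhcp snooping
show ip dhcp snooping binding
show errdisable recovery
```

Order matters on a live switch: mark the uplink trusted in the same session as enabling snooping on the VLAN, otherwise the real server's replies are dropped and clients that are renewing lose their leases. The verify mac-address check (chaddr must match the Ethernet source MAC) is on by default and does not need to be configured; the violation restrict mode keeps the port up and only drops frames from extra MAC addresses, which is friendlier in a user VLAN than the default shutdown mode.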
Source: https://www.turkhackteam.org/siber-guvenlik/1923455-dhcp-snoopnig-nedir-part-2-realystar.html
Translator: Provido