Various attacks are emerging that target the Dynamic Host Configuration Protocol (DHCP). In any network with multiple DHCP clients, DHCP server availability is critical. It is important for security analysts to understand the DHCP messages that are exchanged between the DHCP server and the DHCP client, in order to effectively monitor, troubleshoot, and mitigate DHCP-based attacks. Moreover, when analyzing logs, identifying or correlating attack-related issues is easier for the security analyst who has a solid understanding of DHCP and how it functions.
In larger environments, manual address assignment can become an excessive administrative burden, especially for mobile devices that roam from one network to another many times each day. DHCP is a standard network protocol for dynamically distributing IP addresses automatically, and for setting other network configuration parameters, such as the subnet mask, default router, and DNS servers. With DHCP, computers request IP addresses and networking parameters automatically from a DHCP server, reducing the need for network administrators or users to manually configure these settings.
In an enterprise environment, a DHCP server is usually a dedicated device; in smaller deployments or some branch offices, it can be configured on DHCP-capable switches or routers.
DHCP employs a connectionless service model using UDP, and is implemented using the same two UDP port numbers as BOOTP. In fact, DHCP is implemented as an extension of BOOTP and uses BOOTP as its transport protocol. UDP port number 67 is the destination port of a DHCP server, and UDP port number 68 is used by the DHCP client.
Some of the most common messages that are exchanged between the DHCP server and the client are as follows:
When a computer or other networked device connects to a network, the DHCP client software sends out a DHCPDISCOVER message on its local physical subnet to UDP port 67. This is a broadcast message used to locate available servers.
When a DHCP server receives a DHCPDISCOVER message from a client, which is an IP address lease request, the server reserves an IP address for the client and makes a lease offer by sending a DHCPOFFER message to the client on UDP port 68. This message contains the client's MAC address, the IP address that the server is offering, the subnet mask, the lease duration, and the IP address of the DHCP server that is making the offer. The offer from the DHCP server is not a guarantee that the IP address will be allocated to the client; however, the server usually reserves the address until the client has had a chance to formally request it.
After the client receives a DHCPOFFER, it responds with a DHCPREQUEST message, indicating its intent to accept the parameters in the DHCPOFFER. A client can receive DHCP offers from multiple servers, but it will accept only one DHCP offer.
When the DHCP server receives the DHCPREQUEST message from the client, the configuration process enters its final phase. The acknowledgement phase involves sending a DHCPACK packet to the client. This packet includes the lease duration and any other configuration information that the client might have requested. At this point, the IP configuration process is complete.
The lease mechanism ensures that hosts that have been moved or are switched off for extended periods do not keep addresses that they do not use. The addresses are returned to the address pool by the DHCP server, to be reallocated as necessary.
In addition to the four most common DHCP messages, you might also see the following DHCP messages in packet captures:
- DHCPNAK: A DHCPNAK is a negative acknowledgement from the DHCP server. For example, the server sends a DHCPNAK if the client requests an address that is already in use by another client.
- DHCPDECLINE: If the DHCP client determines that the offered configuration parameters are bad, it sends a DHCPDECLINE packet to the server, and the client must begin the lease process again.
- DHCPRELEASE: When the client is ready to give up its DHCP-assigned IP address, it sends a DHCPRELEASE message.
- DHCPINFORM: A DHCP client that already has an IP address can use a DHCPINFORM message to request more information from the server. For example, browsers use DHCPINFORM to obtain web proxy settings.
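The lease bookkeeping behind the exchange above, as an added example that is not part of the original text: a toy server that reserves an address on DHCPDISCOVER, commits it on DHCPREQUEST, answers a mismatched request with DHCPNAK, and returns released addresses to the pool. Messages are modelled as strings rather than real packets, and the one-address pool and the second client's MAC are constructed values.

```python
class DhcpServer:
    """Lease bookkeeping for DISCOVER/OFFER/REQUEST/ACK plus NAK, DECLINE and RELEASE.
    Messages are modelled as strings, not real packets (illustration only)."""

    def __init__(self, pool):
        self.free = list(pool)   # addresses available to offer
        self.offered = {}        # mac -> address reserved after a DHCPOFFER (not yet a lease)
        self.leased = {}         # mac -> address committed by a DHCPACK

    def handle(self, msg_type, mac, requested_ip=None):
        """Return the server's reply as (message_type, ip), or None when it stays silent."""
        if msg_type == "DHCPDISCOVER":
            if mac in self.leased:                    # returning client is re-offered its lease
                return ("DHCPOFFER", self.leased[mac])
            if mac not in self.offered:
                if not self.free:                     # pool exhausted: no offer can be made
                    return None
                self.offered[mac] = self.free.pop(0)  # reserved until the client formally requests it
            return ("DHCPOFFER", self.offered[mac])
        if msg_type == "DHCPREQUEST":
            reserved = self.offered.get(mac) or self.leased.get(mac)
            if reserved is None or (requested_ip is not None and requested_ip != reserved):
                return ("DHCPNAK", None)              # e.g. the address is held by another client
            self.leased[mac] = self.offered.pop(mac, reserved)
            return ("DHCPACK", reserved)
        if msg_type in ("DHCPRELEASE", "DHCPDECLINE"):
            addr = self.leased.pop(mac, None) or self.offered.pop(mac, None)
            if addr and msg_type == "DHCPRELEASE":
                self.free.append(addr)                # back in the pool for reallocation
            return None                               # a DECLINEd address is left out of the pool
        return None

def run_exchange():
    """One client completes DORA; a second client finds the pool empty until the first releases."""
    server = DhcpServer(["192.168.198.1"])            # one-address pool (constructed)
    first, second = "00:0c:29:1b:a3:84", "00:0c:29:aa:bb:cc"
    trace = [server.handle("DHCPDISCOVER", first),
             server.handle("DHCPREQUEST", first, "192.168.198.1"),
             server.handle("DHCPDISCOVER", second)]  # None: nothing left to offer
    server.handle("DHCPRELEASE", first)
    trace.append(server.handle("DHCPDISCOVER", second))
    return trace
```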
The DHCP server does not have to reside directly on the same subnet as the DHCP client. Moreover, it is impractical to have a DHCP server on every subnet; most enterprise networks have a few centralized DHCP servers. The DHCP relay agent acts as an intermediary and ensures that local DHCP client requests are passed on to the centralized DHCP servers. Any Layer 3 capable device, such as a router or switch, can function as the DHCP relay agent.
The primary use of a DHCP relay agent is to forward DHCP messages from the local clients to the remote DHCP server.
When a DHCP relay agent receives a broadcast packet from a connected client, it examines the giaddr field. If the field has an IP address of 0.0.0.0, the DHCP relay agent changes the giaddr field in the DHCP packet from zero to the relay agent's IP address and forwards the message to the remote subnet where the DHCP server is located.
The DHCP server uses this IP address to select the IP address pool from which to assign an IP address to the DHCP client.
The return packets from the DHCP server are sent directly to the relay agent identified in the giaddr field. The DHCP relay agent then forwards, or relays, the reply to the DHCP client.
If you want to monitor DHCP communication between a DHCP server and a client, you can run a packet-sniffing tool, such as tcpdump or dhcpdump, on the same local network and capture the DHCP traffic. You can also run debug commands on Cisco IOS routers and switches that act as DHCP servers or relay agents, to observe DHCP traffic destined to or transiting these devices.
Below is a sample tcpdump output from a Linux machine. The tcpdump capture shows lease renewals. Typically a client sends a REQUEST when the lease lifetime is 50% used up, and an ACK from the server resets the lifetime back to its full value. Packet sniffing is enabled on port 67 (DHCP server port) and port 68 (DHCP client port). The -e parameter instructs the command to display the source and destination MAC addresses. The -n parameter instructs the command not to convert addresses to names. The -i parameter instructs the command to listen on the specified interface; here, eth0 is the name of the interface.
In the above tcpdump output, locate the DHCP request and reply messages between the client and the server. The client with the MAC address 00:0c:29:1b:a3:84 is assigned the IP address 192.168.198.1 by the DHCP server at 192.168.198.254. This output is useful for quickly analyzing the basic communication between the DHCP server and the client.
For in-depth analysis of DHCP packets, use the dhcpdump tool. The following is a sample dhcpdump output from the Linux machine on the eth0 interface.
This output is more detailed than the tcpdump output. The YIADDR field is populated with the IP address of the client, and the SIADDR field is populated with the IP address of the server. Notice the multiple Option fields in this output; these options were not visible in the tcpdump output. For example, Option 53 carries the DHCP message type; the message type in this output is DHCPACK. The DHCP client lease time in Option 51 can also be seen.
The IP address, subnet mask, default gateway, and DNS server are the minimal configuration parameters that a DHCP client requires to get online. In addition, the DHCP server provides the DNS domain name, NetBIOS name servers, and so on, which can be seen in the Options section of this output.
Apart from the configuration parameters shown in this output, the DHCP server has the flexibility to provide other configuration parameters as well. For example, lightweight access points (LWAPs) can use the information provided in Option 43 to join specific WLAN controllers. Similarly, IP phones and gateways can use the DHCP information provided in Option 150 to discover the TFTP server IP address for image download. In this way, DHCP provides an extensible framework so that vendors can implement dynamic configuration for their products and services.
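The fields that dhcpdump prints (YIADDR, SIADDR, GIADDR, the client MAC, Option 53 and Option 51) can be decoded directly from the UDP payload. The parser below is an added example, not part of the original text or of the dhcpdump tool; it is run against a DHCPACK packet constructed here from the addresses quoted above, with a made-up transaction ID and lease time of 1800 seconds.

```python
import struct
from ipaddress import IPv4Address

MAGIC_COOKIE = b"\x63\x82\x53\x63"      # marks the start of DHCP options after the BOOTP header
MSG_TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST", 4: "DHCPDECLINE",
             5: "DHCPACK", 6: "DHCPNAK", 7: "DHCPRELEASE", 8: "DHCPINFORM"}
IP_OPTIONS = {1: "subnet_mask", 3: "router", 6: "dns", 54: "server_id"}  # options holding IPv4 lists

def parse_dhcp(payload: bytes) -> dict:
    """Decode the BOOTP fixed header (RFC 2131) and the DHCP options (RFC 2132) of one UDP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message: short packet or missing magic cookie")
    op, _htype, hlen, _hops, xid, _secs, _flags = struct.unpack("!BBBBIHH", payload[:12])
    ciaddr, yiaddr, siaddr, giaddr = (str(IPv4Address(payload[o:o + 4])) for o in (12, 16, 20, 24))
    msg = {"op": "BOOTREQUEST" if op == 1 else "BOOTREPLY", "xid": xid,
           "chaddr": payload[28:28 + hlen].hex(":"),   # client hardware (MAC) address
           "ciaddr": ciaddr, "yiaddr": yiaddr,           # yiaddr: address handed to the client
           "siaddr": siaddr, "giaddr": giaddr}           # giaddr: relay agent, 0.0.0.0 if none
    i = 240
    while i < len(payload) and payload[i] != 255:       # 255 = End option
        code = payload[i]
        if code == 0:                                    # 0 = Pad option, has no length byte
            i += 1
            continue
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if code == 53 and length == 1:
            msg["message_type"] = MSG_TYPES.get(value[0], f"unknown({value[0]})")
        elif code == 51 and length == 4:
            msg["lease_time"] = struct.unpack("!I", value)[0]          # seconds
        elif code in IP_OPTIONS and length % 4 == 0:
            msg[IP_OPTIONS[code]] = [str(IPv4Address(value[k:k + 4])) for k in range(0, length, 4)]
        i += 2 + length
    return msg

def build_sample_ack() -> bytes:
    """Constructed DHCPACK (not a real capture) using the addresses quoted in the text; xid and lease are made up."""
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, 0x3903F326, 0, 0)                      # BOOTREPLY, Ethernet, hlen 6
    hdr += IPv4Address("0.0.0.0").packed + IPv4Address("192.168.198.1").packed      # ciaddr, yiaddr
    hdr += IPv4Address("192.168.198.254").packed + IPv4Address("0.0.0.0").packed    # siaddr, giaddr
    hdr += bytes.fromhex("000c291ba384").ljust(16, b"\0") + b"\0" * 192 + MAGIC_COOKIE  # chaddr, sname, file
    opts = bytes([53, 1, 5, 51, 4]) + struct.pack("!I", 1800)                        # Option 53 DHCPACK, Option 51 lease
    opts += bytes([54, 4]) + IPv4Address("192.168.198.254").packed                   # Option 54 server identifier
    opts += bytes([1, 4]) + IPv4Address("255.255.255.0").packed + bytes([255])       # Option 1 subnet mask, End
    return hdr + opts

if __name__ == "__main__":
    for field, value in parse_dhcp(build_sample_ack()).items():
        print(f"{field:>13}: {value}")
```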
As an analyst examining the partial PCAP of DHCP packets shown below, what should you suspect?
The above figure shows the result of using a tool called Yersinia to launch a DHCP attack against the DHCP server. Yersinia can generate DHCP DISCOVER requests with spoofed MAC addresses at a rapid rate to quickly exhaust the IP address pool on the DHCP server, so that all legitimate DHCP clients on the victim network are starved of the DHCP service. The attacker can then set up a rogue DHCP server on the network and perform man-in-the-middle attacks.
As shown in the Wireshark output above, a large number of DHCP discover packets are being broadcast using different spoofed MAC addresses. The DHCP server (192.168.200.1) responds with DHCP offer packets until all the available IP addresses are exhausted.
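The pattern visible in that capture, many DHCPDISCOVERs from distinct MAC addresses in a short time, is something an analyst can alert on from dhcpdump or Wireshark output. The detection below is an added example, not part of the original text: both record lists are constructed (the normal traffic reuses the client MAC from the tcpdump discussion above, the flood uses invented locally administered MACs), and the 20-MAC/5-second threshold is a placeholder to be tuned for a real network.

```python
from collections import deque

# Records in the shape a dhcpdump or Wireshark export yields: (seconds, client MAC, message type).
# Both lists are constructed for this example, not taken from a real capture.
NORMAL_TRAFFIC = [
    (0.0, "00:0c:29:1b:a3:84", "DHCPDISCOVER"),
    (0.1, "00:0c:29:1b:a3:84", "DHCPREQUEST"),
    (900.0, "00:0c:29:1b:a3:84", "DHCPREQUEST"),    # renewal at 50% of the lease
    (1800.0, "3c:22:fb:10:aa:01", "DHCPDISCOVER"),  # a second, legitimate client
]
# A starvation flood: hundreds of DISCOVERs from distinct spoofed MACs within a few seconds.
FLOOD_TRAFFIC = [(i * 0.01, f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}", "DHCPDISCOVER")
                 for i in range(300)]

def detect_starvation(records, window_s=5.0, max_macs=20):
    """Raise one alert each time the number of distinct client MACs sending DHCPDISCOVER
    inside a sliding window of window_s seconds climbs above max_macs.
    Returns a list of (timestamp, distinct_mac_count) tuples."""
    window = deque()   # (timestamp, mac) of DISCOVERs still inside the window
    counts = {}        # mac -> DISCOVERs from that mac inside the window
    alerts, alerting = [], False
    for ts, mac, msg_type in records:
        if msg_type != "DHCPDISCOVER":
            continue
        window.append((ts, mac))
        counts[mac] = counts.get(mac, 0) + 1
        while window and ts - window[0][0] > window_s:   # expire entries older than the window
            _, old_mac = window.popleft()
            counts[old_mac] -= 1
            if counts[old_mac] == 0:
                del counts[old_mac]
        if len(counts) > max_macs:
            if not alerting:                             # alert once per burst, not per packet
                alerts.append((ts, len(counts)))
                alerting = True
        else:
            alerting = False
    return alerts

if __name__ == "__main__":
    print("normal:", detect_starvation(NORMAL_TRAFFIC))   # []
    print("flood:", detect_starvation(FLOOD_TRAFFIC))     # one alert at the 21st distinct MAC
```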