Tuesday, 3 November 2015

DHCP Protocol And Its Vulnerabilities

Its been a while since I have posted anything. This post and next one will be a part DHCP Spoofing Attack. I want to explain the theory and application of a wonderful experiment i have performed recently. This post is strictly dedicated for theory and next one will be explaining the practical side. In this post we will be going through the working of DHCP protocol. We will also see why the protocol is vulnerable and how a malicious attacker can accomplish an MITM attack.

You might have connected to some networks and might have done configuring the network properties manually. These are the cases where DHCP server is not present. DHCP is used to automatically obtain the network configuration rather than manually setting them by the user.

DHCP stands for Dynamic Host Configuration Protocol. On the first time you are connecting to a network your system wont have an IP address, what it does is broadcast a DHCP DISCOVER packet to the network. Now once the DHCP server receives the packet it will allocate an unused IP address for you and sends it back along with other network details like Subnet Mask, DNS, Default Gateway etc. Then your system again broadcasts a DHCP REQUEST packet for fixing the received IP address and other details. To this the DHCP server responds with a final DHCP ACK. Now on, the system will use the newly obtained IP address and other network properties for communication. If you have connected to the network earlier you system might start with the DHCP REQUEST packet instead, with all the configuration of the previous connection.

The real problem with the above scenario is that all the packets are send in plain text, anybody listening on the network can see what is happening. In the case of wireless networks all the packets are sent in the air free to be captured. Now what an attacker can do is, he can listen to the network for DHCP discover packets and once he receives one intended for the DHCP server he can forge fake replies, if his reply reach the client first it will be accepted. Now further the attacker can send fake network details to the client, the most important will be the gateway as all the traffic to the internet will be sent to the gateway. What the attacker will do is send his address as the gateway address along with wrong value for DNS, probably his address itself. Once the victim accepts these details all the packets will be sent to the attacker thinking that he is the original gateway. Further on the attacker can do anything. He can forward the packets to the original gateway, he can drop them, reply back or anything a man in the middle is capable of. These type of attacks are known as DHCP spoofing attacks and are yet to be fixed on many networks. Tools like ettercap makes these attacks very easy to perform.

You can use softwares like wireshark and filter for BOOTP packets to analize and learn more about the DHCP protocol. In fact here is a wireshark capture for you. You can download it and open in wireshark to see the packets. In our next post we will see how to accomplish this attack and how to increase the potency of this attack by coupling it with other attacks like phishing.