November 3, 2021
DHCP is an essential Windows networking protocol and a favorite among network admins. Let’s go over the basics of DHCP allocation and review common DHCP Spoofing techniques. Stay tuned for part 2 in this series for some more advanced DHCP pitfalls and less-commonly known caveats.
DHCP (Dynamic Host Configuration Protocol) is an application layer network management protocol that provides a quick, automatic and central system for the distribution and assignment of IP addresses and TCP/IP configuration information for clients in a network.
DHCP can be used to assign subnet mask information, default gateway IP addresses, domain name system (DNS) addresses, and more. Another feature of DHCP configurations is that they are time-bound by the DHCP Lease Time, which determines how often they will need to be renewed.
Before we move on to describe DHCP spoofing and poisoning techniques, let’s review the basic workings of the DHCP networking protocol.
In a normal scenario, when a client first connects to a new DHCP network, the process is as follows:
The “classic” scenario we just described can take many variations. Here’s a short list of a few other possible vectors:
Needless to say, the DHCP protocol is a powerful network configuration tool that can simplify life for network administrators. The problem arises when unsuspecting network administrators are not well aware of all that makes the DHCP protocol susceptible to attack.
By default, the DHCP protocol uses no form of authentication and is sent on broadcast, so potentially any device on the network could receive and possibly tamper with the messages. Let’s consider what could happen if an attacker were to combine attacks – for example, DHCP starvation and Rogue DHCP – to launch a Man-In-The-Middle attack (MITM).
In a DHCP starvation attack, an attacker sends the DHCP server multiple DHCPREQUEST messages with spoofed source MAC addresses within a short time span in order to deplete the server’s pool of available IP addresses and prevent a race condition. The “starved” DHCP server will not respond to new DHCP requests until a new address becomes available.
A DHCP starvation attack sets the stage for the attacker to pass himself off as the DHCP server and send out spoofed messages to trick other clients on the network.
Now the attacker can set up his own rogue DHCP server, listen for incoming broadcast requests, and send out spoofed responses with malicious configurations. Usually, the attacker will aim to set himself as the DNS server and default gateway for the clients.
The attacker will open port 53 on his machine for DNS activity, so that every DNS resolution request will reach his machine, allowing him to choose when to answer with his own hostname.
Running a penetration test is the only sure way to test your network’s vulnerability to DHCP spoofing attacks. A simple, quick, and automated way to run such a pen test in a safe and controlled environment is to use an automated penetration testing platform, such as Pentera.
In a forced authentication scenario, Pentera – if you’re lucky, or a savvy attacker, if you’re less lucky – aims to obtain the victim’s NetNTLM hash. Here’s how it can happen –
Once attackers have obtained NetNTLM hashes, their options for further exploiting the network and chances of success are staggeringly high. Still, even if you’ve already disabled NTLM authentication, that’s great, but it certainly doesn’t mean you’re in the clear. Stay tuned for the next part in this series to learn how DHCP misconfigurations can be exploited to expose port 139 and get some expert best practice recommendations.
Unfortunately, there isn’t a simple fix that can hermetically block DHCP spoofing. Protecting your network involves a methodology known as DHCP snooping, a set of techniques aimed at reducing and mitigating the impact of DHCP spoofing attacks. It can be configured on LAN switches to prevent malicious or malformed DHCP traffic and block rogue DHCP servers.
DHCP snooping involves monitoring your DHCP traffic. This can be done by compiling information on hosts which have successfully completed a DHCP transaction in a database of “bindings” and use security or accounting features to monitor the traffic.
We hope you’re now ready to review your DHCP policies, apply DHCP snooping policies in your network systems and devices, and validate your security posture for compliance.
Ivanti Ground Zero On January 10, 2024, Ivanti disclosed two vulnerabilities, CVE-2023-46805 and CVE-2024-21887, impacting its Ivanti Connect Secure and Ivanti Policy Secure products in supported versions (9.x and 22.x). Successful exploitation can result in authentication bypass and command injection, leading to unauthenticated remote code execution and lateral movement inside the victim’s network. Then on […]
WebLogic is a popular enterprise middleware tool that orchestrates the interaction between backend systems and frontend clients. This makes it a valuable tool for attackers, who can exploit it to access and influence a wide range of organizational applications. In this blog post, we explore how to install a persistent backdoor on WebLogic Server. We […]
Today’s security leaders must manage a constantly evolving attack surface and a dynamic threat environment due to interconnected devices, cloud services, IoT technologies, and hybrid work environments. Adversaries are constantly introducing new attack techniques, and not all companies have internal Red Teams or unlimited security resources to stay on top of the latest threats. On […]