From charlesreid1

Revision as of 03:25, 20 June 2026 by Admin (talk | contribs)

A rogue DHCP server attack involves an attacker setting up their own DHCP server on the local network and answering clients' DHCP requests before the legitimate DHCP server does. Because a client accepts the first offer it receives, the attacker ends up controlling the client's entire IP configuration.

Abused handshake procedure:

  • Client to DHCP servers: DHCP discover (broadcast) <--- unchanged from the normal handshake; every server on the segment sees it
  • Rogue DHCP server to Client: DHCP offer (unicast) <--- rogue DHCP server responds before the legitimate server
  • Client to Rogue DHCP server: DHCP request (broadcast) <--- the client names the rogue server's offer; the legitimate server sees it lost the race
  • Rogue DHCP server to Client: DHCP ack (unicast)

Why is this useful?

This type of attack gives you total control over the network configuration of a sheep, which makes it easy to do what you'd like: sniff traffic, tamper with traffic, or create a denial of service. As an example, suppose a sheep and a rogue DHCP server are on the same network, 192.168.10.X. The sheep broadcasts a DHCP discover to the whole segment. The rogue DHCP server answers with an offer before the legitimate server does. The sheep then broadcasts a DHCP request for that offer, and the rogue DHCP server responds with an acknowledgement that assigns the following network configuration:

IP Address: 10.10.10.101
Subnet Mask: 255.255.255.0
Default Routers: 10.10.10.1
DNS Servers: 192.168.10.4, 192.168.10.5
Lease Time: 10 days

What's wrong with this picture?

  • First, the assigned IP address and default router are on a different subnet (10.10.10.0/24) from the rest of the network (192.168.10.0/24). The sheep can no longer reach any local host directly, so the attacker has effectively cut it off from the real network at the IP layer, and the 10-day lease keeps it that way long after the rogue server goes quiet.
  • The attacker's machine is the default gateway (10.10.10.1), meaning all network traffic to and from the client passes through the attacker.
  • The attacker also dictates the DNS servers and, as the gateway, sits in the path to them, meaning they can monitor and/or tamper with DNS requests from the client and redirect it to, e.g., fake versions of various websites.

Countermeasures:

  • DHCP snooping on the switches: only ports facing the trusted DHCP server are allowed to send DHCP server messages (offer/ack), and offers arriving on any other port are dropped
  • maintain a known-good relationship with the trusted DHCP server: record which server identifier (DHCP option 54) hands out leases and alert when a lease comes from anywhere else
  • identification of new DHCP servers: periodically send a DHCP discover of your own and log every server that answers, not just the one that answers first
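The checks below, as an added example that is not part of the original page, implement the last two countermeasures over the handshake described above: they parse DHCP offer/ack messages (the fixed BOOTP header followed by the options TLV list after the magic cookie) and flag a lease whose server identifier (option 54) is not the trusted server, or whose offered address or default router falls outside the expected local network. Those are exactly the properties that distinguish the page's rogue lease (10.10.10.101 via gateway 10.10.10.1) from a legitimate one. The trusted server 192.168.10.1, the local network 192.168.10.0/24 and the two sample packets are constructed assumptions, as is the `build_dhcp` helper used only to make that sample traffic; in a real deployment the packets would come from a mirror port or from a host that sends its own DISCOVER and collects every OFFER on the wire, not only the one a client accepted.

```python
"""Parse DHCP OFFER/ACK messages and flag leases that do not come from the trusted server.

Added example, not the page's own code. Trusted server, local network and the
sample packets built with build_dhcp() are constructed assumptions.
"""
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"          # RFC 2131 options magic cookie
BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"    # fixed BOOTP header: op..file, 236 bytes
OPT_SUBNET_MASK, OPT_ROUTER, OPT_DNS = 1, 3, 6
OPT_LEASE, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 51, 53, 54, 255
DHCP_OFFER, DHCP_ACK = 2, 5


def build_dhcp(msg_type, yiaddr, server_id, mask, router, dns, lease, xid=0x3903F326):
    """Build a minimal DHCP OFFER/ACK (op=2, BOOTREPLY). Used only to construct sample traffic."""
    def ip(addr):
        return ipaddress.ip_address(addr).packed

    header = struct.pack(BOOTP_FMT, 2, 1, 6, 0, xid, 0, 0,
                         b"\0" * 4, ip(yiaddr), ip(server_id), b"\0" * 4,
                         bytes.fromhex("001122334455").ljust(16, b"\0"),  # client MAC, padded
                         b"\0" * 64, b"\0" * 128)
    dns_bytes = b"".join(ip(d) for d in dns)
    options = (bytes([OPT_MSG_TYPE, 1, msg_type])
               + bytes([OPT_SERVER_ID, 4]) + ip(server_id)
               + bytes([OPT_SUBNET_MASK, 4]) + ip(mask)
               + bytes([OPT_ROUTER, 4]) + ip(router)
               + bytes([OPT_DNS, len(dns_bytes)]) + dns_bytes
               + bytes([OPT_LEASE, 4]) + struct.pack("!I", lease)
               + bytes([OPT_END]))
    return header + MAGIC_COOKIE + options


def parse_dhcp(pkt):
    """Return the interesting BOOTP fields and a {code: raw value} map of DHCP options."""
    fixed = struct.calcsize(BOOTP_FMT)
    f = struct.unpack(BOOTP_FMT, pkt[:fixed])
    if pkt[fixed:fixed + 4] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (magic cookie missing)")
    options, i = {}, fixed + 4
    while i < len(pkt):                 # walk the type-length-value option list
        code = pkt[i]
        if code == OPT_END:
            break
        if code == 0:                   # pad option carries no length byte
            i += 1
            continue
        length = pkt[i + 1]
        options[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": f[0], "xid": f[4], "yiaddr": ipaddress.ip_address(f[8]), "options": options}


def check_offer(pkt, trusted_servers, local_net):
    """Return findings for an OFFER/ACK; an empty list means the lease looks legitimate."""
    msg = parse_dhcp(pkt)
    opts = msg["options"]
    if opts.get(OPT_MSG_TYPE, b"\0")[0] not in (DHCP_OFFER, DHCP_ACK):
        return []                       # only server replies carry a lease to judge
    net = ipaddress.ip_network(local_net)
    findings = []
    server = ipaddress.ip_address(opts[OPT_SERVER_ID])
    if str(server) not in trusted_servers:
        findings.append(f"server identifier {server} is not a trusted DHCP server")
    if msg["yiaddr"] not in net:
        findings.append(f"offered address {msg['yiaddr']} is outside {net}")
    router = ipaddress.ip_address(opts[OPT_ROUTER][:4])
    if router not in net:
        findings.append(f"default router {router} is outside {net}")
    return findings


# Assumed trusted DHCP server and local network for the page's 192.168.10.X example.
TRUSTED_DHCP = {"192.168.10.1"}
LOCAL_NET = "192.168.10.0/24"

# Constructed sample traffic: a legitimate offer and the rogue lease from the page.
LEGIT_OFFER = build_dhcp(DHCP_OFFER, "192.168.10.57", "192.168.10.1", "255.255.255.0",
                         "192.168.10.1", ["192.168.10.4", "192.168.10.5"], 86400)
ROGUE_OFFER = build_dhcp(DHCP_OFFER, "10.10.10.101", "10.10.10.1", "255.255.255.0",
                         "10.10.10.1", ["192.168.10.4", "192.168.10.5"], 10 * 86400)


def audit(packets, trusted=TRUSTED_DHCP, local_net=LOCAL_NET):
    """Run check_offer over a {name: packet} map of captured DHCP replies."""
    return {name: check_offer(pkt, trusted, local_net) for name, pkt in packets.items()}


if __name__ == "__main__":
    for name, findings in audit({"legit": LEGIT_OFFER, "rogue": ROGUE_OFFER}).items():
        print(name, "OK" if not findings else findings)
```

The server-identifier check is the one that catches a rogue server even when it hands out addresses inside the real subnet (a quieter variant of the attack that changes only the gateway or DNS), so an allow-list of server identifiers is the check to keep if you keep only one.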
