Network Takedown Part 2: Rogue DHCP Server with DHCP Starvation and Rogue Routing
Welcome to part 2 of the Network Takedown series where we feature tutorials that take on the core functionality of a corporate network and bend them to our will.
In this tutorial we will take down our network’s legitimate DHCP server, setup our own rogue DHCP server, then send traffic to our rogue router where it can be sniffed all without the end user noticing.
Configure our rogue router in Kali. This router will be used as the default gateway option in our rogue server’s DHCP scope.
Use pig.py to take down the legitimate network DHCP server by using DHCP starvation. For those of you who don’t know, DHCP starvation is the process by which the attacking client, using pig.py in this case, requests all of the available IP addresses from the DHCP server leaving none leftover for new clients on the network to use. This is a highly effective attack as most DHCP servers typically run their DHCP leases for multiple hours if not multiple days, thus requiring you to maintain this attack infrequently.
Setup a DHCP server and router on our on our Kali machine connected to the target network and start handing out addresses with the default gateway set to our recently setup router.
Sniff all the network traffic of our DHCP clients as it passes through our router.
A machine running Kali Linux.
A victim DHCP server. I will be using Server 2008.
A victim client machine.
A network switch.
An Internet connection with router (optional).
Only execute this attack on networks you own or are givin permission to pen test against. As with any attack there is always the risk of network function interruption. In the case of this attack you will be forcing the network traffic of your rogue DHCP clients through your Kali machine while sniffing that same network traffic. Needless to say things have the potential to get a bit slow depending on the speed of your Kali Machine. Additionally, you will be high-jacking all of the available IP addresses leases of your victim DHCP server. When you shut down your rogue DHCP server it will leave any new host to the network out in the cold with no new DHCP addresses available.
The first thing you will want to do is a little network recon. Set your Kali boxes eth0 to DHCP and find out that address space the network is using as well as its netmask, DNS server and default gateway. Additionally you may want to do a basic non-intrusive network sweep to find any large gaps of unused IP addresses you can use for your rogue DHCP server. Write all this information down as you will need it later.
Once your recon is complete set the eth0 on your Kali machine to an unused address you discovered from your sweep earlier. This is important as we will be using this address for our rogue DHCP server later.
Next we will create a network sub-interface on the Kali machine to be used as the default gateway to route our rogue DHCP clients through.
Set the IP address on the new eth0:1 interface to another currently unused ip address. Ideally we would like to use an address that a quick glance looks similar to the actual default route in order to obfuscate the change to anyone who might be looking. For example if the default route is 10.1.1.1 use 10.1.1.11 or if the default route is 10.1.1.254 use 10.1.1.251.
From here we will need to allow ip forwarding on our Kali machine, with the following command.
Note: The sub-interface and IP forwarding will disappear after a reboot.
Next we will need to set the default gateway for the eth0:1 sub-interface. The default gateway should be set to the network’s legitimate default gateway, 192.168.1.1 in our case. In addition to being the default gateway for our Kali machine, this default gateway will also function like a default route to any routable traffic coming into the 192.168.1.11 interface. This means any host that has 192.168.1.11 set as its default gateway will hit 192.168.1.11 and have its traffic immediately forwarded onto the legitimate gateway of 192.168.1.1 allowing us to sniff it as it passes through. By forwarding all of the traffic from our Kali based router to the legitimate router this keeps the users traffic flowing and none the wiser that they are under attack.
Issuing a route -n command will spit out the route table. A destination of 0.0.0.0 implies any unknown traffic should be sent to the gateway of 192.168.1.1. Also note under flags where it shows a UG, the G implies the default gateway.
In another Terminal window/tab load up the metasploit console. We will be using metasploit for its built-in dhcp module, which will act as our rogue DHCP server.
Issuing the show options command will give us a list of the optional and required options that we must set in order to run our rogue DHCP server.
The dhcpipend option is the last IP address that you want to use in your DHCP scope while dhcpipstart is the first IP address you want to use in the range. I set these to a block of unused IP addresses that I had discovered from my scan earlier. Next, you will want to set the dnsserver option to whatever the corp DNS server. If this was not set to the corp DNS server you may draw unwanted attention as web pages internal and external stop resolving to the unwitting clients using your rogue DHCP server. Next up we set the srvhost to our Kali machines local IP address of 192.168.1.10. We are required to set the netmask as well, I recommend setting this netmask to the same netmask of the legitimate network to avoid any routing or access list issues down the network. Finally, we set the router address, which will be the clients default gateway setting. This should be set to the IP address of the sub-interface we created on this Kali machine and is what allows for the man-in-the-middle attack.
When the options are set, issue the show options command again and your options should look something like mine below. Do not start the DHCP server at this time.
Before we kick off our attacks let’s take a look at what our legitimate DHCP server and a client look like. At this point the server only has 2 leases and the client has legitimate IP address information.
Open an additional Terminal window to be used for the DHCP starvation attack. In the terminal window issue the pig.py eth0:1 command, this starts the DHCP starvation attack consuming all of the legitimate DHCP servers available IP addresses.
If we take a look back at the legitimate DHCP server we can see that all of the leases have been consumed, except for those that previously existed.
Once pig completes switch back to the metasploit terminal window and execute the run command. This starts rogue DHCP server and any new clients connecting to the network will pull an address from your rogue DHCP server. Additionally because of our DHCP starvation attack you will have no competition from the legitimate DHCP server.
Once we introduce a new client to this environment it will pull its IP address information from our rogue DHCP server and all network traffic bound for the internet or another internal VLANs will transfer through our Kali machine.
At this point you can start to capture the traffic flowing from your rogue DHCP server clients as it passes through your Kali machine on its way to other networks. In my case, I used ettercap to capture some port 80 traffic coming from a victim machine.
Thanks for reading and feel free to check out part 1 of our Network Takedown series, CAM Table Overflow.