DHCP Attacks and Defense Strategies

Captions
Hey, welcome back to the channel, everybody. This is Kevin, and in this week's video we're going to take a look at how an attacker might launch a DHCP attack against our network. For example, they might flood our DHCP server with a bunch of DHCP Discover broadcast messages, to the point where they've depleted the pool of IP addresses that our server was going to be handing out. We're going to see how they might launch that attack and how to protect ourselves from that attack, and also we'll see how to protect ourselves from a rogue DHCP server being added to the network. This video content is from our upcoming Certified Ethical Hacker course, and please do not use any of this knowledge in any unauthorized way. The demos in this video are performed on a local network that I have which is isolated from the rest of my network. And if you enjoy this content, please do me a favor: click the like button down below, subscribe, and click the bell notification so you'll know when we release our next video. Now join me as we take a look at DHCP attacks.

In this video we want to consider a couple of DHCP attacks, but first let's review the operation of DHCP. DHCP allows an endpoint like a laptop or a smartphone to dynamically obtain an IP address and associated information such as a subnet mask, a default gateway, and a DNS server. The way it works: when a device comes up (consider Laptop A on screen), it's going to send out a Discover broadcast saying, "Hey, are there any DHCP servers out there?" And if on that subnet we have one or more DHCP servers, they will all respond with an Offer message saying, "Yes, I'm a DHCP server, feel free to use me for your IP address needs." So it's going to respond with an Offer. Now, a couple of things to note here. Number one, when that Discover broadcast went out, did you notice what happened when it went down to the router from Switch 1? It was dropped. A broadcast does not travel through a router. That's going to be an issue for Laptop B in a moment, but currently Laptop A is on the same subnet as the DHCP server, so we're all good there. Also, I want you to know that this back-and-forth process we're doing is a four-step process, and I want to give you a memory aid for that. We've already had the Discover, which is the broadcast. The Offer message came back to the MAC address that sent out that Discover frame. The laptop gets that Offer, and now we can direct the Request using unicast directly to 192.168.1.2 in this case, and it says, "Yes, I would like to request IP address information." And then the DHCP server sends that IP address information inside of an Acknowledgement message. Now here's the memory aid I wanted to give you, and you see Laptop A just got assigned 192.168.1.100 with a 24-bit subnet mask. Notice the four steps: Discover, Offer, Request, Acknowledgement. The memory aid I'd like to offer you is Dora the Explorer. Now, when my daughters were little they used to watch that Nickelodeon show Dora the Explorer, with Map and Backpack, if you remember that. Well, I think of Dora whenever I think of DHCP, because that spells out each of the messages in this exchange. The D in Dora reminds me of the D in Discover, the O in Dora reminds me of the O in Offer, R reminds me of Request, and A reminds me of Acknowledgement. D-O-R-A: Discover, Offer, Request, Acknowledgement.

But now let's consider Laptop B. It does not have a DHCP server on its subnet, so when it sends out its Discover broadcast, what's going to happen? Well, that broadcast is going to be dropped by the router. How do we fix that? Well, we can configure that router as a DHCP relay agent. Sometimes people call that an IP helper configuration. With that configuration in place, when the router receives very specific broadcast frames, including DHCP, it says, "Oh yeah, I'm going to forward this to a configured destination." So we go into the router and we configure it to forward those broadcasts to 192.168.1. So the Discover broadcast goes into the router, it gets converted into a unicast going out to the server, and it comes back with the Offer message. Now Laptop B can communicate with that DHCP server saying, "Yes, I would like to request IP address information," and the server responds with that information, and Laptop B in this case is assigned an IP address of 172.16.1.100. And that's the operation of DHCP, the Dynamic Host Configuration Protocol.

Now let's consider how an attacker might attack DHCP, because that DHCP server has only got so many IP addresses to hand out. It's called a pool of addresses. Now, it might have a pool for one subnet and another pool for another subnet, but it's a finite number of IP addresses. What if the attacker requested a bunch of IP addresses from the corporate DHCP server? It could deplete that pool and starve out any other clients trying to get IP address information, because the attacker consumed all of them. And I'm going to show you in a moment a demo using a utility called Yersinia that comes built in with Kali Linux, where the attacker can send out a DHCP Discover broadcast, and then another, and another. It can send out hundreds and thousands of these DHCP Discover messages, and it can allocate all of the IP addresses available in that pool from the DHCP server. Once that corporate DHCP server is no longer of any use, somebody coming onto the network, like the victim's laptop on screen, would not be able to get IP address information from the DHCP server. So what an attacker might do at this point is introduce their own server, a rogue DHCP server. Now when the victim's laptop sends out that Discover message saying, "Hey, are there any DHCP servers out there?" it's only going to be answered by the rogue DHCP server, because the corporate DHCP server is out of IP addresses. And that rogue DHCP server might have told the victim to go to a specific DNS server to look up a name, and that could be a rogue DNS server. We could be redirecting users to an authentication page that looks like the normal authentication page that they would use on a day-to-day basis, but it's really a page that the attacker set up. We could have them go to the attacker's machine as their default gateway, so the attacker could capture that traffic and then forward it on so the victim did not suspect anything. But here the victim's laptop might be sent down to the attacker, who forwards it out to the internet. That's definitely a concern.

The question is, how do we prevent this from happening? Well, the first thing we want to do is called port security. With port security we can limit the number of MAC addresses (and we discussed this in a prior video), but we can limit the number of MAC addresses appearing on a single port. That's one thing we could do. That way, on that port that the attacker connects into, as they're trying to send out their thousands of DHCP Discover broadcasts, each of which is using a different MAC address, it's not going to be allowed, because they will very quickly reach their maximum number of allowed MAC addresses on that port, and they will be unable to starve out that DHCP server. But still we have an issue. Even without depleting the pool of IP addresses from the corporate DHCP server, because we've enabled port security, the attacker could still introduce their own rogue DHCP server, because a percentage of the time that rogue DHCP server is going to respond with an Offer message before the legitimate corporate DHCP server responds. So in a case like that (and it will happen a percentage of the time, depending on network conditions, depending on how busy the corporate DHCP server is), a percentage of the time the rogue DHCP server is going to be handing out IP address information even though we did not starve out the corporate DHCP server.

How do we address that? Well, I'm going to show you in this video how to turn on a feature called DHCP snooping, where the switch (and I'm going to be using a Cisco Catalyst switch) can snoop, it can eavesdrop in on the exchange of DHCP information, and we can say which ports are trusted and untrusted. A trusted port will allow a DHCP Offer message to come into that port. So I'm only going to allow the port coming from our legitimate DHCP server to receive an Offer message; that's going to be trusted. Everything else is going to be untrusted. That way, when the victim sends out that Discover broadcast saying, "Hey, are there any DHCP servers out there?" the rogue server is going to come back with its Offer and it's going to be dropped, because it's going into an untrusted port, while the victim's laptop (and by the way, they're no longer a victim now) is going to accept the appropriate Offer message from the corporate DHCP server. So let's go out to our live gear, see how an attacker might launch such an attack, and how we can protect ourselves by configuring both port security and DHCP snooping.

Here we're sitting on a router, R1, in this topology, and router R1 is configured as a DHCP server. We can see if it's handed out any IP addresses by doing a show ip dhcp binding command, and it's handed out a few. We can see how many addresses it can hand out by doing a show ip dhcp pool command, and it says we've currently leased three addresses, but we have 100 available to give out. Oh, by the way, if you're curious how I set up a Cisco router as a DHCP server, let me show you that really quickly. I'll do a show run, pipe, section dhcp, and here I'm excluding a couple of ranges of addresses, which only allows me to give out 100 addresses. I give this ip dhcp relay information trust-all command, and that command is going to be required for DHCP snooping to work appropriately for us later on in this demo. And then I create a pool, or a scope, of IP addresses. I'm giving out addresses in this network; here's my default gateway; here's my DNS server. Oh, and you can ignore this one. This line came from an interface that's not part of my server configuration; I was just telling one of my interfaces to get its IP address via DHCP, so that's not part of the server configuration.

Let's go over to Wireshark, and I'm going to filter for just DHCP messages, and let's start. We'll just be capturing those DHCP messages. And let's go over to Kali Linux. I'll get logged in and open up a terminal, and I'm going to be firing up Yersinia. I'll do sudo yersinia, space, minus capital G, and the minus capital G lets it run in graphical mode, and I'll say OK, I'm fine with the alpha version. Let me maximize this. And I want to launch an attack from Yersinia where I'm going to be sending out just a bunch of DHCP Discover broadcasts. So I'm going to say Launch attack, I'll click the DHCP tab, and I want to send Discover packets, and notice this is checked under DoS, because we're launching a denial-of-service attack. We're going to deny DHCP services from the legitimate DHCP server by using up all of its IP addresses. I'm going to say OK, and just like that we're starting to send; we've already sent thousands of packets out. I'm going to say List attacks, and I'll stop that attack. That should have been sufficient. Let's go over to router R1 and see how many addresses it has now. If I do a show ip dhcp pool, look at this: it says that I have given out 99 addresses, and the reason it says 99 instead of 100 is that one of the IP addresses in that range was already assigned to a device, so it didn't want to create a conflict. But we're out; we have no more addresses to assign. In fact, I can do a show ip dhcp binding, and we can see all of those different bindings that have been set up. Yikes. What an attacker could do now is add their DHCP server to the network, and clients trying to get IP address information would get it from the rogue DHCP server, possibly receiving dangerous information as part of that IP address information. Let's go over and take a look at Wireshark, and we see all these Discover messages that we received during that very brief attack. We sent thousands of Discover messages in just a few seconds.

Now let's fix this issue that we're dealing with. First I'm going to clear out all the bindings on my DHCP server. I'll say clear ip dhcp binding *. Now if I do a show ip dhcp pool, I have no leased addresses. Now, I do have a couple of legitimate endpoints that have IP address information that they had already been assigned. Let me renew those. I'll do a renew DHCP lease, and here's another machine; I'll renew my lease. Now let's see if router R1 knows about any bindings. Yeah, those are the two machines that I just refreshed and got my DHCP lease from. Now let's set up port security over on switch SW1. First let's take a look at the MAC address table as it exists right now. We're probably about to fill up the MAC address table on this switch, if we haven't already. Let's do a show mac address-table, and we just have page after page after page of dynamic MAC addresses. So let's clear that out. Let's say clear mac address-table dynamic; the dynamically learned MAC addresses, let's clear those out. Now when I do my show mac address-table it should be a lot tamer than it was a moment ago. That looks good. Now let's set up port security. I'm going to go into global configuration mode on our switch, and I'm going to set this up for all of my ports, all 10 ports. I'll say interface range gigabit 0/1 - 10. And I've not turned on port security yet. I like to set up my parameters before turning it on, because when I first turn on port security it limits me to a single MAC address, so I might be shut down before I even get it set up. So I want to set up all the parameters before turning it on. For all of these ports I'm going to say the switchport mode is access; you have to be an access port to use port security. I'll say switchport port-security maximum, the number of IP addresses, or rather MAC addresses, is going to be, let's say, five. And I'll say switchport port-security violation: what are we going to do in response to a violation, when we go over five MAC addresses? Well, I could say protect, which is going to allow the five that are allowed (the first five, unless I specify them), but it's not going to make a record of it; it's not going to notify anything; it's not going to increment a counter. Restrict is very similar to protect, but it will increment a counter that we'll see. Shutdown is the default, and it's very aggressive. It says if there's a violation, something's up, we need to shut this port down, and so we do. I'm going to set it to something a bit tamer than shutdown; I'll set it to restrict. Now I'll turn on port security: switchport port-security, Enter. So it is now turned on. I can say show port-security, and we can see the MAC addresses learned off of our different ports.

Let's go back to Kali Linux and launch that attack again. Stop and restart our packet capture so we can see all those Discover broadcasts once again. I'll say Launch attack, sending a bunch of Discover packets, OK. We'll give it a few seconds; that should be long enough. List attacks, let's stop it, quit. How does Wireshark look? Yeah, look at that, hundreds or thousands of Discover messages. Have we depleted our pool? Let's do a show ip dhcp binding and see. No, not at all. Look at that: those are the two that we learned earlier. If I do a show ip dhcp pool, I've only given out a couple of addresses, so things are looking good there. Now if I go over to my switch, you're going to see that there have been some port security violations going on. Let's do a show port-security again, and we'll see that on Gig 0/2 we learned the maximum number of MAC addresses, it's five, but look, we had over four thousand violations. But it protected us from those violations. Excellent.

But even with port security in place, we still have an issue where an attacker might attach their own DHCP server to the network, and a percentage of the Offers coming back to the client that was just added to the network are going to come from that rogue DHCP server. Let's prevent that from happening, adding a layer of security by enabling DHCP snooping. I'm going to say that I only trust port Gig 0/1 on this switch, because that's connected to my legitimate DHCP server. So let's go into global configuration mode, and I'll go into interface gig 0/1. I'll say I want this to be trusted; I'll turn that on before I actually enable DHCP snooping: ip dhcp snooping trust. Then in global configuration mode I'll turn on DHCP snooping, ip dhcp snooping, and then I want to enable it for VLAN 1. All my ports belong to VLAN 1. Now if I say show ip dhcp snooping, you can see that we're trusting Offer messages coming in from GigabitEthernet 0/1. Now I'm going to renew my DHCP lease on those two machines again here in the background. All right, those are renewed now, and the reason I wanted to renew them is I want to show you something else that DHCP snooping is doing. Not only is it blocking Offer messages coming in on untrusted ports, it's actually building a table. It's building a mapping table of IP addresses and MAC addresses and what ports they belong off of. Let me show you. I'm going to do a show ip dhcp snooping binding command, and for those two machines whose leases I just renewed, look at that: we see their MAC address, their IP address, their interfaces. And that's important, because it can be used by another feature that we're going to discuss in our next video. It's called Dynamic ARP Inspection, and that's going to be able to drop any ARP replies that are not consistent with the information that's in this table. But we'll go ahead and wrap up this video, where we've seen how to protect ourselves from a DHCP starvation attack and from the addition of a rogue DHCP server.
Info
Channel: Kevin Wallace Training, LLC
Views: 3,313
Keywords: ethical hacker, ethical hacking, certified ethical hacker, ceh, cehv11, cisco, CCNA, CCNP, Cisco Security, 200-301, 350-401, CCNP Enterprise, #kwtrain
Id: 4yuT5KR7TRc
Length: 19min 20sec (1160 seconds)
Published: Wed Sep 22 2021