Flaws within the Dynamic Host Configuration Protocol
::::::::::::::::::::::::::::::::::::::::::::::::::::
This paper highlights some of the problems with the Dynamic Host Configuration Protocol (DHCP), such as denial of service, how to perform a man in the middle attack, and how to steal a machine's identity. Proof of concept source code is available from www.networkpenetration.com.
Overview of the Dynamic Host Configuration Protocol
:::::::::::::::::::::::::::::::::::::::::::::::::::
DHCP is used to automatically configure machines with an IP address so that hosts do not have to be statically assigned IP addresses. DHCP helps reduce administration, as a central server issues IP addresses to network cards upon request. DHCP also helps combat the shortage of IP version 4 addresses, as it allows more machines than there are available IP addresses. Most ISPs that have dial up access use DHCP to set a modem's IP address, as they assume that not every modem will be online at the same time.
Packet exchange for a client's interface to obtain an IP address
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
For a client's network interface card (NIC) to be assigned an IP address, various packets are exchanged between the NIC and the DHCP server. The packet exchange is as follows:
1. The client sends a DHCP discover packet, indicating that the client's interface requires an IP address from a DHCP server. The client's interface may ask the server for its previous IP address, which may cause problems for the man in the middle attack (explained later).
2. The server sends a DHCP offer packet, informing the client of what IP address is on offer. The IP address being offered may or may not be the one requested (if the interface asked for a specific IP address with the discover packet) depending on how busy the network is. If the network is busy then the IP address requested with the discover packet may have already been re-assigned to a different interface, thus a different IP address will be offered.
3. The client sends a DHCP request, informing the DHCP server that the client's NIC wishes to be assigned the IP address sent in the server's offer.
4. The server sends a DHCP ack, acknowledging that the NIC has sent a request for a specific IP address. At this point the client's interface assigns / binds the IP address from the DHCP server's offer packet in step two.
Once this sequence of packets has occurred, the client has been assigned an IP address and probably a default gateway and DNS server. Numerous options can be set by the DHCP server; for a full list consult the RFC documentation.
Denial of service attack
::::::::::::::::::::::::
By spoofing the client's packet exchange, an attacker can make a DHCP server happily give all the available leases to spoofed MAC addresses, thus causing a denial of service. Any machine wishing to join the network after the attack would not be allocated an IP address, as the whole of the DHCP range will have been allocated either to valid interfaces (i.e. interfaces already joined to the network before the attack took place) or to spoofed MAC addresses (from the attack). Any interface already joined to the network would not notice the effect of the attack, as it has already been assigned an IP address, but interfaces without an IP address would not be able to join the network as the DHCP server will have no available IP addresses.
Some DHCP servers issue ARP requests or ICMP pings to detect IP addresses that may be reclaimed by the server. This is done because operating systems / interfaces do not release their assigned IP address when shut down. In basic testing, the denial of service code successfully defeated the ARP method of reclaiming IP addresses (the ICMP method was not tested), as the number and speed of requests for IP addresses was significantly higher than the number of ARP requests issued by the DHCP server (when running multiple copies of the source code in a script). The source code could be extended to sniff for ARP requests / ICMP ping requests and reply accordingly, thus defeating the server's method of reclaiming addresses.
A Windows 2000 machine running DHCP with Active Directory sends a packet at boot up to check that it is the only DHCP server on the network. If it is the only DHCP server then it is authorised and allowed to act as a DHCP server. Further investigation is required to see if this can be reversed to deny a Windows 2000 DHCP server from starting.
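A defender can spot the lease exhaustion described above by watching how many client hardware addresses each access port asks leases for. The following detector is an added example, not code from this paper or its proof of concept; the record layout (timestamp, port, frame source MAC, DHCP chaddr), the port names and the thresholds are assumptions.

```python
from collections import defaultdict, deque

def find_starvation(events, window=10.0, max_clients=5):
    """Flag access ports that request leases for too many hardware addresses.

    events: time-ordered (timestamp, port, frame_src_mac, chaddr) tuples, one per
    DHCP DISCOVER/REQUEST seen by a sensor (hypothetical record layout).
    Returns {port: {"burst_at": ts or None, "mismatches": n}} for suspicious ports.
    """
    recent = defaultdict(deque)            # port -> (ts, chaddr) inside the window
    report = {}
    for ts, port, frame_src, chaddr in events:
        seen = recent[port]
        seen.append((ts, chaddr))
        while ts - seen[0][0] > window:    # expire entries older than the window
            seen.popleft()
        burst = len({mac for _, mac in seen}) > max_clients
        mismatch = frame_src != chaddr     # payload claims a MAC the frame did not use
        if burst or mismatch:
            entry = report.setdefault(port, {"burst_at": None, "mismatches": 0})
            if burst and entry["burst_at"] is None:
                entry["burst_at"] = ts     # first moment the port crossed the limit
            entry["mismatches"] += mismatch
    return report

def sample_events():
    """Constructed sample: three ordinary clients, then one port cycling 20 MACs."""
    normal = [(float(t), "port1", mac, mac) for t, mac in
              ((0, "00:00:5e:00:53:01"), (30, "00:00:5e:00:53:02"),
               (60, "00:00:5e:00:53:03"))]
    flood = [(61 + i * 0.1, "port7", "00:00:5e:00:53:aa", "02:00:00:00:00:%02x" % i)
             for i in range(20)]
    return normal + flood

if __name__ == "__main__":
    for port, info in find_starvation(sample_events()).items():
        print(port, info)
```

The burst check still fires when the frame source MAC is spoofed together with chaddr, which is why it is kept separate from the mismatch count.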
Rogue DHCP server
:::::::::::::::::
By setting up a rogue DHCP server, a hacker could create a veritable playground for him/herself. The DHCP protocol can help a hacker redirect traffic through their machine (man in the middle attack) or send users to false web pages (via a rogue DNS server). This is possible because a DHCP server can set various options, such as which IP address to use for the default gateway and which DNS servers to use.
Man in the middle attack
::::::::::::::::::::::::
When a rogue DHCP server is started, the real DHCP server and the rogue server will fight to assign an interface an IP address. If the rogue server wins, the interface could be assigned a different default gateway. By assigning a different default gateway (i.e. a hacker's machine), all outgoing packets would be sent via the hacker's machine and are thus sniffable. The machine acting as the default gateway would need to rewrite the MAC layer to enable the packets to be forwarded to the correct destination (i.e. the correct default gateway).
How the man in the middle attack works
::::::::::::::::::::::::::::::::::::::
The source code grabs an IP address from the DHCP server using the same method as the denial of service, but instead of stealing all the IP addresses only one IP address is stolen. A rogue DHCP server is then started and listens for a client to send a discovery packet to the broadcast address. The rogue server and the valid server then both send an offer packet (the rogue server issues the IP address stolen at the start of the attack, to ensure that no IP address conflicts occur), and whichever reaches the client first determines which server the client uses. If the client uses the valid DHCP server then the man in the middle attack will fail. If the client uses the rogue DHCP server the man in the middle attack will succeed.
A couple of problems with the man in the middle attack
::::::::::::::::::::::::::::::::::::::::::::::::::::::
One problem with the DHCP man in the middle attack is that it may not work on a small network. The attack may not work if the NIC's request for its old IP address is fulfilled. If the normal DHCP server can fulfil the request for the specified IP address, the NIC will be assigned the previous IP address and not the one from the rogue server. The only way a rogue server can assign IP addresses is if the requested IP address is not available on the normal DHCP server (i.e. the address has been re-allocated to another interface). The rogue server would not be able to fulfil the NIC's initial request, as the rogue server's address range is based on stolen addresses from the normal DHCP server and is unlikely to contain the IP address requested. If a rogue server issued a requested IP address to any NIC that wanted it, problems would occur on the network as multiple machines may have the same IP address.
Another problem with the attack is that it would only be a one way attack, as the default gateway assigned by the rogue DHCP server is not the real default gateway. The fake gateway would need to sniff the packets and rewrite the MAC layer to enable the packets to be sent to the correct default gateway. The problem would occur with packets being sent from the correct default gateway back to the attacked machine, as the packets would not pass through the rogue gateway and thus cannot be sniffed. This basically means that all outgoing traffic can be sniffed and all incoming traffic can't.
A full man in the middle attack can be established using programs such as Dsniff and Ettercap which both utilise ARP poisoning to establish the man in the middle attack.
Exploiting DHCP to trick users into using a fake DNS server
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
As mentioned above, a DHCP server can tell an interface which DNS server to use, so specifying a hacker's machine running a fake DNS server could make obtaining usernames, passwords and credit card numbers relatively easy. The fake DNS server would point, for example, www.hotmail.com to the hacker's IP address, so as long as the hacker has a convincing copy of hotmail's front page the username and password could be easily stolen.
Stealing a machine's identity
:::::::::::::::::::::::::::::
Many servers that use DHCP get re-assigned the same IP address every time they request an IP address. A list of MAC addresses (maintained by the administrator) is used to re-assign the same IP address to a specific MAC address. By spoofing the MAC address of a specific machine and requesting the corresponding IP address, a machine's identity can be stolen. For this to occur the target machine needs to be DoSed, and the packet exchange (to steal the identity) has to take place before the machine is rebooted. If successful, the target machine's IP address will be given to the hacker, and with a bit of ARP trickery (replying to ARP requests) that state should be maintained.
Man in the middle attack a machine on a small network (noisy method)
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
1) Denial of service a machine on the network, try using jolt2.
2) Before the machine reboots, steal the IP address it was allocated so that it has to request a new address.
3) Start a rogue DHCP server, and hope that it wins the fight to assign the client's IP address.
Recommendations
:::::::::::::::
Deploy switches (not hubs) and ensure that MAC spoofing is not allowed on them.
Use the DHCP protocol monitor (Snort IDS plug-in) to identify possible rogue servers.
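The rogue server check in the second recommendation comes down to comparing each server reply with what the site's real DHCP server is supposed to hand out. The sketch below is an added example, not the Snort plug-in and not code from this paper; the policy addresses are documentation values chosen for illustration, and the input is assumed to be the UDP payload of a captured DHCP reply.

```python
import ipaddress

MAGIC = b"\x63\x82\x53\x63"   # DHCP magic cookie that precedes the options
OFFER, ACK = 2, 5             # option 53 (message type) values only servers send

def parse_options(payload):
    """Return {option code: raw value} for a BOOTP/DHCP UDP payload, else None."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        return None
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:   # 255 = end option
        if payload[i] == 0:                         # 0 = pad, has no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            return None                             # truncated option header
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            return None                             # truncated option value
        opts[payload[i]] = value
        i += 2 + length
    return opts

def addrs(raw):
    """Decode a packed list of IPv4 addresses (options 3, 6 and 54)."""
    return {str(ipaddress.IPv4Address(raw[j:j + 4])) for j in range(0, len(raw) - 3, 4)}

def audit_reply(payload, policy):
    """Check options 54 (server id), 3 (router), 6 (DNS) of an OFFER/ACK against policy."""
    opts = parse_options(payload)
    if not opts or opts.get(53, b"")[:1] not in (bytes([OFFER]), bytes([ACK])):
        return []
    findings = []
    for code, key in ((54, "servers"), (3, "routers"), (6, "dns")):
        extra = addrs(opts.get(code, b"")) - policy[key]
        if extra:
            findings.append((key, sorted(extra)))
    return findings

def sample_reply(msg_type, server, router, dns):
    """Constructed sample: zeroed 236-byte BOOTP header plus four options."""
    opts = bytes([53, 1, msg_type]) + b"".join(
        bytes([code, 4]) + ipaddress.IPv4Address(ip).packed
        for code, ip in ((54, server), (3, router), (6, dns)))
    return bytes([2]) + bytes(235) + MAGIC + opts + b"\xff"

# Assumed site policy (documentation addresses, not taken from the paper)
POLICY = {"servers": {"192.0.2.1"}, "routers": {"192.0.2.254"}, "dns": {"192.0.2.53"}}
```

A reply that names an unlisted server identifier, gateway or DNS server yields one finding per mismatching option, covering both the default gateway and the fake DNS variants described earlier.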