Comments on: R00Ting Public WiFi Networks: DHCP Name Poisoning Attacks

By: Ben

Ben — Wed, 06 Feb 2008 15:28:03 +0000

What is the usage of the 2nd script?

python test.py DHCPspoof (then what?)

Thanks

By: pdp

pdp — Wed, 30 Jan 2008 07:55:10 +0000

bb, Jason’s script is nice and simple but I cannot make it work on windows with scapy. Hmmm…

Shoaib, yes of course, and I doubt that you will see these kind of stuff in some massive attack outbreaks. Though, it is a technique to keep in mind when you do pentest/security audit.

By: Shoaib Yousuf

Shoaib Yousuf — Wed, 30 Jan 2008 04:37:18 +0000

pdp,

Very good and interesting post. Excellent researched and well explained.

I don’t think so we will see this type of attack vectors in wild for quite some time.

But you never know. Definitely by knowing this we are ahead of bad guys though.

Cheers
Shoaib

By: bb

bb — Wed, 30 Jan 2008 02:46:08 +0000

No success with the first script.

I guess that i’m meant to use scapy :P It was presented to me a couple of months ago because of a work for college and since then it appeared to me as a very useful tool on a situation or another.

Anyway, tks Jason, it works fine to me.

By: pdp

pdp — Tue, 29 Jan 2008 17:10:52 +0000

Jason, this is awesome. Wasn’t aware that scapy supports BOOTP. Ok, ok, I will test your version to see how it works. 10x.

By: Jason Macpherson

Jason Macpherson — Tue, 29 Jan 2008 17:00:01 +0000

I'm also getting error 61. Tried many different mac address formats with no success. "addOptionValue: unknown format for code (61) at t.pl line 15" So I coded up my own version of your tool using Scapy.

#!/usr/bin/env python

from scapy import *

def usage():
   print "Usage: DHCPspoof  <ip> <name>"
   sys.exit(1)

if len(sys.argv) != 3:
   usage()

requested_ip = sys.argv[1]
requested_name = sys.argv[2]

interface = conf.route.route(requested_ip)[0]
localmac = get_if_hwaddr(interface)
localip = get_if_addr(interface)

print("Sending DHCPREQUEST")

ether = Ether(src="00:00:00:00:00:00", dst="ff:ff:ff:ff:ff:ff")
ip = IP(src="0.0.0.0", dst="255.255.255.255")
udp = UDP(sport=68, dport=67)
bootp = BOOTP(chaddr=localmac, xid=0x11033000)
dhcpOptions = DHCP(options=[('message-type', 'request'), ('hostname', requested_name), ('requested_addr', requested_ip), ('end')])

packet = ether/ip/udp/bootp/dhcpOptions
sendp(packet)



By: pdp
pdp — Tue, 29 Jan 2008 07:53:13 +0000
bb, it is not an error. It is a warning. You can happily ignore it or you can patch the DHO_DHCP_CLIENT_IDENTIFIER variable at the top of the t.pl script.



By: bb
bb — Mon, 28 Jan 2008 21:49:06 +0000
Same error code to me (61), even using the MAC address format without dashes and semicolons.
I’m using Net::DHCP 0.66v.



By: Inking’s Blog » DHCP/mDNS Injection Issues
Inking’s Blog » DHCP/mDNS Injection Issues — Sun, 27 Jan 2008 10:18:01 +0000
[...] the previous post Iâ€™ve talked about how someone can poison local name servers (nasty things like registering a [...]



By: DHCP/mDNS Injection Issues | GNUCITIZEN
DHCP/mDNS Injection Issues | GNUCITIZEN — Sun, 27 Jan 2008 09:30:15 +0000
[...] Injection Issues published: January 27th, 2008 In the previous post I’ve talked about how someone can poison local name servers (nasty things like [...]



By: pdp
pdp — Sat, 26 Jan 2008 20:40:20 +0000
DHO_DHCP_CLIENT_IDENTIFIER is a bug in the Net::DHCP library. The MAC address format is without dashes and semicolons: 0123456789ab



By: ikkuhqhp
ikkuhqhp — Sat, 26 Jan 2008 20:35:57 +0000
How is the tool used? It complains code 61 (=DHO_DHCP_CLIENT_IDENTIFIER) Neither of 01:23:45:67:89:ab and 01-23-45-67-89-ab work.



By: RobotSkirts » Blog Archive » R00Ting Public WiFi Networks: DHCP Name Poisoning Attacks
Sat, 26 Jan 2008 00:48:14 +0000
[...] R00Ting Public WiFi Networks: DHCP Name Poisoning Attacks Register any short name you want as yourself. [...]



By: pdp
pdp — Fri, 25 Jan 2008 18:43:31 +0000
this assumption is based entirely on my personal experience. but it sort of observed on setups where a single box handles the DHCP and the DNS traffic. This kind of setup is very typical for various devices most of which are in fact WiFi routers. This is the reason why I mentioned WiFi, exclusively, in the title of this post.



By: dude
dude — Fri, 25 Jan 2008 18:38:07 +0000
“Many networks/routers will happily take that name and use it as part of their DNS service,”
I’m not so sure that this assumption is as widespread as it may seem.  Do yo have any data or perhaps just sample data points from your personal experience with this?



By: pdp
pdp — Fri, 25 Jan 2008 14:27:27 +0000
Wladimir, yes. You are right. However, I believe that this type of attack is less severe. Here is why:


You have to host your own DHCP server which means that you need to dedicate your own resources.
You need to respond quicker which is not usually a problem but still...
You need to host your own DNS which again is a problem.
You will affect only clients that renew/release their IPs. Although, I think you might be able to force the client to change their IP in some conditions.


The DHCP Name Poisoning Attack is a lot stealthier. Once the domain is cached it will stay there for usually 5 days, depending how the attacked DHCP and DNS services are configured. Sometimes you can map names to external IP ranges. You don't need dedicated DHCP server for that. You don't have to host your own DNS. You don't have to be quicker. And you don't have to wait.

All the attackers need to do, is to poison the DHCP/DNS services. This can be achieved with a single UDP packet as described above.


By: Wladimir Palant
Wladimir Palant — Fri, 25 Jan 2008 14:18:56 +0000
While that approach is interesting of course, the attacker is way more likely to send a fake DHCP response - that will allow him to specify his own DNS server. If he manages to respond faster than the real DHCP server, he will take control of all the name resolution and not just one name. That’s a common problem on networks, people installing Linux that comes pre-configured with a DHCP server service - they manage to take down the network (or at least some machines) without even noticing.



By: pdp
pdp — Fri, 25 Jan 2008 14:16:12 +0000
Arthur, precisely! The only difference here is that the attacker does not have to do anything fancy like poisoning the cache of a DNS server or messing with installing a secondary DHCP on a local network which will only work for clients that renew/release their IP addresses.

The attack will work flawlessly by simply registering the wpad domain.


By: Arthur
Arthur — Fri, 25 Jan 2008 14:10:15 +0000
This is pretty similar to the idea of dns posioning or wins poisioning leading to fun with names such as wpad.
http://www.robertjbrown.com/20.....etect.html