Rogue DHCP server

Another effective attack that is possible once an attacker and victim share the same wireless network is the deployment of a rogue DHCP server to service clients. The attacker will attempt to get their targets to acquire an address from them rather than from the legitimate DHCP server on the network. DHCP, or Dynamic Host Configuration Protocol, is a popular method of handing out IP addresses from a pool of addresses to clients that connect to the network. It eliminates the need to statically configure IP addresses on every client, which is impractical on segments where clients join and leave the network frequently, and impossible in public hotspots or other guest wireless scenarios.

DHCP works in a broadcast-and-response fashion: a client connecting to a network sends a request for an IP address via DHCPDISCOVER and DHCPREQUEST, and the DHCP server responds with the addressing information via DHCPOFFER and DHCPACK (acknowledgement). This exchange is neither authenticated nor encrypted between the client and the server, and since it is initiated as a broadcast, every client connected to the same network can hear the initial request for an IP address.

This is where our attacker comes in. DHCP typically assigns several attributes to the connecting client, such as the IP address, default gateway, and DNS servers. Occasionally, DHCP will also assign WINS servers, NTP servers, or even the location from which a connecting client should pull its boot image or configuration file. This makes DHCP a service that can be critical for an attacker looking to initiate a man-in-the-middle attack. If you control DHCP, you can assign connecting clients a fake default gateway, such as your own address, or DNS servers that you control or that host malicious software.

When a new client comes on the network and requests attributes from DHCP, it accepts only the first response it receives, which creates a race condition between the attacker and the legitimate DHCP server on the network. However, if this attack is preceded by a DHCP starvation attack against the legitimate DHCP server, that server may have no IP addresses left to hand out and will be unable to respond to the connecting client, increasing the effectiveness of your rogue DHCP server attack.

For this example, we will return to Kali and the Ettercap application that was installed in the previous ARP poisoning example. Follow these steps:

  1. Launch Ettercap in the graphical format using:
    # ettercap -G
    
  2. Choose Sniff | Unified Sniffing… as seen in the following screenshot:
    [Screenshot: Rogue DHCP server]
  3. From the menu, choose Mitm | DHCP Spoofing…
    [Screenshot: Rogue DHCP server]

    The following dialog box appears where we will populate the information that will be served up to clients pulling network information from our DHCP server:

    [Screenshot: Rogue DHCP server]

    This information will be unique to your wireless network and will require a little reconnaissance to determine what each value should be. For this example, the provided information is described as follows:

    • IP Pool: This field takes the range of IP addresses that will be handed out to connecting clients. Enter the IP network in dot-decimal notation, with the last octet giving the hosts to assign: the first host, a dash, and the final host. In the preceding example, 192.168.0.50 will be the first host assigned and 192.168.0.55 the last. This value is noted as optional; if no pool is defined, the client will get its address from the legitimate DHCP server on the network. Since a client accepts an address only from the first DHCP server that responds, it is recommended that you define a pool of IP addresses.
    • Netmask: The network mask can be determined from the Mask attribute shown by ifconfig on your Kali host. This is also entered into Ettercap in dot-decimal notation. The preceding example is a Class C 255.255.255.0 mask, or /24 in CIDR notation.
    • DNS Server: This can either be the legitimate DNS server that is assigned to clients through DHCP, or you can put a rogue DNS server in this field. Further attacks on DNS will be discussed later in this chapter. For this example, we will use the DNS server assigned from the wireless router's DHCP server.
  4. After you click OK, Ettercap will start the rogue DHCP server on your host and the output will be displayed in the status box.
    [Screenshot: Rogue DHCP server]

Ettercap will then listen for DHCP messages from clients that are attempting to obtain an IP address from the DHCP server. When it receives one of these requests, it responds with a DHCPOFFER containing an IP address from the defined pool, the DNS servers specified by the attacker, and the attacker's IP address in place of the real default gateway. If the offer is accepted, the client will send all traffic destined for the default gateway, and therefore its Internet-bound traffic, through the attacker's computer. Return traffic from the real gateway still goes directly to the victim, so the attacker is inserted only into the victim's outbound flow of traffic.

[Screenshot: Rogue DHCP server]

With the default gateway on the victim set to the attacker and Ettercap set up to capture traffic that is then forwarded to the gateway, sensitive information can be gathered through the Unified Sniffing capabilities.

[Screenshot: Rogue DHCP server]

The preceding graphic shows the DHCP request from the client and Ettercap sending the fake acknowledgement with the hope that it wins the race condition and the client will accept its DHCP offer, thus providing the client with the bogus default gateway and DNS information.
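As an added defender-side example (not code from this book or from Ettercap), the following Python decodes the options of a captured DHCPOFFER/DHCPACK and flags exactly the conditions described above: a server identifier that is not the known DHCP server, a router option that is not the real gateway, or DNS servers outside the expected set. The trusted-server, gateway and DNS values, and the build_offer helper that constructs the sample packets, are assumptions for illustration.

```python
import ipaddress

OPT_ROUTER, OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 3, 6, 53, 54, 255  # RFC 2132 codes
MSG_TYPES = {2: "DHCPOFFER", 5: "DHCPACK"}
MAGIC_COOKIE = b"\x63\x82\x53\x63"

def parse_dhcp_options(payload: bytes) -> dict:
    """Return {code: raw value} from a DHCP message (payload starts at the BOOTP op byte)."""
    # 236-byte fixed BOOTP header, then the 4-byte magic cookie, then TLV options
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(payload) and payload[i] != OPT_END:
        if payload[i] == 0:  # pad option has no length byte
            i += 1
            continue
        length = payload[i + 1]
        opts[payload[i]] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def to_ips(raw: bytes) -> list:
    """Decode a concatenated list of 4-byte IPv4 addresses (empty bytes -> [])."""
    return [str(ipaddress.IPv4Address(raw[k:k + 4])) for k in range(0, len(raw), 4)]

def check_offer(payload, trusted_servers, expected_gateway, expected_dns) -> list:
    """Flag an OFFER/ACK whose server, router or DNS option deviates from site policy."""
    opts = parse_dhcp_options(payload)
    mtype = opts.get(OPT_MSG_TYPE, b"\x00")[0]
    if mtype not in MSG_TYPES:
        return []  # DISCOVER/REQUEST are client-originated; nothing to judge
    findings = []
    server = to_ips(opts.get(OPT_SERVER_ID, b""))
    if not server or server[0] not in trusted_servers:
        findings.append(f"{MSG_TYPES[mtype]} from untrusted server {server}")
    routers = to_ips(opts.get(OPT_ROUTER, b""))
    if routers and routers[0] != expected_gateway:
        findings.append(f"router option {routers[0]} != expected {expected_gateway}")
    dns = to_ips(opts.get(OPT_DNS, b""))
    if dns and not set(dns) <= set(expected_dns):
        findings.append(f"DNS option {dns} outside expected {expected_dns}")
    return findings

def build_offer(server: str, router: str, dns: list) -> bytes:
    """Constructed sample DHCPOFFER (test input only): BOOTP header zeroed except op=2."""
    pack = lambda ip: ipaddress.IPv4Address(ip).packed
    opt = lambda code, data: bytes([code, len(data)]) + data
    body = (opt(OPT_MSG_TYPE, b"\x02") + opt(OPT_SERVER_ID, pack(server))
            + opt(OPT_ROUTER, pack(router)) + opt(OPT_DNS, b"".join(map(pack, dns))))
    return b"\x02" + bytes(235) + MAGIC_COOKIE + body + bytes([OPT_END])
```

In practice the payload would come from the UDP data of port 67/68 traffic captured on the segment; an offer whose server identifier is not the known DHCP server is the earliest signal that a rogue server is racing the legitimate one.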
