Elliot is a savvy techie who works at Price Wright
Corporation. This morning, his routine seemed all too normal. He arrived at
work at 9am sharp, filled his mug with coffee and started to chat with his
colleagues. As he chatted away, the back of his mind was running with a
technical sequence he planned to execute.
In Elliot’s backpack, he brought a specially configured Raspberry
Pi that would do his bidding. The fifth floor of Price Wright Corporation was
under construction. No one was on this floor. This is where he would find a
port to plug in the router. He sneaks away from the conversation he was having,
and proceeds to execute his plan.
At his cubicle, he remotely checks to see if his plan
worked. The Raspberry Pi should have already run the necessary configurations.
1. DHCP Starvation Attack – Kali is running on the
Raspberry Pi. A script on this OS would begin the process to flood Price Wright
Corporation’s DHCP server with fake DHCP requests. The DHCP server would no
longer be able to hand out IP addresses at this point.
2. Rogue DHCP Server – Then the Kali box would
supplant the DHCP server. All devices would then be requesting IP address
information from Kali. That includes the DNS server and default gateway
information.
3. Man in the Middle – End clients would have their
traffic rerouted because their IP addressing is owned. Traffic would be forwarded to
a MITM server acting as a proxy to the internet. All traffic would then be visible to
Elliot. The network would be considered owned.
When Elliot logs into the remote server that traffic was to be
forwarded to, he finds no forwarded traffic. After troubleshooting, he finds
out the Kali box was denied DHCP server status.
In this scenario, the DHCP starvation attack is thwarted by
a concept called DHCP snooping. When DHCP snooping is applied, switch ports are
able to restrict the type of DHCP data that is forwarded through them.
DHCP negotiation is remembered by the acronym DORA –
Discover, Offer, Request, and Acknowledgement. Discover and request traffic is
sent by machines requesting IP address information, while the offer and
acknowledgement traffic is DHCP server traffic. The DHCP server traffic should
only come from the appropriate DHCP server. DHCP snooping restricts ports that
should not have DHCP server traffic running through them. This was the case for
Price Wright Corporation.
DHCP snooping was enabled for Price Wright Corporation, which
restricted the Kali box from acting as the DHCP server. Their environment only
allowed DHCP server traffic coming from the access port of the main DHCP
server, the trunk link to the switch of the fault-tolerant server, and the
access port of the fault-tolerant DHCP server.
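The per-port decision described above can be sketched as a small model. This is an added example, not code from the original post or from any switch vendor; the port names, MAC addresses, IP addresses, the request cap of 5 and the `SnoopingSwitch` class are all assumptions made for illustration.

```python
from collections import defaultdict

CLIENT_MSGS = {"DISCOVER", "REQUEST"}  # sent by hosts asking for an address
SERVER_MSGS = {"OFFER", "ACK"}         # should only come from the real DHCP server

class SnoopingSwitch:
    def __init__(self, trusted_ports, rate_limit=5):
        self.trusted = set(trusted_ports)  # ports facing legitimate DHCP servers
        self.rate_limit = rate_limit       # assumed cap on client messages per port per window
        self.counts = defaultdict(int)     # untrusted port -> client messages this window
        self.disabled = set()              # ports shut down after exceeding the cap
        self.pending = {}                  # client MAC -> port it asked from
        self.bindings = {}                 # client MAC -> (leased IP, port)

    def handle(self, port, msg_type, client_mac, ip=None):
        """Return 'forward' or 'drop' for one DHCP message received on `port`."""
        if port in self.disabled:
            return "drop"
        if msg_type in SERVER_MSGS:
            if port not in self.trusted:
                return "drop"              # server traffic from an untrusted port
            if msg_type == "ACK" and client_mac in self.pending:
                self.bindings[client_mac] = (ip, self.pending.pop(client_mac))
            return "forward"
        if msg_type not in CLIENT_MSGS:
            return "drop"
        if port not in self.trusted:
            self.counts[port] += 1
            if self.counts[port] > self.rate_limit:
                self.disabled.add(port)    # flood of requests: shut the port
                return "drop"
        self.pending[client_mac] = port
        return "forward"

def run_demo():
    # Constructed sample traffic: port names, MACs and IPs are made up.
    sw = SnoopingSwitch(trusted_ports={"Gi0/1"})
    mac = "aa:aa:aa:aa:aa:01"
    results = [
        sw.handle("Gi0/10", "DISCOVER", mac),
        sw.handle("Gi0/1", "OFFER", mac, "10.0.0.50"),
        sw.handle("Gi0/10", "REQUEST", mac),
        sw.handle("Gi0/1", "ACK", mac, "10.0.0.50"),
        sw.handle("Gi0/24", "OFFER", mac, "192.168.1.2"),  # unauthorized server
    ]
    flood = [sw.handle("Gi0/24", "DISCOVER", f"de:ad:00:00:00:{i:02x}") for i in range(8)]
    return sw, results, flood

if __name__ == "__main__":
    sw, results, flood = run_demo()
    print(results, flood, sw.bindings, sw.disabled)
```

The binding table built from acknowledged leases is what lets the switch tie each leased address back to a physical port.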
Although there are malicious reasons rogue DHCP servers
enter the environment, it is also very likely to be an accident by an employee.
Sometimes employees bring in a router to have more accessible ports, and when
it’s plugged into the company network, the router acts as a DHCP server. The
intent isn’t malicious if done by accident. It was an unknowing mistake.
Routers by default become a DHCP server when plugged into a network. If
computers decide to use this DHCP server, they won’t be able to talk to the
network. The accident would cause a denial of service (DoS).