Spoofing Attacks – DHCP Server Spoofing

One of the Layer 2 attacks inside a LAN network that is very dangerous for information privacy and LAN integrity is spoofing attack.

This is special kind of attack where attacker can gain access to network traffic by spoofing responses that would be sent by a valid DHCP server. This attack is using a technique ARP spoofing, also called ARP cache poisoning or ARP poison routing (APR) that is a simple LAN attack technique. ARP spoofing will allow an attacker to intercept frames on a LAN, modify the traffic, stop the traffic or simply sniff all the traffic. This is possible because all the communication in LAN is now crossing attackers interface and this communication is vulnerable to packet sniffing.

But how is this done?

DHCP spoofing Client sending DHCP requestPicture 1 – Client sending DHCP request in order to receive IP configuration

In short words, Client PC is sending DHCP request on the network. This request is a broadcast and all host on the LAN will receive it. Only DHCP server knows what this request means and in the normal situation only the REAL DHCP server will reply to that request.

DHCP server is then replying to the Client with messages that will configure the host CLIENT PC with IP address, Subnet mask and Default Gateway.

When we have attacker PC in the network he will simulate DHCP server on his host PC. With this action he will be able to reply to DHCP request before the REAL DHCP server because it closer to the CLIENT host. It will configure the Client host with IP address of that subnet but it will also give to host false Default Gateway address and maybe even false DNS server address. DNS server address and Default Gateway address will both be IP address of Attacker computer. In this manner, he will point all the communication of the Client host to himself. Later he will make possible to forward the frames from Client host to real destinations in order to make communication of Client possible. Client will not know that his communication is always going across Attacker PC and that Attacker can easily sniff frames.

DHCP spoofing - false DHCP server configures Clients IP addressPicture 2 – DHCP spoofing – false DHCP server configures Clients IP address
As you see from picture, the DHCP spoofing device (attacker) is situated in the local area network, LAN. He has the possibility to reply to client DHCP requests before their request is been able to reach the real DHCP server. The legitimate server may also reply, but if the spoofing device is on the same segment as the client, its reply to the client will arrive first. The intruder DHCP reply offers an IP address and supporting information that designates the intruder as the default gateway or Domain Name System (DNS) server.
DHCP spoofing - All data going accross Attacker PCPicture 3 – DHCP spoofing – All data going accross Attacker PC to destination

In the case of a gateway, the clients then forward packets to the attacking device, which in turn, sends them to the desired destination. This is known as a man-in-the-middle attack, and it may be entirely undetected as the intruder intercepts the data flow through the network but is not stopping the network traffic.

Use ARP spoofing for something good? Yes!

ARP spoofing can also be used for good purposes. Very often we are being able to see wireless networks that are redirecting us to signup page when we want to access wireless LAN or internet access across this WiFi. So, network registration tools may redirect unregistered hosts to a signup page before allowing them full access to the network. It is mostly used in apartments, hotels and other sorts of networks to control the access of mobile devices to the Internet and sometimes make users pay for the Internet across special signup page. For that propose they are redirected using ARP spoofing to a device known as a head end processor (HEP).

ARP spoofing ca be used to implement redundancy of network services. A backup server may use ARP spoofing to take over for a server that has crashed and transparently offer redundancy.

One Response

  1. Said Rahim August 9, 2015

Leave a Reply