DHCP Spoof

For an Intro to Networking and Computer I/O class, I worked on a project to explore penetration testing. Rather than setting up our own network in the real world, we decided to make this more repeatable by creating a virtual network with Mininet. My portion of the project focused on DHCP spoofing.

Senario: An evil host near the client in the network triest to respond to DHCP requests faster than the real DHCP server and point hosts to its own DNS server allowing it to point people to phishing sites.

Goal: prevent such an attack. Methods experimented with:

• Block all but the correct DHCP packets on switches with ebtables

• On the client use dhclient's anycast-mac option to only send the DHCP packets only to the real DHCP server

• Setup the network manually (not really a solution)

Running

On Arch Linux, install needed packages:

 sudo pacman -S busybox dhclient dnsmasq ettercap iptables ebtables python2-dnslib python2-ipy bridge-utils
 packer -S mininet

Make sure Mininet is functioning properly by verifying 0% packets dropped:

 sudo mn --switch lxbr --controller none --test pingall

Run DHCP Spoof:

 sudo python2 dhcp_spoof.py wlp2s0 0

If it ever exits without cleaning everything up, just run:

sudo mn -c

Note: If you use this on anything other than Arch Linux, you'll likely have to tweak the code.

Code

• Code based upon this example

• NAT code, modified to make it work on my system

• DNSChef used as the evil DNS server

References

• Provides insight into creating per-process mounts

• Relation between iptables and ebtables

• Where I first learned everything about networking and iptables

• How to use ebtables for MAC anti-spoofing rules

• Potential tool for alternate DHCP starving for a counter-attack

• Information about preventing MITM attacks