Name | DHCP Spoofing
Likelihood of attack | Low
Typical severity | High

Summary | An adversary masquerades as a legitimate Dynamic Host Configuration Protocol (DHCP) server by spoofing DHCP traffic, with the goal of redirecting network traffic or denying service to DHCP.
Prerequisites | The adversary must have access to a machine within the target LAN which can send DHCP offers to the target.
Execution Flow
Step | Phase | Description | Techniques
1 | Explore | [Determine Existing DHCP lease] An adversary observes network traffic and waits for an existing DHCP lease to expire on a target machine in the LAN. | Adversary observes LAN traffic for DHCP solicitations.
2 | Experiment | [Capture the DHCP DISCOVER message] The adversary captures "DISCOVER" messages and crafts "OFFER" responses for the identified target MAC address. The success of this attack centers on capturing and responding to these "DISCOVER" messages. | Adversary captures and responds to DHCP "DISCOVER" messages tailored to the target subnet.
3 | Exploit | [Compromise Network Access and Collect Network Activity] An adversary successfully acts as a rogue DHCP server by redirecting legitimate DHCP requests to itself. | Adversary sends repeated DHCP "REQUEST" messages to quickly lease all the addresses within the network's DHCP pool, forcing new DHCP requests to be handled by the rogue DHCP server.

Solutions |
- Design: MAC-Forced Forwarding
- Implementation: Port Security and DHCP snooping
- Implementation: Network-based Intrusion Detection Systems
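The three mitigations above share one enforcement idea: DHCP server messages (OFFER/ACK) are only legitimate when they enter the network from a known server location, and a single access port should not source a flood of distinct client addresses. The following is an added example, not CAPEC text or any vendor's DHCP snooping implementation. It parses raw DHCP payloads (the UDP data only) and applies a snooping-style trusted-port check, a NIDS-style Server Identifier (option 54) allowlist, and a port-security-style per-port client count that flags the pool-starvation pattern of step 3. Every packet, port name (`Gi1/0/…`), IP address and threshold is constructed for the demonstration.

```python
"""DHCP snooping-style audit over raw DHCP payloads (added example).

Each frame is (ingress_port, payload). OFFER/ACK are accepted only from
trusted ports with an allowlisted Server Identifier (option 54); client
DISCOVER/REQUEST messages are counted per port to spot pool starvation.
All packets, ports, addresses and thresholds are constructed.
"""
import struct
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 53, 54, 255
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5


def ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def build_dhcp(msg_type: int, chaddr: str, xid: int,
               yiaddr: str = "0.0.0.0", server_id: Optional[str] = None) -> bytes:
    """Build a minimal BOOTP/DHCP payload (constructed test input, not a real client)."""
    op = 2 if msg_type in (OFFER, ACK) else 1          # BOOTREPLY vs BOOTREQUEST
    mac = bytes.fromhex(chaddr.replace(":", ""))
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",   # 236-byte fixed header
                         op, 1, 6, 0, xid, 0, 0,
                         b"\0" * 4, ip_bytes(yiaddr), b"\0" * 4, b"\0" * 4,
                         mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    options = bytes([OPT_MSG_TYPE, 1, msg_type])
    if server_id is not None:
        options += bytes([OPT_SERVER_ID, 4]) + ip_bytes(server_id)
    return header + MAGIC_COOKIE + options + bytes([OPT_END])


def parse_dhcp(payload: bytes) -> Dict[str, object]:
    """Parse the fixed BOOTP header and the option TLVs; reject truncated input."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    hlen = payload[2]
    chaddr = ":".join(f"{b:02x}" for b in payload[28:28 + hlen])
    yiaddr = ".".join(str(b) for b in payload[16:20])
    options: Dict[int, bytes] = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        options[code] = value
        i += 2 + length
    msg_type = options[OPT_MSG_TYPE][0] if OPT_MSG_TYPE in options else None
    sid = options.get(OPT_SERVER_ID)
    server_id = ".".join(str(b) for b in sid) if sid and len(sid) == 4 else None
    return {"type": msg_type, "chaddr": chaddr, "yiaddr": yiaddr, "server_id": server_id}


def audit(frames: List[Tuple[str, bytes]], trusted_ports: Set[str],
          trusted_servers: Set[str], max_clients_per_port: int = 5) -> List[str]:
    """Return one alert string per policy violation seen in the frame list."""
    alerts: List[str] = []
    clients_per_port: Dict[str, Set[str]] = defaultdict(set)
    for port, payload in frames:
        msg = parse_dhcp(payload)
        if msg["type"] in (OFFER, ACK):
            # Snooping rule: server replies may only enter on trusted ports ...
            if port not in trusted_ports:
                alerts.append(f"rogue-server-port port={port} "
                              f"server_id={msg['server_id']} offered={msg['yiaddr']}")
            # ... and the allowlist catches an unknown server id even on a trusted port.
            elif msg["server_id"] not in trusted_servers:
                alerts.append(f"unknown-server-id port={port} server_id={msg['server_id']}")
        elif msg["type"] in (DISCOVER, REQUEST):
            # Port-security rule: many distinct client MACs from one access port
            # is the pool-starvation pattern (step 3 of the execution flow).
            clients_per_port[port].add(msg["chaddr"])
    for port, macs in clients_per_port.items():
        if len(macs) > max_clients_per_port:
            alerts.append(f"pool-starvation port={port} distinct_clients={len(macs)}")
    return alerts


def demo_frames() -> List[Tuple[str, bytes]]:
    """Constructed traffic: a legitimate exchange, a rogue offer, a starvation flood."""
    frames = [
        ("Gi1/0/5", build_dhcp(DISCOVER, "aa:bb:cc:00:00:01", 0x1001)),
        ("Gi1/0/48", build_dhcp(OFFER, "aa:bb:cc:00:00:01", 0x1001, "10.0.0.50", "10.0.0.1")),
        ("Gi1/0/7", build_dhcp(OFFER, "aa:bb:cc:00:00:01", 0x1001, "10.0.0.200", "10.0.0.66")),
    ]
    frames += [("Gi1/0/9", build_dhcp(REQUEST, f"de:ad:be:ef:00:{n:02x}", 0x2000 + n))
               for n in range(10)]   # ten REQUESTs from ten MACs on one access port
    return frames


if __name__ == "__main__":
    for alert in audit(demo_frames(), trusted_ports={"Gi1/0/48"}, trusted_servers={"10.0.0.1"}):
        print(alert)
```

The trusted-port check is the one that matters most: a rogue server that copies the real server's identifier still arrives on an access port, so the allowlist alone would miss it, which is why switch-level DHCP snooping is listed as the implementation control rather than a pure NIDS signature. Per-port client counting is a coarse stand-in for port security's MAC limit; tune `max_clients_per_port` to the actual number of hosts expected behind a port.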
Related Weaknesses
CWE ID | Description
CWE-923 | Improper Restriction of Communication Channel to Intended Endpoints

Related CAPECs
CAPEC ID | Description
CAPEC-94 | An adversary targets the communication between two components (typically client and server), in order to alter or obtain data from transactions. A general approach entails the adversary placing themselves within the communication channel between the two components.
CAPEC-158 | In this attack pattern, the adversary monitors network traffic between nodes of a public or multicast network in an attempt to capture sensitive information at the protocol level. Network sniffing applications can reveal TCP/IP, DNS, Ethernet, and other low-level network communication information. The adversary takes a passive role in this attack pattern and simply observes and analyzes the traffic. The adversary may precipitate or indirectly influence the content of the observed transaction, but is never the intended recipient of the target information.
CAPEC-194 | An adversary takes advantage of improper authentication to provide data or services under a falsified identity. The purpose of using the falsified identity may be to prevent traceability of the provided data or to assume the rights granted to another individual. One of the simplest forms of this attack would be the creation of an email message with a modified "From" field in order to appear that the message was sent from someone other than the actual sender. The root of the attack (in this case the email system) fails to properly authenticate the source and this results in the reader incorrectly performing the instructed action. Results of the attack vary depending on the details of the attack, but common results include privilege escalation, obfuscation of other attacks, and data corruption/manipulation.

Taxonomy: ATT&CK
Entry ID | Entry Name
1557.003 | Adversary-in-the-Middle: DHCP Spoofing