CAPEC-697 Detail
DHCP Spoofing
Abstraction: Standard
Domains of Attack: Social Engineering, Software, Hardware
Likelihood of Attack: Low
Typical Severity: High
Parents: 194
An adversary masquerades as a legitimate Dynamic Host Configuration Protocol (DHCP) server by spoofing DHCP traffic, with the goal of redirecting network traffic or denying service to DHCP.
DHCP is broadcast to the entire Local Area Network (LAN) and has no form of authentication by default, so it is susceptible to spoofing. An adversary with access to the target LAN can receive DHCP messages, obtaining the topology information required to manipulate other hosts' network configurations. To improve the likelihood that the DHCP request is serviced by the rogue server, an adversary can first starve the legitimate server's DHCP pool.
| External ID | Source | Link | Description |
|---|---|---|---|
| CAPEC-697 | capec | https://capec.mitre.org/data/definitions/697.html | |
| CWE-923 | cwe | http://cwe.mitre.org/data/definitions/923.html | |
| T1557.003 | ATTACK | https://attack.mitre.org/wiki/Technique/T1557/003 | Adversary-in-the-Middle: DHCP Spoofing |
| REF-737 | reference_from_CAPEC | https://pentera.io/blog/dhcp-spoofing-101 | Yuval Lazar, DHCP Spoofing 101, 2021-11-03, Pentera |
| REF-738 | reference_from_CAPEC | https://www.rfc-editor.org/rfc/rfc4562.html | T. Melsen, S. Blake (Ericsson), RFC 4562: MAC-Forced Forwarding: A Method for Subscriber Separation on an Ethernet Access Network, 2006-06, The Internet Society |
| REF-739 | reference_from_CAPEC | https://www.mcafee.com/blogs/other-blogs/mcafee-labs/dhcp-client-remote-code-execution-vulnerability-demystified/ | Bosco Sebastian, DHCP Client Remote Code Execution Vulnerability Demystified, 2019-08-02, McAfee |
Explore
- Determine Existing DHCP Lease: An adversary observes network traffic and waits for an existing DHCP lease to expire on a target machine in the LAN.
| Techniques |
|---|
| Adversary observes LAN traffic for DHCP solicitations. |
Experiment
- Capture the DHCP DISCOVER message: The adversary captures "DISCOVER" messages and crafts "OFFER" responses for the identified target MAC address. The success of this attack centers on capturing and responding to these "DISCOVER" messages.
| Techniques |
|---|
| Adversary captures and responds to DHCP "DISCOVER" messages tailored to the target subnet. |
Exploit
- Compromise Network Access and Collect Network Activity: An adversary successfully acts as a rogue DHCP server by redirecting legitimate DHCP requests to itself.
| Techniques |
|---|
| Adversary sends repeated DHCP "REQUEST" messages to quickly lease all the addresses within the network's DHCP pool, forcing new DHCP requests to be handled by the rogue DHCP server. |
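The Experiment and Exploit steps above leave two observable traces on the LAN: an OFFER carrying a server identifier that is not one of the approved DHCP servers, and a burst of DISCOVER messages from many distinct client hardware addresses while the pool is being starved. The following is an added example, not CAPEC's or MITRE's code, of a passive monitor that parses the BOOTP/DHCP layout from RFC 2131 and flags both traces; this is the same decision a switch's DHCP snooping feature makes per port. The packets, the allowlist `ALLOWED_SERVERS`, and the `STARVATION_THRESHOLD` are constructed for this example.

```python
"""Flag rogue DHCP OFFERs and DISCOVER floods from a list of DHCP payloads."""
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"          # option-field cookie (RFC 2131)
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
ALLOWED_SERVERS = {"192.0.2.1"}           # assumed legitimate DHCP server(s)
STARVATION_THRESHOLD = 5                  # distinct client MACs per observation window


def parse_dhcp(payload: bytes) -> dict:
    """Parse the fixed 236-byte BOOTP header and the TLV option list."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    op, _htype, hlen, _hops, xid = struct.unpack("!BBBBI", payload[:8])
    yiaddr = ".".join(str(b) for b in payload[16:20])
    chaddr = payload[28:28 + hlen].hex(":")
    options, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 0:                     # pad option, single byte
            i += 1
            continue
        if code == 255:                   # end option
            break
        length = payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    msg_type = options.get(53, b"\x00")[0]
    server_id = options.get(54)           # option 54: server identifier
    return {
        "op": op, "xid": xid, "yiaddr": yiaddr, "chaddr": chaddr,
        "type": MSG_TYPES.get(msg_type, str(msg_type)),
        "server_id": ".".join(str(b) for b in server_id) if server_id else None,
    }


def find_rogue_offers(packets, allowed_servers=ALLOWED_SERVERS):
    """Return (xid, server_id, chaddr) for each OFFER from a non-approved server."""
    rogue = []
    for p in packets:
        m = parse_dhcp(p)
        if m["type"] == "OFFER" and m["server_id"] not in allowed_servers:
            rogue.append((m["xid"], m["server_id"], m["chaddr"]))
    return rogue


def detect_starvation(packets, threshold=STARVATION_THRESHOLD) -> bool:
    """True when DISCOVERs in the window come from at least `threshold` distinct MACs."""
    macs = {parse_dhcp(p)["chaddr"] for p in packets
            if parse_dhcp(p)["type"] == "DISCOVER"}
    return len(macs) >= threshold


def build_dhcp(msg_type: int, xid: int, client_mac: str,
               yiaddr="0.0.0.0", server_ip="0.0.0.0") -> bytes:
    """Construct a minimal DHCP message (sample data for this example only)."""
    ip = lambda s: bytes(int(o) for o in s.split("."))
    mac = bytes.fromhex(client_mac.replace(":", ""))
    op = 2 if msg_type in (2, 5, 6) else 1               # BOOTREPLY vs BOOTREQUEST
    hdr = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0)
    hdr += bytes(4) + ip(yiaddr) + ip(server_ip) + bytes(4)   # ciaddr..giaddr
    hdr += mac + bytes(16 - len(mac)) + bytes(64) + bytes(128)  # chaddr, sname, file
    opts = DHCP_MAGIC + bytes([53, 1, msg_type])
    if op == 2:
        opts += bytes([54, 4]) + ip(server_ip)
    return hdr + opts + bytes([255])


# Constructed capture: one DISCOVER, a legitimate OFFER, and a competing OFFER
# for the same transaction from an unapproved server, plus a DISCOVER burst.
SAMPLE_PACKETS = [
    build_dhcp(1, 0x1234ABCD, "aa:bb:cc:dd:ee:01"),
    build_dhcp(2, 0x1234ABCD, "aa:bb:cc:dd:ee:01", "192.0.2.50", "192.0.2.1"),
    build_dhcp(2, 0x1234ABCD, "aa:bb:cc:dd:ee:01", "192.0.2.200", "192.0.2.66"),
] + [build_dhcp(1, 0x1000 + n, f"02:00:00:00:00:{n:02x}") for n in range(6)]

if __name__ == "__main__":
    print("rogue offers:", find_rogue_offers(SAMPLE_PACKETS))
    print("starvation suspected:", detect_starvation(SAMPLE_PACKETS))
```

In a real deployment the payloads would come from a packet capture on the DHCP server's VLAN; the allowlist should be the set of server identifiers the network actually provisions, and the starvation window should be short (a few seconds), since legitimate DHCP traffic from many new clients is rare outside of boot storms.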
Prerequisites
- The adversary must have access to a machine within the target LAN which can send DHCP offers to the target.
- The adversary requires access to a machine within the target LAN on a network which does not secure its DHCP traffic through MAC-Forced Forwarding, port security, etc.
Skills Required
| Skill Level | Description |
|---|---|
| Medium | The adversary must identify potential targets for DHCP Spoofing and craft network configurations to obtain the desired results. |
Consequences
| Scope | Impact |
|---|---|
| Integrity | Modify Data, Execute Unauthorized Commands |
| Availability | Resource Consumption |
| Access Control | Modify Data, Execute Unauthorized Commands |
| Confidentiality | Read Data |
Example Instances
- In early 2019, Microsoft patched a critical vulnerability (CVE-2019-0547) in the Windows DHCP client which allowed remote code execution via crafted DHCP OFFER packets. [REF-739]