https://charlesreid1.com/w/index.php?action=history&feed=atom&title=MITM%2FRogue_DHCPMITM/Rogue DHCP - Revision history2026-06-20T16:11:08ZRevision history for this page on the wikiMediaWiki 1.39.12https://charlesreid1.com/w/index.php?title=MITM/Rogue_DHCP&diff=30695&oldid=prevAdmin at 03:25, 20 June 20262026-06-20T03:25:29Z<p></p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 03:25, 20 June 2026</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l28">Line 28:</td>
<td colspan="2" class="diff-lineno">Line 28:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>* maintain connection to trusted DHCP</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>* maintain connection to trusted DHCP</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>* identification of new DHCP servers</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>* identification of new DHCP servers</div></td></tr>
<tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;"></ins></div></td></tr>
<tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;"></ins></div></td></tr>
<tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">=Flags=</ins></div></td></tr>
<tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;"></ins></div></td></tr>
<tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">{{MITMFlag}}</ins></div></td></tr>
</table>Adminhttps://charlesreid1.com/w/index.php?title=MITM/Rogue_DHCP&diff=30694&oldid=prevAdmin: Created page with "A rogue DHCP server attack involves an attacker setting up their own DHCP server and responding to DHCP requests before the local DHCP server, thus controlling the DHCP process. Abused handshake procedure: * Client to DHCP server: DHCP discover (broadcast) <--- this step is same as before * Rogue DHCP server to Client: DHCP offer (unicast) <--- rogue DHCP server responds first * Client to Rogue DHCP server: DHCP request (broadcast) * Rogue DHCP server to Client: DHCP ac..."2026-06-20T03:25:19Z<p>Created page with "A rogue DHCP server attack involves an attacker setting up their own DHCP server and responding to DHCP requests before the local DHCP server, thus controlling the DHCP process. Abused handshake procedure: * Client to DHCP server: DHCP discover (broadcast) <--- this step is same as before * Rogue DHCP server to Client: DHCP offer (unicast) <--- rogue DHCP server responds first * Client to Rogue DHCP server: DHCP request (broadcast) * Rogue DHCP server to Client: DHCP ac..."</p>
<p><b>New page</b></p><div>A rogue DHCP server attack involves an attacker setting up their own DHCP server and responding to DHCP requests before the local DHCP server, thus controlling the DHCP process.<br />
<br />
Abused handshake procedure:<br />
* Client to DHCP server: DHCP discover (broadcast) <--- this step is same as before<br />
* Rogue DHCP server to Client: DHCP offer (unicast) <--- rogue DHCP server responds first<br />
* Client to Rogue DHCP server: DHCP request (broadcast)<br />
* Rogue DHCP server to Client: DHCP ack (unicast)<br />
<br />
Why is this useful?<br />
<br />
This type of attack gives you total control over the network configuration of a sheep. This makes it easy to do what you'd like - sniff traffic, tamper with traffic, or create a denial of service. As an example, suppose a sheep and a rogue DHCP are on the same network, 192.168.10.X. The sheep sends out a DHCP request packet, broadcast to all ports. The rogue DHCP responds. The DHCP request is sent from the sheep, and the rogue DHCP server responds with an acknowledgement and assigns the following network configuration:<br />
<br />
<pre><br />
IP Address: 10.10.10.101<br />
Subnet Mask: 255.255.255.0<br />
Default Routers: 10.10.10.1<br />
DNS Servers: 192.168.10.4, 192.168.10.5<br />
Lease Time: 10 day<br />
</pre><br />
<br />
What's wrong with this picture?<br />
* First, the IP address and default routers are a different set of IP addresses than the rest of the network. This means the attacker is performing a denial of service on the entire IP layer.<br />
* The attacker is the gateway, meaning all network traffic to and from the client passes through the attacker.<br />
* The attacker is the DNS server, meaning they can monitor and/or tamper with DNS requests from the client, and redirect them to, e.g., fake versions of various websites.<br />
<br />
Countermeasures: <br />
* DHCP snooping<br />
* maintain connection to trusted DHCP<br />
* identification of new DHCP servers</div>Admin