MITM/Rogue DHCP
From charlesreid1
A rogue DHCP server attack involves an attacker setting up their own DHCP server and responding to DHCP requests before the local DHCP server, thus controlling the DHCP process.
Abused handshake procedure:
- Client to DHCP server: DHCP discover (broadcast) <--- this step is the same as in the normal handshake
- Rogue DHCP server to client: DHCP offer (unicast) <--- the rogue DHCP server responds first
- Client to rogue DHCP server: DHCP request (broadcast)
- Rogue DHCP server to client: DHCP ack (unicast)
Why is this useful?
This type of attack gives you total control over the network configuration of a sheep. This makes it easy to do what you'd like - sniff traffic, tamper with traffic, or create a denial of service. As an example, suppose a sheep and a rogue DHCP server are on the same network, 192.168.10.X. The sheep broadcasts a DHCP discover packet to all ports. The rogue DHCP server responds first with an offer, the sheep sends its DHCP request, and the rogue DHCP server responds with an acknowledgement that assigns the following network configuration:
- IP address: 10.10.10.101
- Subnet mask: 255.255.255.0
- Default routers: 10.10.10.1
- DNS servers: 192.168.10.4, 192.168.10.5
- Lease time: 10 days
What's wrong with this picture?
- First, the IP address and default routers are a different set of IP addresses than the rest of the network. This means the attacker is performing a denial of service on the entire IP layer.
- The attacker is the gateway, meaning all network traffic to and from the client passes through the attacker.
- The attacker is the DNS server, meaning they can monitor and/or tamper with DNS requests from the client, and redirect them to, e.g., fake versions of various websites.
Countermeasures:
- DHCP snooping
- maintain a connection to a trusted DHCP server
- identification of new DHCP servers appearing on the network
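The last two countermeasures amount to checking every server-to-client DHCP message against what the network is supposed to hand out. As an added example (not code from the original page), the Python below parses a raw BOOTP/DHCP reply, pulls out the server identifier, offered address, gateway and DNS options, and flags anything that deviates from an assumed site policy; the policy values, the function names and the sample packet built with `build_reply` (which reproduces the configuration from the example above) are assumptions, not captured traffic.

```python
import struct
from ipaddress import IPv4Address, ip_network
MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie that follows the fixed 236-byte BOOTP header
# Assumed site policy (not from the page): the legitimate server, gateway and resolver on the LAN.
POLICY = {"subnet": ip_network("192.168.10.0/24"), "servers": {"192.168.10.1"},
          "gateways": {"192.168.10.1"}, "dns": {"192.168.10.2"}}

def _ips(raw: bytes) -> list:  # split an option value into dotted IPv4 strings, four bytes each
    return [str(IPv4Address(raw[i:i + 4])) for i in range(0, len(raw), 4)]

def parse_dhcp(payload: bytes) -> dict:
    """Extract the BOOTP fields and options that a snooping check needs from a UDP/DHCP body."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP payload")
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:  # 255 = end of options
        if payload[i] == 0:                         # 0 = pad byte, carries no length
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": payload[0], "yiaddr": str(IPv4Address(payload[16:20])),  # 2 = BOOTREPLY; offered address
            "msg_type": opts.get(53, b"\x00")[0],                             # 2 = OFFER, 5 = ACK
            "server_id": _ips(opts[54])[0] if 54 in opts else None,
            "routers": _ips(opts.get(3, b"")), "dns": _ips(opts.get(6, b""))}

def check_reply(payload: bytes, policy=POLICY) -> list:
    """Policy findings for one server-to-client DHCP message; an empty list means it looks legitimate."""
    p = parse_dhcp(payload)
    if p["op"] != 2 or p["msg_type"] not in (2, 5):
        return []                                   # only OFFER and ACK carry a configuration
    findings = [f"untrusted gateway {r}" for r in p["routers"] if r not in policy["gateways"]]
    findings += [f"untrusted DNS server {d}" for d in p["dns"] if d not in policy["dns"]]
    if p["server_id"] not in policy["servers"]:
        findings.append(f"untrusted DHCP server identifier {p['server_id']}")
    if IPv4Address(p["yiaddr"]) not in policy["subnet"]:
        findings.append(f"offered address {p['yiaddr']} is outside {policy['subnet']}")
    return findings

def build_reply(msg_type: int, yiaddr: str, server_id: str, routers: list, dns: list) -> bytes:
    """Construct a minimal BOOTREPLY (op=2, Ethernet hwtype) for testing: a sample, not captured traffic."""
    pk = lambda ip: IPv4Address(ip).packed
    # header fields: op, htype, hlen, hops, xid, secs, flags | ciaddr | yiaddr | siaddr | giaddr..file
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, 0x3903F326, 0, 0) + bytes(4) + pk(yiaddr) + pk(server_id) + bytes(212)
    opt = lambda code, data: bytes([code, len(data)]) + data
    return (hdr + MAGIC + opt(53, bytes([msg_type])) + opt(54, pk(server_id)) + opt(3, b"".join(map(pk, routers)))
            + opt(6, b"".join(map(pk, dns))) + opt(51, struct.pack("!I", 10 * 86400)) + b"\xff")  # 10-day lease

# Constructed sample: the offer from the text (10.10.10.x address, attacker as gateway, attacker-chosen DNS).
ROGUE_OFFER = build_reply(2, "10.10.10.101", "10.10.10.1", ["10.10.10.1"], ["192.168.10.4", "192.168.10.5"])
```

`check_reply(ROGUE_OFFER)` returns five findings (gateway, both DNS servers, server identifier, out-of-subnet address), while an offer built from the policy values, e.g. `build_reply(2, "192.168.10.57", "192.168.10.1", ["192.168.10.1"], ["192.168.10.2"])`, returns none.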