Execution Flow
1) Explore
[Determine Existing DHCP lease] An adversary observes network traffic and waits for an existing DHCP lease to expire on a target machine in the LAN.
Technique
- Adversary observes LAN traffic for DHCP solicitations
2) Experiment
[Capture the DHCP DISCOVER message] The adversary captures "DISCOVER" messages and crafts "OFFER" responses for the identified target MAC address. The success of this attack centers on the capturing of and responding to these "DISCOVER" messages.
Technique
- Adversary captures and responds to DHCP "DISCOVER" messages tailored to the target subnet.
3) Exploit
[Compromise Network Access and Collect Network Activity] An adversary successfully acts as a rogue DHCP server by redirecting legitimate DHCP requests to itself.
Technique
- Adversary sends repeated DHCP "REQUEST" messages to quickly lease all the addresses within the network's DHCP pool, forcing new DHCP requests to be handled by the rogue DHCP server.
Prerequisites
The adversary must have access to a machine within the target LAN which can send DHCP offers to the target.
Skills Required
The adversary must identify potential targets for DHCP Spoofing and craft network configurations to obtain the desired results.
Resources Required
The adversary requires access to a machine within the target LAN on a network which does not secure its DHCP traffic through MAC-Forced Forwarding, port security, etc.
Mitigations
Design: MAC-Forced Forwarding
Implementation: Port Security and DHCP snooping
Implementation: Network-based Intrusion Detection Systems
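An added illustration of the network-based detection mitigation, not part of the original entry: this Python example parses captured DHCP payloads and flags "OFFER"/"ACK" replies that come from a server outside an allow-list. The allow-list, the sample frames, the MAC address and all function names are constructed assumptions.

```python
import socket

MAGIC = b"\x63\x82\x53\x63"   # DHCP magic cookie after the 236-byte BOOTP header
OFFER, ACK = 2, 5             # option 53 values that only servers send

def parse_dhcp(payload):
    """Return (message_type, client_mac, server_id), or None if not DHCP."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        return None
    mac = payload[28:28 + min(payload[2], 16)].hex(":")  # chaddr, hlen bytes
    found, i = {}, 240
    while i < len(payload) and payload[i] != 255:        # 255 = end option
        if payload[i] == 0:                              # 0 = pad, no length byte
            i += 1
            continue
        if i + 1 >= len(payload):                        # truncated option header
            break
        length = payload[i + 1]
        found[payload[i]] = payload[i + 2:i + 2 + length]
        i += 2 + length
    mtype = found[53][0] if len(found.get(53, b"")) == 1 else None
    sid = socket.inet_ntoa(found[54]) if len(found.get(54, b"")) == 4 else None
    return mtype, mac, sid

def rogue_replies(frames, authorized):
    """Flag OFFER/ACK whose source IP or server identifier (option 54) is unlisted."""
    alerts = []
    for src_ip, payload in frames:
        mtype, mac, sid = parse_dhcp(payload) or (None, None, None)
        # A missing option 54 (sid is None) also fails the subset test.
        if mtype in (OFFER, ACK) and not {src_ip, sid} <= authorized:
            alerts.append((src_ip, sid, mac))
    return alerts

def sample(mtype, mac, server_ip=None):
    """Constructed payload: minimal BOOTP header plus options 53 and 54."""
    hdr = bytes([2 if mtype in (OFFER, ACK) else 1, 1, 6, 0]) + bytes(24)
    hdr += bytes.fromhex(mac.replace(":", "")) + bytes(202)   # pad to 236 bytes
    opts = bytes([53, 1, mtype])
    if server_ip:
        opts += bytes([54, 4]) + socket.inet_aton(server_ip)
    return hdr + MAGIC + opts + b"\xff"

AUTHORIZED = {"192.0.2.1"}               # assumed legitimate DHCP server
VICTIM = "02:00:00:00:00:0a"             # constructed client MAC
FRAMES = [("0.0.0.0", sample(1, VICTIM)),                       # DISCOVER
          ("192.0.2.1", sample(OFFER, VICTIM, "192.0.2.1")),    # legitimate
          ("192.0.2.66", sample(OFFER, VICTIM, "192.0.2.66"))]  # unlisted server
print(rogue_replies(FRAMES, AUTHORIZED))
```

Both the source IP and option 54 are set by the sender, so a check like this complements the trusted-port enforcement of DHCP snooping and does not replace it.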
Related Weaknesses
| CWE-ID | Weakness Name |
|---|---|
| | Improper Restriction of Communication Channel to Intended Endpoints: The product establishes a communication channel to (or from) an endpoint for privileged or protected operations, but it does not properly ensure that it is communicating with the correct endpoint. |
Submission
| Name | Organization | Date | Release Date |
|---|---|---|---|
| CAPEC Content Team | The MITRE Corporation | 2022-09-29 +00:00 | |