1. Home
  2. Techniques
  3. Enterprise
  4. Adversary-in-the-Middle
  5. DHCP Spoofing

Adversary-in-the-Middle: DHCP Spoofing

ID Name
T1557.001 LLMNR/NBT-NS Poisoning and SMB Relay
T1557.002 ARP Cache Poisoning
T1557.003 DHCP Spoofing

Adversaries may redirect network traffic to adversary-owned systems by spoofing Dynamic Host Configuration Protocol (DHCP) traffic and acting as a malicious DHCP server on the victim network. By achieving the adversary-in-the-middle (AiTM) position, adversaries may collect network communications, including passed credentials, especially those sent over insecure, unencrypted protocols. This may also enable follow-on behaviors such as Network Sniffing or Transmitted Data Manipulation.

DHCP is based on a client-server model and has two functionalities: a protocol for providing network configuration settings from a DHCP server to a client and a mechanism for allocating network addresses to clients.[1] The typical server-client interaction is as follows:

  1. The client broadcasts a DISCOVER message.

  2. The server responds with an OFFER message, which includes an available network address.

  3. The client broadcasts a REQUEST message, which includes the network address offered.

  4. The server acknowledges with an ACK message and the client receives the network configuration parameters.

Adversaries may spoof as a rogue DHCP server on the victim network, from which legitimate hosts may receive malicious network configurations. For example, malware can act as a DHCP server and provide adversary-owned DNS servers to the victimized computers.[2][3] Through the malicious network configurations, an adversary may achieve the AiTM position, route client traffic through adversary-controlled systems, and collect information from the client network.

Rather than establishing an AiTM position, adversaries may also abuse DHCP spoofing to perform a DHCP exhaustion attack (i.e. Service Exhaustion Flood) by generating many broadcast DISCOVER messages to exhaust a network’s DHCP allocation pool.

ID: T1557.003
Sub-technique of:  T1557
Platforms: Linux, Windows, macOS
Contributors: Alex Spivakovsky, Pentera
Version: 1.0
Created: 24 March 2022
Last Modified: 18 April 2022

Mitigations

ID Mitigation Description
M1037 Filter Network Traffic

Consider filtering DHCP traffic on ports 67 and 68 to/from unknown or untrusted DHCP servers. Furthermore, consider enabling DHCP snooping on layer 2 switches as it will prevent DHCP spoofing attacks and starvation attacks. Additionally, port security may also be enabled on layer switches. Consider tracking available IP addresses through a script or a tool.
M1031 Network Intrusion Prevention

Network intrusion detection and prevention systems that can identify traffic patterns indicative of AiTM activity can be used to mitigate activity at the network level.[4]

Detection

ID Data Source Data Component
DS0015 Application Log Application Log Content
DS0029 Network Traffic Network Traffic Content
Network Traffic Flow

Monitor network traffic for suspicious/malicious behavior involving DHCP, such as changes in DNS and/or gateway parameters. Additionally, monitor Windows logs for Event IDs (EIDs) 1341, 1342, 1020 and 1063, which specify that the IP allocations are low or have run out; these EIDs may indicate a denial of service attack.[4][5]

References

  1. Droms, R. (1997, March). Dynamic Host Configuration Protocol. Retrieved March 9, 2022.
  2. Irwin, Ullrich, J. (2009, March 16). new rogue-DHCP server malware. Retrieved January 14, 2022.
  3. Symantec. (2009, March 22). W32.Tidserv.G. Retrieved January 14, 2022.
  1. Microsoft. (2006, August 31). DHCP Server Operational Events. Retrieved March 7, 2022.
  2. Shoemaker, E. (2015, December 31). Solution: Monitor DHCP Scopes and Detect Man-in-the-Middle Attacks with PRTG and PowerShell. Retrieved March 7, 2022.