The Hacker Recipes
GitHubTwitterDonate
Search…
Introduction
Active Directory
Reconnaissance
Movement
Credentials
MITM and coerced auths
ARP poisoning
DNS spoofing
DHCP poisoning
DHCPv6 spoofing
WSUS spoofing
LLMNR, NBT-NS, mDNS spoofing
ADIDNS poisoning
WPAD spoofing
MS-EFSR abuse (PetitPotam)
MS-RPRN abuse (PrinterBug)
MS-FSRVP abuse (ShadowCoerce)
PushSubscription abuse
WebClient abuse (WebDAV)
🛠️ NBT Name Overwrite
🛠️ ICMP Redirect
🛠️ Living off the land
NTLM
Kerberos
Access controls
Group policies
Built-in groups
Domain settings
🛠️ Trusts
Netlogon
Certificate Services (AD-CS)
Exchange services
Print Spooler Service
Persistence
Web services
Reconnaissance
Configuration
Accounts and sessions
User inputs
Systems & services
Reconnaissance
Movement
Privilege escalation
Pivoting
🛠️ Physical
Locks
Networking
Machines
Super secret zones
🛠️ Intelligence gathering
CYBINT
OSINT
GEOINT
🛠️ RADIO
RFID
Bluetooth
Wi-Fi
Wireless keyboard/mouse
🛠️ binary exploitation
Use-after-free
Buffer overflow
🛠️ mobile apps
Android
iOS
Powered By GitBook
DHCP poisoning

Theory

When a workstation reboots or plugs into a network, a broadcast DHCP request is emitted. It's goal is to ask for network settings like an IPv4 address.
Windows uses several custom DHCP options such as NetBIOS, WINS, WPAD settings. When a workstation sends a DHCP request to get its networking settings, these additional settings can be included in the DHCP answer to facilitate straightforward connectivity and name resolution. (Laurent Gaffié)
DHCP's option 252 provides Windows machines with a WPAD configuration. An attacker able to answer broadcast DHCP queries faster than the legit DHCP server can inject any network setting on the requesting client.

Practice

Responder (Python) can be used to operate DHCP poisoning in the following manner
  • race against the legit DHCP server to answer DHCP REQUEST messages
  • sent a DHCP ACK response with a rogue WPAD server address in option 252 in the network parameters, with a short lease (10 seconds). Responder can also be used to attempt at injecting a DNS server instead.
  • wait the lease to expire so that the poisoned client asks for a new lease
  • let the client obtain a legitimate lease from the real DHCP server, allowing the client to obtain the right network settings and have connectivity
  • the injected WPAD server address will stay until the client reboots. If the injected field was a DNS server, it will be overwritten with the new legit DHCP lease.
  • with the injected WPAD server address, the Windows client will try to obtain the wpad.dat file on the rogue WPAD. Responder will then require the client to authenticate.
The attack can be started with the -d/--DHCP (WPAD injection) argument. By default, a rogue WPAD server will be injected in the configuration. If the additional-D/--DHCP-DNS argument is set, a rogue DNS server address will be injected in the configuration instead of a WPAD.
Additional arguments and options should be used when doing DHCP poisoning with the -d/--DHCP argument. Those options can also be used along -D/--DHCP-DNS since the WPAD DNS entry will be one of the first queries by the poisoned machine.
  • The -w/--wpad option to start the WPAD rogue server so that fake wpad.dat file can be served to requesting clients (i.e. WPAD spoofing)
  • The -P/--ProxyAuth option to force the Windows client to authenticate after the wpad.dat is accessed and when the client starts using the proxy
1
# DNS injection
2
responder --interface "eth0" --DHCP --DHCP-DNS --wpad --ProxyAuth
3
responder -I "eth0" -wPdD
4
5
# WPAD injection
6
responder --interface "eth0" --DHCP --wpad --ProxyAuth
7
responder -I "eth0" -wPd
Copied!
The proxy auth NTLM authentication can either be
  • forced and captured with Responder with the command line above (with --wredir and --ProxyAuth)
  • or forced and relayed with ntlmrelayx (by using the --http-port 3128 argument
1
responder --interface "eth0" --DHCP --DHCP-DNS --wpad
2
ntlmrelayx -t $target --http-port 3128
Copied!

Resources

Responder's DHCP Poisoner
Previous
DNS spoofing
Next
DHCPv6 spoofing
Last modified 1mo ago
Copy link
Edit on GitHub
Contents
Theory
Practice
Resources