DHCP Exhaustion Script: DHCPig


DHCP Exhaustion Script

     DHCPig initiates an advanced DHCP exhaustion attack. It will consume all IPs on the LAN, stop new users from obtaining IPs, release any IPs in use, then for good measure send gratuitous ARP and knock all windows hosts offline.

It requires scapy >=2.1 library and admin privileges to execute. No configuration necessary, just pass the interface as a parameter. It has been tested on multiple Linux distributions and multiple DHCP servers (ISC,Windows 2k3/2k8,..).



When executed the script will perform the following actions:

Grab your Neighbors IPs before they do
Listen for DHCP Requests from other clients if offer detected, respond with request for that offer.
Request all available IP addresses in Zone
Loop and Send DHCP Requests all from different hosts & MAC addresses
Find your Neighbors MAC & IP and release their IP from DHCP server
ARP for all neighbors on that LAN, then send DHCPReleases to server
Finally the script will then wait for DHCP exhaustion, (that is no received DHCP OFFERs for 10 seconds) and then

Knock all Windows systems offline
gratuitous ARP the LAN, and since no additional DHCP addresses are available these windows systems should stay offline. Linux systems will not give up IP even when another system on LAN is detected with same IP.


Protocol

IPv4
SEQUENCE
—-> DHCP_DISCOVER
<—- DHCP_OFFER
—-> DHCP_REQUEST
<—- DHCP_REPLY (ACK/NACK)
DHCPd snoop detection (DHCPd often checks if IP is in use)
Check for ARP_Snoops
Check for ICMP Snoops
IPv6
SEQUENCE
—-> DHCP6_SOLICIT
<—- DHCP6_ADVERTISE
—-> DHCP6_REQUEST
<—- DHCP6_REPLY
DHCPd snoop detection (DHCPd often checks if IP is in use)
Check for ICMPv6 Snoops


Usage

enhanced DHCP exhaustion attack plus.

Usage:
    pig.py [-h -v -6 -1 -s -f -t -a -i -o -l -x -y -z -g -r -n -c ] <interface>
 
Options:
    -h, --help                     <-- you are here :)
    -v, --verbosity                ...  0 ... no         (3)
                                        1 ... minimal
                                       10 ... default
                                       99 ... debug
                                     
    -6, --ipv6                     ... DHCPv6 (off, DHCPv4 by default)
    -1, --v6-rapid-commit          ... enable RapidCommit (2way ip assignment instead of 4way) (off)
   
    -s, --client-src               ... a list of client macs 00:11:22:33:44:55,00:11:22:33:44:56 (Default: <random>)
    -O, --request-options          ... option-codes to request e.g. 21,22,23 or 12,14-19,23 (Default: 0-80)
   
    -f, --fuzz                     ... randomly fuzz packets (off)

    -t, --threads                  ... number of sending threads (1)
   
    -a, --show-arp                 ... detect/print arp who_has (off)
    -i, --show-icmp                ... detect/print icmps requests (off)
    -o, --show-options             ... print lease infos (off)
    -l, --show-lease-confirm       ... detect/print dhcp replies (off)
   
    -g, --neighbors-attack-garp    ... knock off network segment using gratious arps (off)
    -r, --neighbors-attack-release ... release all neighbor ips (off)
    -n, --neighbors-scan-arp       ... arp neighbor scan (off)
   
    -x, --timeout-threads          ... thread spawn timer (0.4)
    -y, --timeout-dos              ... DOS timeout (8) (wait time to mass grat.arp)
    -z, --timeout-dhcprequest      ... dhcp request timeout (2)
   
    -c, --color                    ... enable color output (off)


Defense

Most common approach to defending DHCP exhaustion is via access layer switching or wireless controllers.

      In cisco switching simplest option is to enable DHCP snooping. Snooping will defend against pool exhaustion, IP hijacking, and DHCP sever spoofing all of which are used in DHCPig. Based on examined traffic, DHCP snooping will create a mapping table from IP to mac on each port. User access ports are then restricted to only the given IP. Any DHCP server messages originating from untrusted ports are filtered.

enable the following to defend against pool exhaustion, IP hijacking, and DHCP sever spoofing:

enable snoopingip dhcp snooping
specify which port your DHCP is associated with. Most likely this is your uplink. Doing the following will limit DHCP server responses to only the specified port, so use after testing in lab environment.int fa0/1 (or correct interface)ip dhcp snooping trust
show statusshow ip dhcp snoppingshow ip dhcp snopping binding
additional info: http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.1/12ew/configuration/guide/dhcp.pdf

Download

Comments

Post a Comment

Popular posts from this blog

[SEO ELITE] Find Unlimited Targets For GSA SER And Other Link Building Tools

Image
If you do this process for 30 minutes each day for 5 days you will end up with hundreds of thousands of new link targets. I’m talking about contextual, do-follow links too  ! Links bring traffic. Traffic brings sales. This guide describes how I make new link-lists for link building, as of February 2016. Here’s a tier two GSA-SER project I ran and the scraped target list is the result of a Footprint Factory analysis: I have just over 67,000 verified links from 22,000 unique domains. The reason this is so exciting is because the raw scrape list I’m running only had about 830,000 URLs in it. That means that about over 8% of the URLs I scraped during the making of this tutorial gave me verified back links. To put that in perspective, a lot of people only get about 1-2% with a raw list. So 8% is pretty amazing. That cuts your working time down by 75%, and it also means you only have to do this process a few times to build a very large database of powerful links you can use to rank your site
Read more

[CRACKED] VIP72 Socks Cracked by AnonX

Image
How to use: 1. Download and extract the zip file "VIP72 Socks [CRACKED].zip" 2. Edit hosts, Path: C:\Windows\System32\drivers\etc\hosts (Open the file and add these lines below and press save.) 127.0.0.1 vip72.com 127.0.0.1 .www.vip72.com 127.0.0.1 vip72.asia 127.0.0.1 .www.vip72.asia 3. Open vip72socks.exe "Run as administrator" OR Open vip72socksRU.exe "Run as administrator" 4. Open ProxifierPE and Enjoy! Login Info. Login User: NULL Login Password: NULL Download
Read more