1
00:00:00,320 --> 00:00:05,270
So let's have a look to see how a DHCP mechanism works in detail.

2
00:00:06,980 --> 00:00:13,190
Once a device is turned on and connected to a network that has a DHCP server, it will send a request

3
00:00:13,190 --> 00:00:16,670
to the server called a DHCP Discover request.

4
00:00:17,750 --> 00:00:24,260
After the Discover packet reaches the DHCP server, the server attempts to hold on to an IP address

5
00:00:24,260 --> 00:00:30,710
that the device can use and then offers the client the address with a DHCP Offer packet.

6
00:00:31,730 --> 00:00:37,910
Once the offer has been made for the chosen IP address, the device responds to the DHCP server with

7
00:00:37,910 --> 00:00:40,640
a DHCP Request packet to accept it.

8
00:00:41,320 --> 00:00:48,190
After which the server sends an ACK packet that's used to confirm that the device has that specific

9
00:00:48,190 --> 00:00:54,670
IP address and to define the amount of time that the device can use the address before getting a new

10
00:00:54,670 --> 00:00:55,060
one.

11
00:00:55,690 --> 00:01:01,300
If the server decides a device cannot have the IP address, it will send a NAK.

12
00:01:02,900 --> 00:01:06,200
Let's see the DHCP server mechanism in Wireshark.

13
00:01:08,140 --> 00:01:12,640
So Wireshark is already embedded into Kali and it's ready to use.

14
00:01:12,670 --> 00:01:17,770
In addition, I'd also like to show you how to download and install it on a Windows system.

15
00:01:17,980 --> 00:01:21,190
So right now I'm in a Windows 8 system.

16
00:01:21,670 --> 00:01:28,270
Open the internet browser and search for "Wireshark for Windows", using those as the keywords.

17
00:01:28,510 --> 00:01:31,710
The first link is the download page of

18
00:01:31,930 --> 00:01:32,440
Wireshark.org.

19
00:01:32,680 --> 00:01:33,760
So let's click it.

20
00:01:34,710 --> 00:01:40,710
My Windows is 64-bit, so I'll download the 64-bit version, which is the latest stable version.

21
00:01:40,860 --> 00:01:43,410
Click it and save the installer.

22
00:01:43,740 --> 00:01:47,440
Now it takes less than a minute unless your connection is a mess.

23
00:01:47,460 --> 00:01:49,080
You might want to look into that.

24
00:01:49,650 --> 00:01:50,600
Just kidding.

25
00:01:53,460 --> 00:01:54,810
Click to run it.

26
00:01:58,840 --> 00:02:00,370
The Setup Wizard opens.

27
00:02:00,910 --> 00:02:01,600
Okay.

28
00:02:01,600 --> 00:02:03,280
So simply it's Next.

29
00:02:03,310 --> 00:02:03,610
Next.

30
00:02:03,640 --> 00:02:03,910
Next.

31
00:02:03,910 --> 00:02:05,410
Finish installation.

32
00:02:05,410 --> 00:02:07,020
No need to change anything.

33
00:02:07,030 --> 00:02:09,370
Wait until the installation finishes.

34
00:02:19,450 --> 00:02:23,860
Okay, so check this to run Wireshark now and click Finish.

35
00:02:24,580 --> 00:02:27,700
And welcome to the Wireshark interface on Windows.

36
00:02:30,790 --> 00:02:35,950
So now I will show you the DHCP mechanism in Wireshark.

37
00:02:38,590 --> 00:02:44,920
So let's run Wireshark and you can see that it's listing the packets received by eth0.

38
00:02:46,100 --> 00:02:49,940
So to demonstrate the DHCP mechanism,

39
00:02:50,560 --> 00:02:55,180
we need to ask for an IP address from the DHCP server.

40
00:02:56,790 --> 00:03:03,900
From the bottom right corner, right-click the network icon and select Open Network and Sharing Center.

41
00:03:04,680 --> 00:03:07,710
Click Ethernet 0 and then Properties.

42
00:03:08,100 --> 00:03:12,780
You'll have to scroll down a little bit and double-click IP Version 4.

43
00:03:13,450 --> 00:03:18,040
And as you see here, the IP address is manually set for my Windows 8.

44
00:03:18,310 --> 00:03:25,690
So to start a DHCP request, I'll choose Obtain an IP address and DNS server address automatically.

45
00:03:25,900 --> 00:03:27,550
Those are my options.

46
00:03:28,090 --> 00:03:33,910
Now, before I click OK, I'll go to Wireshark and restart capturing by clicking the green button

47
00:03:33,940 --> 00:03:34,870
on the toolbar.

48
00:03:35,690 --> 00:03:38,840
So now the Wireshark window will be cleared.

49
00:03:39,260 --> 00:03:40,790
Continue without saving.

50
00:03:41,120 --> 00:03:44,480
So now go to the network status window and click OK.

51
00:03:44,600 --> 00:03:47,270
And we can close all the networking windows.

52
00:03:48,330 --> 00:03:50,470
So Wireshark captured the packets.

53
00:03:50,490 --> 00:03:56,640
Well, it's still capturing, but let's go to the top of the list to find the DHCP packets.

54
00:03:57,390 --> 00:03:58,920
So here is the DHCP

55
00:03:58,920 --> 00:04:01,770
Discover packet, right here at the top of the list.

56
00:04:02,100 --> 00:04:09,720
When we look at the ports in the UDP header, we see that port 68 is used to send DHCP Discover

57
00:04:09,720 --> 00:04:10,470
packets.

58
00:04:10,620 --> 00:04:20,070
So let's go back to the filter box and type udp.port == 68, and now we have the DHCP packets

59
00:04:20,070 --> 00:04:20,730
only.

60
00:04:21,829 --> 00:04:30,140
So the first packet is DHCP Discover and, as I mentioned before, it's broadcast. The source IP is all zeros

61
00:04:30,140 --> 00:04:32,360
because we don't have an IP address at the moment.

62
00:04:32,510 --> 00:04:35,210
Destination IP is all ones,

63
00:04:35,780 --> 00:04:39,260
255.255.255.255,

64
00:04:39,290 --> 00:04:41,090
because it's a broadcast packet.

65
00:04:42,800 --> 00:04:49,910
And right here is Bootstrap Protocol, which is an application layer protocol used by DHCP mechanisms.

66
00:04:51,130 --> 00:04:56,590
The second packet is a DHCP Offer packet sent by the DHCP server,

67
00:04:56,620 --> 00:05:01,330
172.16.99.254, to the Windows system.

68
00:05:01,780 --> 00:05:09,460
Destination IP is 172.16.99.233, which is offered to the DHCP server.

69
00:05:09,670 --> 00:05:13,480
So in here the destination MAC address is important.

70
00:05:13,870 --> 00:05:16,780
That's what's going to be targeted according to the MAC address.

71
00:05:16,810 --> 00:05:24,190
So as you see, the destination MAC address of the DHCP Offer packet is the same as the source MAC address

72
00:05:24,190 --> 00:05:26,740
of the DHCP Discover packet.

73
00:05:27,840 --> 00:05:33,090
Now, the third packet is the DHCP Request sent by the Windows system.

74
00:05:33,740 --> 00:05:38,810
It's still a broadcast packet and the source IP is still all zeros.

75
00:05:39,520 --> 00:05:45,740
The message is Request and the requested IP address is in option 50.

76
00:05:45,760 --> 00:05:52,900
So if you expand it, you see the requested IP address and it's the same as the offered IP address,

77
00:05:52,900 --> 00:05:56,920
172.16.99.223.

78
00:05:57,220 --> 00:06:03,160
The last packet is DHCP sent by the DHCP server to the Windows system.

79
00:06:03,780 --> 00:06:07,560
This packet completes the DHCP mechanism successfully.

80
00:06:08,970 --> 00:06:12,480
So from now on, the IP address of our Windows system is

81
00:06:12,480 --> 00:06:15,510
172.16.99.223.