1
00:00:00,200 --> 00:00:02,680
In DHCP spoofing attacks,

2
00:00:02,690 --> 00:00:06,350
the attacker places a rogue DHCP server on the network.

3
00:00:07,100 --> 00:00:13,130
There are two main features of the DHCP mechanism that give rise to the DHCP spoofing attack.

4
00:00:14,100 --> 00:00:19,680
First, there's no authentication process or priority in the DHCP mechanism.

5
00:00:20,330 --> 00:00:27,260
Second, as clients are turned on and request an address, the server with the fastest response is used.

6
00:00:27,990 --> 00:00:33,990
So if the device receives a response from the rogue server first, the rogue server can assign any address

7
00:00:33,990 --> 00:00:37,530
as well as control which device it uses as a gateway.

8
00:00:38,560 --> 00:00:45,970
So a well-designed attack can funnel traffic from local hosts to a rogue server that logs all the traffic

9
00:00:45,970 --> 00:00:51,520
and then forwards that traffic out to the correct gateway for the device.

10
00:00:51,520 --> 00:00:55,120
And this action would be almost transparent.

11
00:00:55,120 --> 00:00:55,720
Right?

12
00:00:56,400 --> 00:01:00,480
Thus, the attacker can steal information pretty much invisibly.

13
00:01:00,570 --> 00:01:02,220
How are you going to find that?

14
00:01:02,930 --> 00:01:04,220
That's why you're here.

15
00:01:05,000 --> 00:01:07,120
Let me clue you in on another important point.

16
00:01:07,130 --> 00:01:14,870
While setting up a rogue DHCP server, we cannot be so sure whether the client received the settings

17
00:01:14,870 --> 00:01:17,480
of the rogue server or the legitimate server.

18
00:01:18,490 --> 00:01:24,430
That's why it's way better to use the DHCP spoofing attack with the DHCP starvation attack.

19
00:01:24,640 --> 00:01:25,300
All right.

20
00:01:25,420 --> 00:01:34,510
In a DHCP starvation attack, an attacker broadcasts a large number of DHCP request messages with spoofed

21
00:01:34,510 --> 00:01:36,160
source MAC addresses.
22
00:01:36,890 --> 00:01:44,150
If the legitimate DHCP server in the network starts responding to all these bogus DHCP request messages,

23
00:01:44,180 --> 00:01:50,420
the available IP addresses in the DHCP server scope will be depleted within a very short span of time.

24
00:01:51,640 --> 00:01:59,110
Now, once the available number of IP addresses in the DHCP server is depleted, network attackers can

25
00:01:59,140 --> 00:02:06,140
then set up a rogue DHCP server and respond to new DHCP requests from the network

26
00:02:06,160 --> 00:02:07,690
DHCP clients.

27
00:02:07,870 --> 00:02:16,180
By setting up a rogue DHCP server, the attacker can now launch a whole DHCP spoofing attack.

28
00:02:17,560 --> 00:02:23,740
So here is how we can perform a DHCP spoofing attack together with a DHCP

29
00:02:23,740 --> 00:02:25,000
starvation attack.

30
00:02:25,600 --> 00:02:32,080
So we'll create a lot of DHCP discovery packets to request new IP addresses from the DHCP server.

31
00:02:32,600 --> 00:02:35,870
The DHCP server replies to these requests.

32
00:02:38,180 --> 00:02:40,010
IP address space is limited.

33
00:02:40,610 --> 00:02:45,680
For example, a Class C subnet has about 250 IP addresses available.

34
00:02:46,830 --> 00:02:54,240
So since the IP addresses are used up by fake MAC addresses, there aren't any more IP addresses for legitimate

35
00:02:54,240 --> 00:02:54,930
clients.

36
00:02:56,310 --> 00:03:03,030
DHCP cannot respond to the new requests, and the clients which cannot get IP addresses become out of

37
00:03:03,030 --> 00:03:03,660
service.

38
00:03:04,290 --> 00:03:10,830
So now we'll set up a rogue DHCP server, which is the only server to respond to the clients' IP address

39
00:03:10,830 --> 00:03:11,400
requests.

40
00:03:11,430 --> 00:03:12,060
Right now,

41
00:03:12,940 --> 00:03:19,810
the rogue DHCP server starts distributing IP addresses and other TCP/IP configuration settings to the

42
00:03:19,810 --> 00:03:21,640
network DHCP clients.
43
00:03:22,450 --> 00:03:28,630
TCP/IP configuration settings include default gateway and DNS server IP addresses.

44
00:03:30,130 --> 00:03:37,150
So now we can replace the original legitimate default gateway IP address and DNS server IP address with

45
00:03:37,150 --> 00:03:39,310
our own IP address.

46
00:03:42,220 --> 00:03:48,430
Once the default gateway IP address of the network devices is changed, the network clients start sending

47
00:03:48,430 --> 00:03:52,150
the traffic destined to outside networks to the attacker's computer.

48
00:03:52,880 --> 00:03:58,070
The attacker can now capture sensitive user data and launch a man-in-the-middle attack.