WEBVTT

0
00:01.960 --> 00:04.000
Hello guys and welcome!

1
00:04.000 --> 00:09.050
We'll start a series of lectures on DHCP security. At the end

2
00:09.130 --> 00:15.100
you will know how to hack DHCP and what countermeasures you can take.


3
00:15.100 --> 00:20.170
Let's take a look at the purpose of DHCP and how it works.

4
00:20.170 --> 00:27.460
This is really necessary in order to deeply understand the attacks on DHCP and how to mitigate the

5
00:27.460 --> 00:37.180
impact. Dynamic Host Configuration Protocol or DHCP is used to dynamically provide IP addresses and other

6
00:37.180 --> 00:43.180
configuration information to hosts on wired or wireless networks.

7
00:43.180 --> 00:49.180
When you connect your mobile phone or your laptop to the WiFi network, they will receive all the necessary

8
00:49.180 --> 00:57.520
information to communicate on the network and on the Internet like IP address, network mask, default gateway,

9
00:57.790 --> 01:06.690
and DNS servers from the DHCP server, which in many cases, especially in small LANs, is the router.

10
01:06.700 --> 01:15.050
The configuration is assigned with a lease time. For the end user DHCP works behind the scenes.

11
01:15.170 --> 01:25.400
Let's see in a nutshell how it really works! The admin sets up the DHCP server and creates pools of addresses

12
01:25.490 --> 01:34.440
available for assignment to the clients, wired or wireless. When a device is turned on and connected

13
01:34.500 --> 01:35.580
to the network

14
01:35.580 --> 01:42.660
if it's configured to use DHCP for its network configuration, it will send a request to the server,

15
01:42.960 --> 01:52.080
called DHCPDISCOVER. This first message is a broadcast one, which means that any host on the network

16
01:52.290 --> 01:53.090
will receive it.

17
01:54.280 --> 02:03.020
Maybe there are more DHCP servers, and each server will respond back with an offer. After the DISCOVER

18
02:03.020 --> 02:11.000
packet reaches the DHCP server, the server reserves an IP address for the client and makes a

19
02:11.000 --> 02:15.910
lease offer by sending a DHCPOFFER message to the client.

20
02:15.920 --> 02:24.170
This packet contains an IP address, a subnet mask, a lease duration and the IP address of the server

21
02:24.170 --> 02:32.590
making the offer. This second message is a unicast packet, so only the requesting client will receive

22
02:32.590 --> 02:42.010
it. In response to the DHCP offer, the client replies with a DHCPREQUEST message, broadcast to the server,

23
02:42.250 --> 02:43.740
requesting the offered 

24
02:43.740 --> 02:47.290
address. Why is this a broadcast packet?

25
02:47.810 --> 02:55.790
It's because a client can receive DHCP offers from multiple servers, but it will accept only one

26
02:55.790 --> 03:04.780
DHCP offer. Based on the required server identification option in the request and the broadcast message, servers

27
03:04.870 --> 03:08.900
are informed whose offer the client has accepted.

28
03:09.280 --> 03:16.480
And finally the server will send the DHCP acknowledgement packet to confirm the configuration to the

29
03:16.480 --> 03:24.970
client. This packet includes the lease duration and any other configuration information that the client

30
03:25.180 --> 03:27.000
might have requested.

31
03:27.130 --> 03:32.590
At this point the IP address configuration process is completed.

32
03:32.590 --> 03:40.810
If the server decides that the device cannot have the IP address, it will send a negative acknowledgment

33
03:41.080 --> 03:47.550
or a DHCPNAK packet. When the client leaves the network,

34
03:47.550 --> 03:53.910
it can send a DHCPRELEASE to inform the server, which will deactivate its address.

35
03:54.240 --> 03:58.150
The server can offer this IP address to another client.

36
03:58.820 --> 04:08.040
Let's see these DHCP messages in Wireshark. I'm opening Wireshark and I am starting the capture on

37
04:08.070 --> 04:09.690
the WiFi interface.

38
04:16.500 --> 04:19.490
It's capturing data.

39
04:19.570 --> 04:23.730
Now I am connecting my mobile phone to the WiFi network.

40
04:24.040 --> 04:31.690
My mobile phone, like the vast majority of phones, is configured to automatically set up its network

41
04:31.690 --> 04:37.680
parameters using DHCP, and I am connecting it to the network.

42
04:37.690 --> 04:40.590
You won't see this; I have the phone in my hand!

43
04:43.370 --> 04:48.520
You are seeing a lot of traffic, but I am filtering to see only the DHCP packets.

44
04:50.400 --> 04:56.080
So I am applying the display filter dhcp; perfect!

45
04:56.450 --> 05:03.860
If it doesn't recognize the dhcp filter option, especially in older versions of Wireshark, you can

46
05:03.860 --> 05:07.040
write bootp as well. So bootp

47
05:10.570 --> 05:11.440
Bootp

48
05:11.610 --> 05:22.450
or boot protocol is in fact an older version of DHCP, like a legacy DHCP. Both options are working,

49
05:22.690 --> 05:34.550
but I'm writing back dhcp, and we notice the broadcast DISCOVER message sent by the phone.

50
05:34.670 --> 05:41.960
This was received by every host on the network, including this Windows machine. Then the server responded

51
05:41.960 --> 05:50.390
back with an offer sent as unicast. We can't see this packet on another host, like on this Windows

52
05:50.390 --> 05:58.850
machine, because it's a unicast packet. And in the third step, the phone has requested the offer

53
05:59.120 --> 06:08.320
by sending a broadcast message that we can see in Wireshark. Now that you know in detail how DHCP works,

54
06:08.510 --> 06:12.850
let's go ahead and take a look at the attacks on DHCP.

55
06:12.930 --> 06:21.600
Note that the attacks could happen due to the lack of any authentication mechanism between the DHCP server and

56
06:21.710 --> 06:28.110
the DHCP clients. There are mainly the following types of attacks:

57
06:28.320 --> 06:34.900
DHCP flooding, DHCP starvation and DHCP rogue server.

58
06:35.120 --> 06:39.980
Let's take them one by one! In a DHCP flooding attack

59
06:39.990 --> 06:46.140
the hacker will flood the server with fake DHCP discover messages.

60
06:46.140 --> 06:53.850
The server will start processing these messages and become unavailable for legitimate clients, which will

61
06:53.850 --> 06:56.420
not receive an IP configuration.

62
06:56.430 --> 06:58.470
This is a denial of service attack.

63
07:00.290 --> 07:06.510
The DHCP starvation attack occurs when an attacker constantly sends fake

64
07:06.520 --> 07:12.230
DHCP requests with spoofed MAC addresses to the DHCP server.

65
07:12.230 --> 07:19.280
Eventually, there are no more IP addresses available to allocate to legitimate devices, and the network

66
07:19.280 --> 07:21.080
becomes unusable.

67
07:21.080 --> 07:24.460
This is also a denial of service attack.

68
07:24.500 --> 07:34.380
DHCPig, dhcpstarv, Gobbler or Yersinia are tools that can perform these attacks. We'll

69
07:34.380 --> 07:39.030
see them live in the next lectures. And the last attack

70
07:39.040 --> 07:47.470
we are talking about is called DHCP rogue server. A rogue DHCP server is a server set up on the network

71
07:47.500 --> 07:55.080
by an attacker or by an unaware user, and it is not under the control of the network admin. Using a rogue

72
07:55.090 --> 07:55.840
server

73
07:55.840 --> 08:03.570
the attacker can start sending IP addresses and other configuration settings to the network DHCP clients.

74
08:03.640 --> 08:11.620
These configuration settings include the default gateway and DNS server IP addresses, which are not the

75
08:11.620 --> 08:19.610
legitimate ones but are the attacker's or under his control. Once the default gateway IP address of

76
08:19.610 --> 08:22.270
the network devices is changed,

77
08:22.400 --> 08:29.920
the network hosts start sending the traffic destined to outside networks to the attacker's computer.

78
08:30.110 --> 08:36.050
The hacker can now capture sensitive user data and launch a man-in-the-middle attack.

79
08:36.050 --> 08:40.100
This is also called a DHCP spoofing attack.

80
08:40.100 --> 08:48.820
Hackers can also set up a rogue DNS server and divert user traffic to fake websites and launch

81
08:48.890 --> 08:51.910
phishing attacks. Okay!

82
08:52.040 --> 08:55.440
In this lecture we have seen how DHCP works,

83
08:55.550 --> 09:02.360
what the security problems are and how a hacker could attack DHCP. In the next lectures,

84
09:02.360 --> 09:06.010
I'll show you live examples of these attacks.