WEBVTT

0
00:01.540 --> 00:02.830
Welcome back!

1
00:02.830 --> 00:10.390
In the last lecture we've executed a Discover flooding attack on the DHCP server which is also the default

2
00:10.390 --> 00:12.320
gateway of the LAN.

3
00:12.330 --> 00:19.240
Now I'll show you a starvation attack which can have far more impact on the network and its users.

4
00:19.240 --> 00:26.410
This time the attacker will not flood the DHCP server with hundreds of Discover requests per second

5
00:26.710 --> 00:34.960
but he will instead send the Discover request packets at a slower rate allowing the DHCP to properly

6
00:34.960 --> 00:36.580
handle them.

7
00:36.580 --> 00:43.180
He will keep track of sent discover messages and wait for the matching OFFER replies.

8
00:43.180 --> 00:50.870
Finally the hacker will send REQUEST messages in reaction to the received OFFERs, confirming the IP 

9
00:50.890 --> 00:53.540
lease. In just a few seconds

10
00:53.590 --> 01:01.210
all available IP addresses will be leased meaning that there will be no available IP any more to

11
01:01.210 --> 01:07.210
send to newly connected devices preventing them from accessing the network.

12
01:07.270 --> 01:10.960
It's the classical definition of a denial of service attack.

13
01:10.960 --> 01:14.720
Okay, let's go to work. To launch the attack

14
01:14.720 --> 01:19.170
I'm gonna use another tool called the DHCPig.

15
01:19.280 --> 01:25.640
It has a good implementation of this attack and there are tons of available options

16
01:29.160 --> 01:37.370
The DHCPig is written in Python, has been tested on multiple Linux distributions and multiple DHCP

17
01:37.370 --> 01:46.110
servers and uses the scapy library. Even though it has a lot of options to start a basic starvation

18
01:46.110 --> 01:46.750
attack

19
01:46.770 --> 01:49.560
no configuration is necessary.

20
01:49.560 --> 01:54.740
Just pass the interface as a parameter to the dhcpig command. 


21
01:56.840 --> 02:04.730
I'm gonna use the Linux Mint but you can use any Linux distribution you wish including Kali; you will

22
02:04.730 --> 02:06.560
use it in the same way!

23
02:06.970 --> 02:14.990
DHCPig is not installed but it belongs to the standard repositories so I'm gonna install it using

24
02:15.140 --> 02:17.840
apt. As root

25
02:17.880 --> 02:20.290
I'm executing apt

26
02:20.460 --> 02:26.200
update && apt install


27
02:26.210 --> 02:26.780
dhcpig

28
02:36.140 --> 02:39.260
Okay, it was successfully installed!

29
02:39.350 --> 02:48.050
I'm checking the machine's IP and then launching the attack dhcpig and the interface.

30
02:48.050 --> 02:51.680
In this case it's enp0s3

31
03:02.720 --> 03:10.130
We notice how it’s sending DHCP Discover packets, waiting for the Offer packets and then completing

32
03:10.190 --> 03:13.280
the entire IP allocation process.

33
03:13.280 --> 03:20.180
If you want to go deeper start Wireshark and see exactly what it sends and receives back from the

34
03:20.180 --> 03:21.500
server.

35
03:21.530 --> 03:23.270
Okay, done!

36
03:23.270 --> 03:31.990
DHCP pool exhausted! This is the DHCP server which is also the router and the victim of the

37
03:31.990 --> 03:32.910
attack.

38
03:32.950 --> 03:38.410
Let's check the logs of the DHCP server. And we see here

39
03:38.480 --> 03:47.510
tons of requests received from DHCPig and acknowledgements sent back by the server; all IP configurations

40
03:47.660 --> 03:49.990
have been already offered.

41
03:50.300 --> 03:55.380
If a legitimate client boots up it won't receive anything.

42
03:55.780 --> 03:58.850
The DHCPig goes even farther.

43
03:58.910 --> 04:07.340
Once there are no more free leases it will try to disconnect all Windows machines by simulating IP address

44
04:07.550 --> 04:12.000
conflicts by sending gratuitous ARP packets.

45
04:12.110 --> 04:19.610
This results in the Windows machines dropping their current address to fetch a new one from the DHCP server

46
04:19.850 --> 04:25.720
but at that time there are no more IP addresses available. Okay!

47
04:25.770 --> 04:33.080
That's all about the DHCP starvation attack. To bring my network back into its normal parameters

48
04:33.080 --> 04:34.880
I think I'm gonna restart the router.