DHCP Spoofing

Information

• Name: DHCP Spoofing

• ID: T1557.003

• Tactics: TA0006, TA0009

• Technique: T1557

Introduction

DHCP Spoofing (T1557.003) is a sub-technique under the MITRE ATT&CK framework categorized within "Adversary-in-the-Middle" techniques. DHCP spoofing involves an adversary deploying a rogue DHCP server or spoofing DHCP responses to redirect network traffic through attacker-controlled infrastructure. This enables attackers to intercept, monitor, manipulate, or disrupt the victim’s network communications, often leading to further compromise or data exfiltration.

Deep Dive Into Technique

Dynamic Host Configuration Protocol (DHCP) is a network management protocol that dynamically assigns IP addresses and network configuration parameters to devices on a network. DHCP spoofing occurs when an adversary sets up a malicious DHCP server or sends spoofed DHCP responses to trick client devices into accepting incorrect network configurations. The attack typically unfolds as follows:

1. Malicious DHCP Server Deployment:

   • The attacker introduces a rogue DHCP server into the network.

   • The rogue server responds faster than the legitimate DHCP server, causing client devices to accept the attacker’s DHCP offer.

   • Clients receive malicious network configurations, such as manipulated default gateways or DNS servers.

2. DHCP Reply Spoofing:

   • The attacker passively monitors DHCP requests on the network.

   • Upon detecting a DHCP DISCOVER or REQUEST message, the attacker quickly sends a spoofed DHCP OFFER or ACK response.

   • The client device accepts the spoofed response due to its faster arrival, resulting in compromised network settings.

Technical mechanisms and tools commonly associated with DHCP spoofing include:

• Use of network penetration testing tools such as Yersinia, Ettercap, or DHCPig to automate DHCP spoofing attacks.

• Manipulation of network parameters, including DNS addresses, default gateways, subnet masks, and IP address ranges.

• Exploitation of network devices with insufficient security configurations, such as unmanaged switches or lack of DHCP snooping features.

Real-world procedures often involve attackers leveraging DHCP spoofing to execute Man-in-the-Middle (MitM) attacks, intercept sensitive communications, redirect victims to phishing sites, or facilitate lateral movement within compromised networks.

When this Technique is Usually Used

DHCP spoofing is commonly employed in various attack scenarios and stages:

• Initial Access and Reconnaissance:

  • Attackers deploy DHCP spoofing to intercept network traffic, gather sensitive information, and map network topology.

  • Facilitates passive reconnaissance, allowing attackers to identify potential targets, vulnerabilities, or valuable assets.

• Credential Harvesting and Data Theft:

  • Spoofed DHCP responses redirect traffic through attacker-controlled infrastructure, enabling interception and capture of credentials, session tokens, or sensitive data.

  • Attackers leverage captured credentials to escalate privileges, compromise additional systems, or exfiltrate sensitive information.

• Man-in-the-Middle Attacks:

  • DHCP spoofing is frequently combined with MitM techniques to intercept, modify, or relay network communications unnoticed.

  • Attackers manipulate DNS settings to redirect users to malicious websites or phishing pages.

• Network Disruption and Denial-of-Service (DoS):

  • Attackers intentionally distribute incorrect network parameters, causing network outages, connectivity issues, or service disruptions, often as part of broader denial-of-service attacks.

• Lateral Movement and Persistence:

  • Once attackers gain initial footholds, DHCP spoofing facilitates lateral movement by intercepting credentials or sensitive network communications.

  • Attackers maintain persistence by continuously intercepting traffic and adjusting network configurations to evade detection.

How this Technique is Usually Detected

Detection of DHCP spoofing attacks involves various methods, tools, and indicators of compromise (IoCs):

• DHCP Snooping Implementation:

  • Network switches configured with DHCP snooping can detect and block unauthorized DHCP responses.

  • DHCP snooping validates DHCP messages and prevents rogue DHCP servers from assigning IP addresses.

• Network Traffic Monitoring and Analysis:

  • Continuous monitoring of network traffic using intrusion detection systems (IDS) or network security monitoring (NSM) tools.

  • Detection of multiple DHCP responses from different MAC addresses or unexpected DHCP servers.

• Security Information and Event Management (SIEM) Solutions:

  • Centralized log aggregation and analysis to detect abnormal DHCP server activity or unexpected network configuration changes.

  • Alerts triggered by unusual DHCP server activity or suspicious DHCP lease assignments.

• Endpoint and Host-Based Detection:

  • Endpoint security solutions detecting unexpected network configuration changes, such as DNS or default gateway modifications.

  • Host-based firewall alerts indicating suspicious DHCP traffic or unexpected DHCP server addresses.

• Indicators of Compromise (IoCs):

  • Unexpected DHCP server IP addresses or MAC addresses appearing in network logs.

  • Presence of unauthorized DHCP servers detected through network scans or asset management tools.

  • Sudden changes in DNS servers or default gateways without administrative approval.

Why it is Important to Detect This Technique

Early detection of DHCP spoofing attacks is critical due to their potential impact on system and network security:

• Data Interception and Theft:

  • Attackers intercept sensitive data, including credentials, financial information, intellectual property, or personally identifiable information (PII).

  • Early detection prevents significant data breaches and mitigates data loss.

• Credential Compromise and Privilege Escalation:

  • DHCP spoofing enables attackers to capture credentials, facilitating unauthorized access, privilege escalation, and lateral movement.

  • Detection prevents attackers from gaining persistent footholds and limits damage scope.

• Network Disruption and Downtime:

  • Malicious DHCP configurations lead to network outages, degraded performance, or denial-of-service conditions.

  • Early detection minimizes operational disruptions, maintaining business continuity and productivity.

• Reputation and Compliance Risk:

  • Undetected DHCP spoofing incidents may lead to regulatory non-compliance, data breaches, and reputational damage.

  • Timely detection demonstrates proactive security posture, compliance adherence, and reduces legal or regulatory risks.

• Facilitating Further Attacks:

  • DHCP spoofing serves as a gateway to more severe attacks, such as MitM, lateral movement, or ransomware deployment.

  • Early detection disrupts attacker kill-chains, preventing escalation and minimizing overall impact.

Examples

Real-world examples showcasing DHCP spoofing attacks, tools used, and associated impacts include:

• Yersinia Tool Usage:

  • Attackers utilize the Yersinia penetration testing framework to launch DHCP spoofing attacks, intercept network traffic, and redirect users to malicious servers.

  • Impact includes credential theft, unauthorized access, and data exfiltration.

• Ettercap for MitM Attacks:

  • Ettercap, a popular network interception tool, is frequently leveraged alongside DHCP spoofing to perform MitM attacks on local networks.

  • Attackers capture sensitive data, manipulate network communications, and redirect users to phishing sites.

• Corporate Network Intrusion:

  • In 2019, attackers compromised a corporate network by deploying a rogue DHCP server, redirecting employee traffic through attacker-controlled infrastructure.

  • Resulted in significant credential compromise, unauthorized access to sensitive resources, and data exfiltration incidents.

• University Campus Attack Scenario:

  • Attackers targeted a university campus network using DHCP spoofing, redirecting student and faculty network traffic.

  • Attackers captured login credentials, gained unauthorized access to academic resources, and disrupted network services, impacting productivity and causing significant remediation efforts.

• Financial Sector Incident:

  • Financial institutions have experienced DHCP spoofing attacks, redirecting internal traffic to malicious DNS servers.

  • Attackers successfully harvested credentials, accessed sensitive financial data, and initiated fraudulent transactions, resulting in substantial financial losses and compliance violations.