DHCP (Dynamic Host Configuration Protocol) servers provide the basic information a client needs to operate on the network: its IP address, subnet mask, default gateway, DNS server addresses and more.
Imagine an attacker brings a rogue DHCP server onto the same subnet as the other PCs. What happens? A PC broadcasts a DHCP request, and the attacker's server may answer with a DHCP reply that advertises its own IP address as the default gateway.
When the client accepts the attacker's reply, it uses the spoofed gateway address and its packets pass through the attacker's machine first. The attacker may well forward the packets on to the correct destination, but in the meantime it can examine every one of them. This is a man-in-the-middle attack, and the client does not even realize it.
Cisco switches use the DHCP snooping feature to prevent this type of attack. Each switch port is configured as either trusted or untrusted. The legitimate DHCP server sits behind a trusted port, and every other port is untrusted for DHCP server traffic. When a DHCP server message arrives on an untrusted port, the switch discards it before it can flood the VLAN, and it also puts that untrusted port into the err-disabled state automatically. DHCP snooping also keeps track of the complete DHCP binding table.
Let's look at the configuration of a DHCP spoofing attack and how DHCP snooping prevents it.
Topology: (diagram built in Cisco Packet Tracer)
Goal:
- configure the topology as per the diagram in Cisco Packet Tracer
- configure an IP address on Router 1
- configure the DHCP server on Router 1
- make sure all our clients get the basic information: IP address, subnet mask, default gateway, and DNS address
- configure the attacker machine as a DHCP server
- re-run DHCP on our client (PC) by switching its addressing from Static back to DHCP, and verify whether the basic information has changed (ipconfig /all)
- now configure our switch to prevent the attacker with DHCP snooping
- after preventing the attack, switch our PC from Static back to DHCP again.
Router(config)#interface gigabitEthernet 0/0
Router(config-if)#ip address 10.0.0.1 255.255.255.0
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#ip dhcp pool SERVER
Router(dhcp-config)#network 10.0.0.0 255.255.255.0
Router(dhcp-config)#default-router 10.0.0.1
Router(dhcp-config)#dns-server 10.0.0.80
Router(dhcp-config)#exit
Router(config)#ip dhcp excluded-address 10.0.0.1
Router(config)#ip dhcp excluded-address 10.0.0.80
Router(config)#exit
Make sure all our clients get the basic information: IP address, subnet mask, default gateway and DNS address.
(FROM PC 1)
Packet Tracer PC Command Line 1.0
C:\>ipconfig /all
FastEthernet0 Connection:(default port)
Connection-specific DNS Suffix..:
Physical Address................: 000B.BE81.0DD7
Link-local IPv6 Address.........: FE80::20B:BEFF:FE81:DD7
IP Address......................: 10.0.0.2
Subnet Mask.....................: 255.255.255.0
Default Gateway.................: 10.0.0.1
DNS Servers.....................: 10.0.0.80
DHCP Servers....................: 10.0.0.1
DHCPv6 Client DUID..............: 00-01-00-01-D6-19-05-C4-00-0B-BE-81-0D-D7
Bluetooth Connection:
(FROM PC 2)
Packet Tracer PC Command Line 1.0
C:\>ipconfig /all
FastEthernet0 Connection:(default port)
Connection-specific DNS Suffix..:
Physical Address................: 000B.BE81.0DD7
Link-local IPv6 Address.........: FE80::20B:BEFF:FE81:DD7
IP Address......................: 10.0.0.2
Subnet Mask.....................: 255.255.255.0
Default Gateway.................: 10.0.0.1
DNS Servers.....................: 10.0.0.80
DHCP Servers....................: 10.0.0.1
DHCPv6 Client DUID..............: 00-01-00-01-D6-19-05-C4-00-0B-BE-81-0D-D7
Bluetooth Connection:
(FROM PC 3)
C:\>ipconfig /all
FastEthernet0 Connection:(default port)
Connection-specific DNS Suffix..:
Physical Address................: 0060.472C.94D8
Link-local IPv6 Address.........: FE80::260:47FF:FE2C:94D8
IP Address......................: 10.0.0.4
Subnet Mask.....................: 255.255.255.0
Default Gateway.................: 10.0.0.1
DNS Servers.....................: 10.0.0.80
DHCP Servers....................: 10.0.0.1
DHCPv6 Client DUID..............: 00-01-00-01-D9-76-38-6D-00-60-47-2C-94-D8
- configure the attacker machine as a DHCP server
ATTACKER(config)#interface gigabitEthernet 0/0
ATTACKER(config-if)#ip address 192.168.10.1 255.255.255.0
ATTACKER(config-if)#no shutdown
ATTACKER(config-if)#exit
ATTACKER(config)#ip dhcp pool MIB
ATTACKER(dhcp-config)#network 192.168.10.0 255.255.255.0
ATTACKER(dhcp-config)#default-router 192.168.10.1
ATTACKER(dhcp-config)#dns-server 192.168.10.80
ATTACKER(dhcp-config)#exit
ATTACKER(config)#ip dhcp excluded-address 192.168.10.1
ATTACKER(config)#ip dhcp excluded-address 192.168.10.80
ATTACKER(config)#exit
- re-run DHCP on our clients (PCs) by switching from Static back to DHCP, and verify whether the basic information has changed (ipconfig /all)
(FROM PC 1: screenshot of ipconfig /all) ATTACKER GOT PC 1
(FROM PC 2: screenshot of ipconfig /all) ATTACKER GOT PC 2 TOO
(FROM PC 3: screenshot of ipconfig /all) ATTACKER GOT ALL OUR PCs
- now configure our switch to prevent the attacker with DHCP snooping
Because the switch inserts DHCP option 82 into the clients' requests (see the show ip dhcp snooping output below), the router's DHCP server must be told to accept such packets, which is what the final two commands on the router do.
Switch(config)#ip dhcp snooping
Switch(config)#ip dhcp snooping vlan 1
Switch(config)#interface fastEthernet 0/1
Switch(config-if)#ip dhcp snooping trust
Switch(config-if)#exit
Router(config)#ip dhcp relay information trust-all
Router(config)#exit
- after preventing the attack, switch our PC from Static back to DHCP again.
(screenshot: from router 2)
(screenshot: from router 3)
Switch#show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
1
Insertion of option 82 is enabled
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Interface                  Trusted    Rate limit (pps)
-----------------------    -------    ----------------
FastEthernet1/1            no         unlimited
FastEthernet2/1            no         unlimited
FastEthernet3/1            no         unlimited
FastEthernet0/1            yes        unlimited
Switch#show ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  -----------------
00:0B:BE:81:0D:D7   10.0.0.5         86400       dhcp-snooping  1     FastEthernet1/1
00:D0:97:B1:1E:E3   10.0.0.3         86400       dhcp-snooping  1     FastEthernet2/1
00:60:47:2C:94:D8   10.0.0.4         86400       dhcp-snooping  1     FastEthernet3/1
Total number of bindings: 3
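As an added illustration (not part of the original post and not Cisco's implementation), the following Python model replays the decision the switch makes above: DHCP server messages are accepted only on the trusted port FastEthernet0/1, client messages on untrusted ports must carry a chaddr matching the frame's source MAC (the "Verification of hwaddr field" setting), and a binding is recorded when the server's ACK is forwarded. PC 1's MAC and binding come from the output above; the server MACs, the attacker's offered address and the frame sequence are constructed.

```python
from dataclasses import dataclass, field

SERVER_MSGS = {"OFFER", "ACK", "NAK"}      # only a DHCP server sends these
CLIENT_MSGS = {"DISCOVER", "REQUEST"}

@dataclass
class Frame:            # constructed stand-in for a DHCP packet seen by the switch
    port: str           # ingress switch port
    vlan: int
    src_mac: str        # Ethernet source address
    chaddr: str         # client hardware address in the DHCP payload
    msg: str            # DHCP message type
    yiaddr: str = "0.0.0.0"   # address a server offers/assigns
    lease: int = 0

@dataclass
class Snooper:
    trusted: set
    verify_hwaddr: bool = True
    bindings: dict = field(default_factory=dict)     # chaddr -> (ip, lease, vlan, port)
    asked_on: dict = field(default_factory=dict)     # chaddr -> port the client used

    def handle(self, f: Frame) -> str:
        if f.msg in SERVER_MSGS:
            if f.port not in self.trusted:          # rogue server on an access port
                return f"DROP: {f.msg} from untrusted {f.port}"
            if f.msg == "ACK" and f.chaddr in self.asked_on:   # lease granted: record binding
                self.bindings[f.chaddr] = (f.yiaddr, f.lease, f.vlan, self.asked_on[f.chaddr])
            return "FORWARD"
        if f.msg in CLIENT_MSGS:
            if self.verify_hwaddr and f.port not in self.trusted and f.src_mac != f.chaddr:
                return f"DROP: chaddr mismatch on {f.port}"    # 'Verification of hwaddr field'
            self.asked_on[f.chaddr] = f.port
            return "FORWARD"
        return f"DROP: unexpected {f.msg}"

def demo():
    sw = Snooper(trusted={"FastEthernet0/1"})   # Fa0/1 faces the real server, as in the article
    pc1, real, rogue = "00:0B:BE:81:0D:D7", "00:00:0C:AA:AA:AA", "00:00:0C:BB:BB:BB"
    frames = [                                  # real/rogue server MACs are constructed
        Frame("FastEthernet1/1", 1, pc1, pc1, "DISCOVER"),
        Frame("FastEthernet2/1", 1, rogue, pc1, "OFFER", "192.168.10.2", 86400),  # attacker's pool
        Frame("FastEthernet0/1", 1, real, pc1, "OFFER", "10.0.0.5", 86400),
        Frame("FastEthernet1/1", 1, pc1, pc1, "REQUEST"),
        Frame("FastEthernet0/1", 1, real, pc1, "ACK", "10.0.0.5", 86400),
        Frame("FastEthernet3/1", 1, rogue, pc1, "DISCOVER"),   # forged chaddr
    ]
    return [sw.handle(f) for f in frames], sw.bindings
```

Calling demo() returns the per-frame decisions (the rogue OFFER on Fa2/1 and the forged DISCOVER on Fa3/1 are dropped) and a binding table holding the same entry for PC 1 that show ip dhcp snooping binding displays above.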
Very Useful Information!!
Thanks
Great information
Excellent explanation of IP snooping. Thanks a lot.