Episode 702 – DHCP Exhaustion and DNS Man-in-the-Middle
With a mixture of in-studio and on location in Dublin this week we’re talking to Robin Wood about DHCP Exhaustion and DNS Man-in-the-Middle attacks, talking Metasploit modules and a Pineapple Monkey half-breed.
Download HD Download MP4 Download XviD Download WMV
DHCP Exhaustion and DNS Man-in-the-Middle Attacks
Rather than your typical ARP based Man-In-The-Middle attack, Robin wood brings us two metasploit modules for both denial of service attacking a DHCP server and deploying a rogue DHCP server of your own with a DNS MiTM to boot. Check out the Metasploit DNS and DHCP Exhaustion – BETA at Digininja.org.
The JasagerInterceptor – a Pineapple Monkey mashup
This week we take a look within the community and highlight some of the awesome work done by Beakmyn. In an answer to Deathray’s thread on a Jasager with a network tap like the Interceptor, he brings you just such project. Behold the JasagerInterceptor. I’ve seen it with my own eyes at Shmoocon and I must say it’s a nifty bit of kit.
DHCP Exhaustion, loving it. I see it also being us full on your own network of you want to make 100% sure that no rogue device shows up, nab all the IPs for yourself so nobody is able to connect!(cant help but think I’m stating the obvious here lol) Great episode as always, wish you could have come down south of UK Darren!
Peace
What, no mention of how to help prevent against this type of attack??
1. Shorten your DHCP lease times. DHCP clients issue a DHCPREQUEST to renew their lease prior to the end of the lease. I believe most clients wait until the lease is 1/2 over to issue the first DHCPREQUEST.
2. Watch your network for rogue DHCP servers. If someone else is issuing DHCPOFFER packets you can monitor this using your IDS/IPS and take action.
3. Segment your network and only allow DHCPREQUEST traffic to be relayed to your DHCP server.
Or as soupman said, take all the ip’s for yourself. Also on my router (Netgear) you can restrict the range of ip’s it will hand out, so if i only have say 2 pc’s i need wireless with, i can change it from 192.168.0.1-192.168.0.254 to 192.168.0.1-192.168.0.3.
btw, check out the latest NASA “live” server vulnerabilities at pinoysecurity.blogspot.com just don’t deface them ok?
Whats with all the voting people down? Not cool :/
Heaven forbid some people have differences in opinions