WiFi MITM (DHCP Exhaustion) Attack

Hello Again.

I will be using this blog as a knowledge base for myself. I will be posting stuff that I learned about so I can go back and remember it when I need to. One more thing before I start: anything posted in this blog is for educational purposes only and I am not responsible for any malicious usage of the information.

Okay, let's start with a new attack I just read about. It is a new way to do a MITM attack that I think could be used on both WiFi and wired networks. But its WiFi usage is more interesting, so I will explain the attack with the WiFi version in mind.

So a lot of people know about the traditional man in the middle (MITM) attack, which involves ARP poisoning. For those who don't know about it, you can google it and you'll find lots of resources that explain it better than I will. I might explain it in another post later, but I won't promise to do so :). Okay, back to the subject at hand. Let's say you are in a cafe where there is a WiFi network. You connect to the WiFi network and everything is great. Now let's say that you want to do a MITM attack without overloading the network with ARP requests (which is not the best thing to do on WiFi networks). One way to do it is the new attack I want to write about today, "DHCP Server Exhaustion". It might not really be a new attack, but I just learned about it.

So what is a DHCP server? The DHCP server is the component in the router that hands out IP addresses to new machines joining the network. What happens is that when you connect your machine to the WiFi network, in the cafe we were talking about, your machine sends out a broadcast saying that it needs an IP. The DHCP server replies with a free IP for your machine to use, and it also replies with the default gateway IP, subnet mask and DNS server IP.

So back to our story. You're connected to the WiFi network and you launch a script that keeps broadcasting these DHCP requests asking for an IP, each with a different, spoofed, MAC address. This goes on until the DHCP server runs out of IPs. Usually a network such as the one in the cafe we are talking about will have 255 IPs: one IP used for the gateway, which is the router, one used for broadcast and one for your machine. Then you will have only 252 IPs to request until you exhaust the DHCP server. What happens if you exhaust the DHCP server and another machine joins the network and does a broadcast asking for a new IP? Nothing. The DHCP server doesn't reply, not even to say that there are no IPs left. This is interesting because now you can start your own DHCP server on your machine and set it to hand out an IP with the gateway being your machine and the DNS server also being your machine. So now the victim thinks that he is connected to the network and everything looks normal. But it's not: you are now in the middle between the victim and the internet. The MITM attack was achieved without bombarding the network with ARP requests, and even if there is a tool watching for ARP poisoning on the network, it won't notice the attack.

So what if the victim already acquired an IP before I joined the network and started my attack? Well, since you are on a WiFi network you can do a de-authentication attack, where you disconnect all the clients from the WiFi network and force them to rejoin and resend the DHCP broadcast packet.

Notice that you need to set up routing on your machine so that when the victim requests google.com you can forward the request and return the response back to the victim without him noticing. All the requests from the victim are routed through you, so you can do lots of stuff, from sniffing credentials to browser exploitation.
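From the defender's side, the attack described above leaves two signals on the network: a burst of DHCP DISCOVERs from many distinct client MACs (the exhaustion phase) and DHCP OFFERs coming from a server address that is not the router's (the rogue server phase). The following detector is an added example, not code from the original post; the event format, the sample events and the authorized server address 192.168.1.1 are all constructed assumptions.

```python
# Added example (not from the original post): flag the two on-wire signals of a
# DHCP exhaustion + rogue DHCP server attack. Event format and data are constructed.
from collections import deque

AUTHORIZED_DHCP_SERVERS = {"192.168.1.1"}  # assumed: the cafe router's address


def constructed_events():
    """Synthetic DHCP events as (time_s, msg_type, client_mac, server_ip)."""
    ev = [(10.0, "DISCOVER", "aa:bb:cc:00:00:01", None),
          (10.2, "OFFER", "aa:bb:cc:00:00:01", "192.168.1.1")]
    # Burst of DISCOVERs from 40 distinct client MACs within four seconds.
    for i in range(40):
        ev.append((50.0 + i * 0.1, "DISCOVER", f"02:00:00:00:00:{i:02x}", None))
    # After the pool is exhausted, a new client is answered by a second server.
    ev.append((60.0, "DISCOVER", "aa:bb:cc:00:00:09", None))
    ev.append((60.3, "OFFER", "aa:bb:cc:00:00:09", "192.168.1.77"))
    return ev


def detect_starvation(events, window_s=5.0, threshold=25):
    """Return the times at which at least `threshold` distinct client MACs sent
    a DISCOVER within the trailing `window_s` seconds. Normal client churn on
    a small network stays far below such a rate."""
    recent = deque()  # (time, mac) of DISCOVERs still inside the window
    alerts = []
    for t, kind, mac, _ in sorted(events, key=lambda e: e[0]):
        if kind != "DISCOVER":
            continue
        recent.append((t, mac))
        while recent and t - recent[0][0] > window_s:
            recent.popleft()
        if len({m for _, m in recent}) >= threshold:
            alerts.append(t)
    return alerts


def detect_rogue_offers(events, authorized=AUTHORIZED_DHCP_SERVERS):
    """Return (time, server_ip) for every OFFER not sent by an authorized server."""
    return [(t, srv) for t, kind, _, srv in events
            if kind == "OFFER" and srv not in authorized]
```

On a real network the events would come from a DHCP server log or a packet capture; DHCP snooping on the switch or access point, which drops OFFERs from untrusted ports, removes the rogue server phase entirely.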

I know that the description is not the best and some of my info might not be totally correct, but I think you get the idea. Are there any tools to do what I described? Yes, but I didn't try them. When I do, I might write another post about how to use the tools to do the attack.

~ by husseink on March 10, 2010.
