CAPEC-697: DHCP Spoofing
CAPEC版本: 3.9
更新日期: 2023-01-24
攻击模式描述
执行流程
步骤 1 Explore
[Determine Exsisting DHCP lease] An adversary observes network traffic and waits for an existing DHCP lease to expire on a target machine in the LAN.
- Adversary observes LAN traffic for DHCP solicitations
步骤 2 Experiment
[Capture the DHCP DISCOVER message] The adversary captures "DISCOVER" messages and crafts "OFFER" responses for the identified target MAC address. The success of this attack centers on the capturing of and responding to these "DISCOVER" messages.
- Adversary captures and responds to DHCP "DISCOVER" messages tailored to the target subnet.
步骤 3 Exploit
[Compromise Network Access and Collect Network Activity] An adversary successfully acts as a rogue DHCP server by redirecting legitimate DHCP requests to itself.
- Adversary sends repeated DHCP "REQUEST" messages to quickly lease all the addresses within network's DHCP pool and forcing new DHCP requests to be handled by the rogue DHCP server.
前提条件
- The adversary must have access to a machine within the target LAN which can send DHCP offers to the target.
所需技能
所需资源
- The adversary requires access to a machine within the target LAN on a network which does not secure its DHCP traffic through MAC-Forced Forwarding, port security, etc.
后果影响
影响范围: Confidentiality Access Control
技术影响: Read Data
影响范围: Integrity Access Control
技术影响: Modify Data
影响范围: Availability
技术影响: Resource Consumption
缓解措施
Design: MAC-Forced Forwarding
Implementation: Port Security and DHCP snooping
Implementation: Network-based Intrusion Detection Systems
示例实例
In early 2019, Microsoft patched a critical vulnerability (CVE-2019-0547) in the Windows DHCP client which allowed remote code execution via crafted DHCP OFFER packets. [REF-739]
分类映射
| 分类名称 | 条目ID | 条目名称 |
|---|---|---|
| ATTACK | 1557.003 | Adversary-in-the-Middle: DHCP Spoofing |