CAPEC-697: DHCP Spoofing
An adversary masquerades as a legitimate Dynamic Host Configuration Protocol (DHCP) server by spoofing DHCP traffic, with the goal of redirecting network traffic or denying service to DHCP.
Last updated
Overview
DHCP is broadcast to the entire Local Area Network (LAN) and does not have any form of authentication by default. Therefore, it is susceptible to spoofing. An adversary with access to the target LAN can receive DHCP messages; obtaining the topology information required to potentially manipulate other hosts' network configurations. To improve the likelihood of the DHCP request being serviced by the Rogue server, an adversary can first starve the DHCP pool.
How the attack works
The phases an attacker typically follows to carry out this attack.
- Step 1Explore
[Determine Exsisting DHCP lease] An adversary observes network traffic and waits for an existing DHCP lease to expire on a target machine in the LAN.
- Adversary observes LAN traffic for DHCP solicitations
- Step 2Experiment
[Capture the DHCP DISCOVER message] The adversary captures "DISCOVER" messages and crafts "OFFER" responses for the identified target MAC address. The success of this attack centers on the capturing of and responding to these "DISCOVER" messages.
- Adversary captures and responds to DHCP "DISCOVER" messages tailored to the target subnet.
- Step 3Exploit
[Compromise Network Access and Collect Network Activity] An adversary successfully acts as a rogue DHCP server by redirecting legitimate DHCP requests to itself.
- Adversary sends repeated DHCP "REQUEST" messages to quickly lease all the addresses within network's DHCP pool and forcing new DHCP requests to be handled by the rogue DHCP server.
What the attacker needs
Prerequisites
- The adversary must have access to a machine within the target LAN which can send DHCP offers to the target.
Skills required
- Medium skill: The adversary must identify potential targets for DHCP Spoofing and craft network configurations to obtain the desired results.
Resources required
- The adversary requires access to a machine within the target LAN on a network which does not secure its DHCP traffic through MAC-Forced Forwarding, port security, etc.
Consequences
What a successful CAPEC-697 attack can achieve.
Read Data
Affects: Confidentiality, Access Control
Modify Data, Execute Unauthorized Commands
Affects: Integrity, Access Control
Resource Consumption
Affects: Availability
How to mitigate it
Defenses that reduce the risk of CAPEC-697.
- Design: MAC-Forced Forwarding
- Implementation: Port Security and DHCP snooping
- Implementation: Network-based Intrusion Detection Systems
Examples
In early 2019, Microsoft patched a critical vulnerability (CVE-2019-0547) in the Windows DHCP client which allowed remote code execution via crafted DHCP OFFER packets. [REF-739]
Terminology & mappings
Mapped taxonomies
- ATTACK: Adversary-in-the-Middle: DHCP Spoofing (1557.003)
Frequently asked questions
Common questions about CAPEC-697.
- What is CAPEC-697?
- An adversary masquerades as a legitimate Dynamic Host Configuration Protocol (DHCP) server by spoofing DHCP traffic, with the goal of redirecting network traffic or denying service to DHCP.
- How does a DHCP Spoofing attack work?
- It typically unfolds over 3 phases. It begins with: [Determine Exsisting DHCP lease] An adversary observes network traffic and waits for an existing DHCP lease to expire on a target machine in the LAN.
- How do you prevent CAPEC-697?
- Design: MAC-Forced Forwarding
- What weaknesses does CAPEC-697 target?
- CAPEC-697 exploits 1 CWE weakness, including CWE-923 (Improper Restriction of Communication Channel to Intended Endpoints).
- How severe is CAPEC-697?
- MITRE rates CAPEC-697 as High severity with low likelihood of attack.
References
Attack-pattern data is sourced from the MITRE CAPEC catalog (v3.9). Weakness associations link to the corresponding CWE entries on RadicalNotion.AI.
Defend against CAPEC-697
Track the CVEs and weaknesses attackers exploit with this technique, with AI-written analysis and remediation guidance.