Vulnerability Development mailing list archives

Re: DHCP man in the middle attack


From: Andrew <notfrombill () gates com>
Date: Fri, 4 Oct 2002 12:42:45 +0200 (SAST)

Apologies for the long delay on this almost-dead thread ...

At 12:02am Sep 21 root () networkpenetration com wrote:

//snip
A couple of problems with the man in the middle attack
------------------------------------------------------
//snip
Another problem with the attack is that it would only be a one
way attack as the default gateway assigned by the rogue DHCP
server is not the real default gateway. The fake gateway would
need to sniff the packets and rewrite the MAC layer to enable
the packets to be sent to the correct default gateway. The
problem would occur with packets being sent from the correct
default gateway back to the attacked machine as the packets
would not pass through the rogue gateway, thus can not be
sniffed. This basically means that all outgoing traffic can be
sniffed and all incoming traffic can't.

A full man in the middle attack can be established using
programs such as Dsniff and Ettercap which both utilise ARP
poisoning to establish the man in the middle attack.
//snip

How about: In order to obtain incoming and outgoing traffic, the
fake gateway assigns the victim an IP address on an unused
private subnet, and NATs the traffic to and from the victim.

 #! /untested/code
 DHCPASSIGNED=192.168.155.3  # What the real DHCP server assigned
 PRIVIP=172.16.155.3         # What the fake server assigned
 # Replies addressed to the real lease are rewritten to the fake one ...
 iptables -t nat -A PREROUTING -d $DHCPASSIGNED -j DNAT --to $PRIVIP
 # ... and outgoing packets from the fake lease appear to come from the real one
 iptables -t nat -A POSTROUTING -s $PRIVIP -j SNAT --to $DHCPASSIGNED

(Alternatively, the fake gateway could advertise its route to the
victim via RIP for a neater exploit .. I think.)

&:-)

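As an added illustration of the defender's side (this is not code from the thread or from either poster): a small Python checker that parses a DHCPOFFER and flags the symptoms of the rogue server discussed above, namely an offer from a server identifier that is not on the allowlist, a router option pointing somewhere other than the real gateway, or an offered address outside the expected subnet. The allowlist addresses, the expected prefix and the sample packets are constructed assumptions.

```python
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"             # RFC 2132 cookie after the BOOTP header
OPT_ROUTER, OPT_MSG_TYPE, OPT_SERVER_ID = 3, 53, 54
DHCPOFFER = 2
AUTHORIZED_SERVERS = {"192.168.155.1"}          # constructed allowlist for the post's network
AUTHORIZED_ROUTERS = {"192.168.155.1"}          # the one real default gateway (assumed)
EXPECTED_PREFIX = "192.168.155."                # leases should come from this subnet (assumed)

def parse_options(data):
    """Decode the TLV option field into {code: raw value}."""
    opts, i = {}, 0
    while i < len(data) and data[i] != 255:     # 255 = end marker
        if data[i] == 0:                        # 0 = pad, carries no length byte
            i += 1
            continue
        ln = data[i + 1]
        opts[data[i]] = data[i + 2:i + 2 + ln]
        i += 2 + ln
    return opts

def check_offer(pkt):
    """Return alert strings for a raw DHCP payload; [] if the offer looks legitimate."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    opts = parse_options(pkt[240:])
    if opts.get(OPT_MSG_TYPE) != bytes([DHCPOFFER]):
        return []                               # only offers are judged here
    yiaddr = socket.inet_ntoa(pkt[16:20])       # address the server hands out
    server = socket.inet_ntoa(opts.get(OPT_SERVER_ID, b"\0\0\0\0"))
    r = opts.get(OPT_ROUTER, b"")
    routers = [socket.inet_ntoa(r[j:j + 4]) for j in range(0, len(r) - 3, 4)]
    alerts = []
    if server not in AUTHORIZED_SERVERS:
        alerts.append(f"unauthorized DHCP server {server}")
    alerts += [f"unauthorized gateway {rt}" for rt in routers if rt not in AUTHORIZED_ROUTERS]
    if not yiaddr.startswith(EXPECTED_PREFIX):
        alerts.append(f"offered address {yiaddr} outside expected subnet")
    return alerts

def build_offer(yiaddr, server, router):
    """Constructed sample DHCPOFFER (not a capture): BOOTP header + options."""
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, 0x3903F326, 0, 0)   # op, htype, hlen, hops, xid, secs, flags
    hdr += b"\0" * 4 + socket.inet_aton(yiaddr) + b"\0" * 8        # ciaddr, yiaddr, siaddr, giaddr
    hdr += b"\0" * 16 + b"\0" * 192                                # chaddr, sname, file
    opts = bytes([OPT_MSG_TYPE, 1, DHCPOFFER, OPT_SERVER_ID, 4]) + socket.inet_aton(server)
    opts += bytes([OPT_ROUTER, 4]) + socket.inet_aton(router) + b"\xff"
    return hdr + MAGIC_COOKIE + opts
```

A fake server handing out a 172.16.x.x lease with itself as the gateway, as in the NAT trick above, trips all three checks; the legitimate offer trips none.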
