Vulnerability Development mailing list archives
Re: DHCP man in the middle attack
From: Andrew <notfrombill () gates com>
Date: Fri, 4 Oct 2002 12:42:45 +0200 (SAST)
Apologies for the long delay on this almost-dead thread ...

At 12:02am Sep 21 root () networkpenetration com wrote:

//snip

A couple of problems with the man in the middle attack
------------------------------------------------------
//snip
Another problem with the attack is that it would only be a one-way attack, as the default gateway assigned by the rogue DHCP server is not the real default gateway. The fake gateway would need to sniff the packets and rewrite the MAC layer to enable the packets to be sent to the correct default gateway. The problem would occur with packets being sent from the correct default gateway back to the attacked machine, as the packets would not pass through the rogue gateway and thus cannot be sniffed. This basically means that all outgoing traffic can be sniffed and all incoming traffic can't. A full man in the middle attack can be established using programs such as Dsniff and Ettercap, which both utilise ARP poisoning to establish the man in the middle attack.
//snip

How about: In order to obtain incoming and outgoing traffic, the fake gateway assigns the victim an IP address on an unused private subnet, and NATs the traffic to and from the victim.

    #! /untested/code
    DHCPASSIGNED=192.168.155.3   # What the real DHCP server assigned
    PRIVIP=172.16.155.3          # What the fake server assigned
    iptables -t nat -A PREROUTING  -d $DHCPASSIGNED -j DNAT --to $PRIVIP
    iptables -t nat -A POSTROUTING -s $PRIVIP -j SNAT --to $DHCPASSIGNED

(Alternatively, the fake gateway could advertise its route to the victim via RIP for a neater exploit .. I think.)

&:-)
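A defender's-side counterpart, added here and not part of Andrew's post: a small checker that parses a DHCPOFFER and flags the symptoms of the rogue server described in this thread (an unknown server identifier, an unexpected default gateway, a lease outside the expected subnet). The lease addresses come from the post; the trusted server/gateway 192.168.155.1 and the rogue host 172.16.155.1 are assumptions, and the packets are constructed test data.

```python
import ipaddress
import struct

MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie that follows the 236-byte BOOTP header
def build_offer(yiaddr, router, server_id):
    """Build a minimal DHCPOFFER (constructed test data, not a capture)."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s192s", 2, 1, 6, 0, 0x1234, 0, 0, b"\0" * 4,
                      ipaddress.ip_address(yiaddr).packed, b"\0" * 4, b"\0" * 4,
                      b"\0" * 16, b"\0" * 192)
    opts = (bytes([53, 1, 2])                                            # option 53: OFFER
            + bytes([3, 4]) + ipaddress.ip_address(router).packed        # option 3: router
            + bytes([54, 4]) + ipaddress.ip_address(server_id).packed    # option 54: server id
            + b"\xff")                                                   # end option
    return hdr + MAGIC + opts

def parse_options(pkt):
    """Return {code: value} for the RFC 2132 TLV options of a BOOTP/DHCP packet."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 255:            # 255 = end
        if pkt[i] == 0:                              # 0 = single-byte pad
            i += 1
            continue
        length = pkt[i + 1]
        opts[pkt[i]] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def audit_offer(pkt, trusted_servers, trusted_gateways, expected_subnet):
    """List the ways an OFFER deviates from policy; an empty list means it conforms."""
    opts = parse_options(pkt)
    if opts.get(53) != b"\x02":
        return ["not a DHCPOFFER"]
    server = str(ipaddress.ip_address(opts.get(54, b"\0" * 4)))
    router = str(ipaddress.ip_address(opts.get(3, b"\0" * 4)[:4]))     # first router only
    lease = ipaddress.ip_address(pkt[16:20])                           # yiaddr field
    findings = []
    if server not in trusted_servers:
        findings.append(f"offer from unknown DHCP server {server}")
    if router not in trusted_gateways:
        findings.append(f"unexpected default gateway {router}")
    if lease not in ipaddress.ip_network(expected_subnet):
        findings.append(f"lease {lease} outside expected subnet {expected_subnet}")
    return findings

TRUSTED_SERVERS = TRUSTED_GATEWAYS = {"192.168.155.1"}  # assumed real server/gateway
EXPECTED_SUBNET = "192.168.155.0/24"                    # subnet of the post's real lease
LEGIT_OFFER = build_offer("192.168.155.3", "192.168.155.1", "192.168.155.1")
ROGUE_OFFER = build_offer("172.16.155.3", "172.16.155.1", "172.16.155.1")  # rogue host assumed at .1
```

On a live network the same check can be fed the UDP payload of every packet seen arriving at client port 68, so an OFFER from anything but the authorised server is flagged before the client takes the lease.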