CAPEC-697

DHCP Spoofing
Low
High
Stable
2022-09-29 00:00 +00:00

CAPEC Description

An adversary masquerades as a legitimate Dynamic Host Configuration Protocol (DHCP) server by spoofing DHCP traffic, with the goal of redirecting network traffic or denying service to DHCP.

CAPEC Information

Execution Flow

1) Explore

[Determine Existing DHCP lease] An adversary observes network traffic and waits for an existing DHCP lease to expire on a target machine in the LAN.

Technique
  • Adversary observes LAN traffic for DHCP solicitations

2) Experiment

[Capture the DHCP DISCOVER message] The adversary captures "DISCOVER" messages and crafts "OFFER" responses for the identified target MAC address. The success of this attack centers on the capturing of and responding to these "DISCOVER" messages.

Technique
  • Adversary captures and responds to DHCP "DISCOVER" messages tailored to the target subnet.

3) Exploit

[Compromise Network Access and Collect Network Activity] An adversary successfully acts as a rogue DHCP server by redirecting legitimate DHCP requests to itself.

Technique
  • Adversary sends repeated DHCP "REQUEST" messages to quickly lease all the addresses within the network's DHCP pool, forcing new DHCP requests to be handled by the rogue DHCP server.

Prerequisites

The adversary must have access to a machine within the target LAN which can send DHCP offers to the target.

Skills Required

The adversary must identify potential targets for DHCP Spoofing and craft network configurations to obtain the desired results.

Resources Required

The adversary requires access to a machine within the target LAN on a network which does not secure its DHCP traffic through MAC-Forced Forwarding, port security, etc.

Mitigations

Design: MAC-Forced Forwarding
Implementation: Port Security and DHCP snooping
Implementation: Network-based Intrusion Detection Systems
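As an added illustration of the network-based detection mitigation listed above (example code written for this page, not MITRE's or any IDS product's code): a small Python detector that parses DHCP messages and flags OFFERs whose server identifier (option 54) is not on an operator-maintained allowlist, which is the same trust decision DHCP snooping makes per switch port. The allowlist address 192.0.2.1 and the sample OFFER packets built by build_offer are constructed assumptions.

```python
import struct
from ipaddress import IPv4Address

MAGIC = b"\x63\x82\x53\x63"   # DHCP magic cookie that follows the 236-byte BOOTP header
OFFER = 2                     # DHCP message type value for DHCPOFFER (option 53)
# Assumption: the only DHCP server the operator has authorised on this LAN.
AUTHORIZED_SERVERS = {IPv4Address("192.0.2.1")}

def parse_dhcp(payload: bytes) -> dict:
    """Parse the fixed BOOTP header and the TLV option list of a DHCP message."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    op, _htype, hlen = struct.unpack("!BBB", payload[:3])
    xid = struct.unpack("!I", payload[4:8])[0]
    yiaddr = IPv4Address(payload[16:20])          # address being offered/assigned
    chaddr = payload[28:28 + hlen].hex(":")        # client hardware (MAC) address
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 255:        # end-of-options marker
            break
        if code == 0:          # pad byte, no length field
            i += 1
            continue
        length = payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "xid": xid, "yiaddr": yiaddr, "chaddr": chaddr, "options": opts}

def is_rogue_offer(payload: bytes, authorized=AUTHORIZED_SERVERS) -> bool:
    """True when the message is a DHCPOFFER whose server identifier is not authorised."""
    msg = parse_dhcp(payload)
    if msg["options"].get(53) != bytes([OFFER]):
        return False                               # only OFFERs are judged here
    sid = msg["options"].get(54)
    if sid is None or len(sid) != 4:
        return True                                # an OFFER with no valid server id is suspect
    return IPv4Address(sid) not in authorized

def build_offer(server_ip: str, offered_ip: str, mac: bytes, xid: int = 0x3903F326) -> bytes:
    """Constructed sample DHCPOFFER (op=2, BOOTREPLY) used to exercise the detector offline."""
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, xid, 0, 0)   # op, htype, hlen, hops, xid, secs, flags
    hdr += bytes(4) + IPv4Address(offered_ip).packed + bytes(8)   # ciaddr, yiaddr, siaddr, giaddr
    hdr += mac.ljust(16, b"\x00") + bytes(64) + bytes(128) + MAGIC  # chaddr, sname, file, cookie
    opts = bytes([53, 1, OFFER, 54, 4]) + IPv4Address(server_ip).packed + bytes([255])
    return hdr + opts

if __name__ == "__main__":
    mac = bytes.fromhex("001122334455")
    for src in ("192.0.2.1", "192.0.2.99"):
        print(src, "ROGUE" if is_rogue_offer(build_offer(src, "192.0.2.50", mac)) else "ok")
```

In a live deployment the payload would come from a capture of UDP port 68 traffic, and a flagged OFFER would be logged together with the source MAC and switch port so the rogue host can be isolated.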

Related Weaknesses

CWE-923: Improper Restriction of Communication Channel to Intended Endpoints
The product establishes a communication channel to (or from) an endpoint for privileged or protected operations, but it does not properly ensure that it is communicating with the correct endpoint.


Submission

Submitted by: CAPEC Content Team, The MITRE Corporation, 2022-09-29 +00:00