Hello Guys,
I'm writing a multi-purpose network exploitation tool and I'm towards the end. One of the functions my tool does is DHCP Exhaustion, which works great on my network at work (2k3 DHCP Server). But when I try to use it on my laptop connected to wifi somewhere (house, or Android phone), the router doesn't respond to the DHCP Discovers.
The program generates a random MAC Address for each DHCP Discover packet it sends out. I'm starting to think the generated MAC might have to be authenticated against the router before it will respond to it.
I have included a text representation of a DHCP Discover packet sent from my program at the bottom. I don't know how well it's going to be formatted in this post, but hopefully it will be readable. I tried to just attach it as a txt file, but apparently txt files are too dangerous for me to upload. lol
Any Ideas?
Thanks,
No. Time Source Destination Protocol Info
22 2.360908 0.0.0.0 255.255.255.255 DHCP DHCP Discover - Transaction ID 0x502100d
Frame 22: 331 bytes on wire (2648 bits), 331 bytes captured (2648 bits)
Arrival Time: Jan 6, 2011 08:43:29.343771000 EST
Epoch Time: 1294321409.343771000 seconds
[Time delta from previous captured frame: 0.124144000 seconds]
[Time delta from previous displayed frame: 0.000000000 seconds]
[Time since reference or first frame: 2.360908000 seconds]
Frame Number: 22
Frame Length: 331 bytes (2648 bits)
Capture Length: 331 bytes (2648 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ip:udp:bootp]
[Coloring Rule Name: UDP]
[Coloring Rule String: udp]
Ethernet II, Src: 25:91:80:72:09:49 (25:91:80:72:09:49), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Destination: Broadcast (ff:ff:ff:ff:ff:ff)
Address: Broadcast (ff:ff:ff:ff:ff:ff)
.... ...1 .... .... .... .... = IG bit: Group address (multicast/broadcast)
.... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
Source: 25:91:80:72:09:49 (25:91:80:72:09:49)
Address: 25:91:80:72:09:49 (25:91:80:72:09:49)
.... ...1 .... .... .... .... = IG bit: Group address (multicast/broadcast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Type: IP (0x0800)
Internet Protocol, Src: 0.0.0.0 (0.0.0.0), Dst: 255.255.255.255 (255.255.255.255)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x10 (DSCP 0x04: Unknown DSCP; ECN: 0x00)
0001 00.. = Differentiated Services Codepoint: Unknown (0x04)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 317
Identification: 0x0000 (0)
Flags: 0x00
0... .... = Reserved bit: Not set
.0.. .... = Don't fragment: Not set
..0. .... = More fragments: Not set
Fragment offset: 0
Time to live: 128
Protocol: UDP (17)
Header checksum: 0x39a1 [correct]
[Good: True]
[bad: False]
Source: 0.0.0.0 (0.0.0.0)
Destination: 255.255.255.255 (255.255.255.255)
User Datagram Protocol, Src Port: bootpc (68), Dst Port: bootps (67)
Source port: bootpc (68)
Destination port: bootps (67)
Length: 297
Checksum: 0xd6d8 [validation disabled]
[Good Checksum: False]
[bad Checksum: False]
Bootstrap Protocol
Message type: Boot Request (1)
Hardware type: Ethernet
Hardware address length: 6
Hops: 0
Transaction ID: 0x0502100d
Seconds elapsed: 0
Bootp flags: 0x8000 (Broadcast)
1... .... .... .... = Broadcast flag: Broadcast
.000 0000 0000 0000 = Reserved flags: 0x0000
Client IP address: 0.0.0.0 (0.0.0.0)
Your (client) IP address: 0.0.0.0 (0.0.0.0)
Next server IP address: 0.0.0.0 (0.0.0.0)
Relay agent IP address: 0.0.0.0 (0.0.0.0)
Client MAC address: 25:91:80:72:09:49 (25:91:80:72:09:49)
Client hardware address padding: 00000000000000000000
Server host name not given
Boot file name not given
Magic cookie: DHCP
Option: (t=53,l=1) DHCP Message Type = DHCP Discover
Option: (53) DHCP Message Type
Length: 1
Value: 01
Option: (t=116,l=1) DHCP Auto-Configuration = AutoConfigure
Option: (116) DHCP Auto-Configuration
Length: 1
Value: 01
Option: (t=61,l=7) Client identifier
Option: (61) Client identifier
Length: 7
Value: 01259180720949
Hardware type: Ethernet
Client MAC address: 25:91:80:72:09:49 (25:91:80:72:09:49)
Option: (t=12,l=4) Host Name = "Howl"
Option: (12) Host Name
Length: 4
Value: 486f776c
Option: (t=60,l=8) Vendor class identifier = "ISFT 5.0"
Option: (60) Vendor class identifier
Length: 8
Value: 4953465420352e30
Option: (t=55,l=11) Parameter Request List
Option: (55) Parameter Request List
Length: 11
Value: 010f03062c2e2f1f21f92b
1 = Subnet Mask
15 = Domain Name
3 = Router
6 = Domain Name Server
44 = NetBIOS over TCP/IP Name Server
46 = NetBIOS over TCP/IP Node Type
47 = NetBIOS over TCP/IP Scope
31 = Perform Router Discover
33 = Static Route
249 = Private/Classless Static Route (Microsoft)
43 = Vendor-Specific Information
Option: (t=43,l=2) Vendor-Specific Information
Option: (43) Vendor-Specific Information
Length: 2
Value: dc00
End Option
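From the defender's side, the pattern in this post (a burst of DHCP Discovers, each from a different client MAC) is what a DHCP starvation detector looks for. The following added example is not part of the original post or the poster's tool; it parses ISC dhcpd-style syslog lines (the sample lines are constructed, the hostname dhcp1 and interfaces are made up) and alerts when more than a threshold of distinct client MACs send Discovers on one interface inside a sliding window.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample syslog lines in ISC dhcpd's "DHCPDISCOVER from <mac> via <iface>"
# format: a burst from many different MACs on eth0, one ordinary client on eth1.
SAMPLE_LOG = """\
Jan  6 08:43:29 dhcp1 dhcpd: DHCPDISCOVER from 25:91:80:72:09:49 via eth0
Jan  6 08:43:29 dhcp1 dhcpd: DHCPDISCOVER from 3a:10:77:02:c1:9e via eth0
Jan  6 08:43:30 dhcp1 dhcpd: DHCPDISCOVER from 9c:4e:12:aa:05:31 via eth0
Jan  6 08:43:30 dhcp1 dhcpd: DHCPDISCOVER from 00:1c:42:9f:66:0b via eth1
Jan  6 08:43:31 dhcp1 dhcpd: DHCPDISCOVER from 6e:22:b0:4d:77:e8 via eth0
Jan  6 08:43:31 dhcp1 dhcpd: DHCPDISCOVER from 12:f0:3c:58:9a:d2 via eth0
Jan  6 08:43:32 dhcp1 dhcpd: DHCPDISCOVER from 00:1c:42:9f:66:0b via eth1
Jan  6 08:43:45 dhcp1 dhcpd: DHCPDISCOVER from b4:07:19:e3:2c:50 via eth0
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ dhcpd: "
    r"DHCPDISCOVER from (?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}) via (?P<iface>\S+)"
)


def parse_discovers(text, year=2011):
    """Return [(epoch_seconds, mac, iface)] for each DHCPDISCOVER line; other lines are skipped.
    Syslog lines carry no year, so one is supplied (assumed, as in the post's capture)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        stamp = " ".join(m["ts"].split())  # collapse the double space in "Jan  6"
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S").timestamp()
        events.append((ts, m["mac"].lower(), m["iface"]))
    return events


def detect_starvation(events, window_s=10, threshold=5):
    """Per interface, keep the Discovers seen in the last `window_s` seconds and alert once per
    burst when the number of distinct client MACs in that window reaches `threshold`."""
    recent = defaultdict(deque)  # iface -> deque of (ts, mac) still inside the window
    alerts, alerted = [], set()
    for ts, mac, iface in sorted(events):
        q = recent[iface]
        q.append((ts, mac))
        while q and ts - q[0][0] > window_s:
            q.popleft()
        distinct = {m for _, m in q}
        if len(distinct) >= threshold and iface not in alerted:
            alerts.append({"iface": iface, "distinct_macs": len(distinct), "at": ts})
            alerted.add(iface)
        elif len(distinct) < threshold:
            alerted.discard(iface)  # burst is over; a new one may alert again
    return alerts


if __name__ == "__main__":
    for a in detect_starvation(parse_discovers(SAMPLE_LOG)):
        print(f"possible DHCP starvation on {a['iface']}: {a['distinct_macs']} client MACs in window")
```

Tune `window_s` and `threshold` to the interface's normal join rate; a lobby access point after a meeting break legitimately sees many new MACs, a point-to-point uplink sees almost none.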