digininja (Author), Posted May 3, 2010
I've just patched this all up and it now works in Ruby 1.9.x, woo! Grab the latest version from http://www.digininja.org/metasploit/dns_dhcp.php or hang on for a short while and the pair of modules will be added to the Metasploit SVN tree.
digininja (Author), Posted May 9, 2010
Forgot to post here, I re-released these modules with fixes so they work with Ruby 1.9 and no longer require a RHOST to be set. Grab them from my site http://www.digininja.org/metasploit/dns_dhcp.php
digininja (Author), Posted May 9, 2010
Weird, why didn't my last post show up when I searched a minute ago, oh well, you got the post twice! It isn't likely to be hitting the Metasploit SVN any time soon due to license issues with the dhcp module I used, GPLv3 is incompatible with BSD.
joker, Posted May 12, 2010

    [*] WARNING! The following modules could not be loaded!
    /pentest/exploits/framework3/modules/auxiliary/digininja/dhcp_exhaustion/exhaust.rb:
    /pentest/exploits/framework3/modules/auxiliary/digininja/dhcp_exhaustion/exhaust.rb: MissingSourceFile /usr/lib/ruby/1.8/rubygems/custom_require.rb:27:in `gem_original_require': no such file to load -- lib/dhcp

    [metasploit ASCII-art banner]

           =[ metasploit v3.4.0-dev [core:3.4 api:1.0]
    + -- --=[ 550 exploits - 263 auxiliary
    + -- --=[ 208 payloads - 23 encoders - 8 nops
           =[ svn r9286 updated today (2010.05.11)
petros429, Posted May 28, 2010
Hi - I have been using/testing your dhcp exploit and was running into a snag that I hope you could help with. At the end of the module exhausting the IP addresses I never get a timeout/you win message. Am I missing something in the configuration? As extra info I am running this module in BT4 and tested this against a win2k3 server and a Linux server with the same results. All three operating systems are within a VMware environment.
c0cac00l, Posted June 4, 2010
I'm having some problems, could you help me please?

    [*] The Pcaprub module is not available: no such file to load -- pcaprub
    [*] Error: Pcaprub not available
    (eval):185:in `run'
    /opt/metasploit3/msf3/lib/msf/base/simple/auxiliary.rb:93:in `job_run_proc'
    /opt/metasploit3/msf3/lib/msf/base/simple/auxiliary.rb:73:in `run_simple'
    /opt/metasploit3/msf3/lib/msf/base/simple/auxiliary.rb:82:in `run_simple'
    /opt/metasploit3/msf3/lib/msf/ui/console/command_dispatcher/auxiliary.rb:143:in `cmd_run'
    /opt/metasploit3/msf3/lib/rex/ui/text/dispatcher_shell.rb:239:in `send'
    /opt/metasploit3/msf3/lib/rex/ui/text/dispatcher_shell.rb:239:in `run_command'
    /opt/metasploit3/msf3/lib/rex/ui/text/dispatcher_shell.rb:201:in `run_single'
    /opt/metasploit3/msf3/lib/rex/ui/text/dispatcher_shell.rb:195:in `each'
    /opt/metasploit3/msf3/lib/rex/ui/text/dispatcher_shell.rb:195:in `run_single'
    /opt/metasploit3/msf3/lib/rex/ui/text/shell.rb:144:in `run'
    ./msfconsole:92

I use Ubuntu 10.04, with fluxbox. I don't know why this keeps giving errors.
digininja (Author), Posted June 4, 2010
Exactly as the error message says

    [*] Error: Pcaprub not available

You need to install pcaprub from the externals directory.
c0cac00l, Posted June 5, 2010
> Exactly as the error message says
> [*] Error: Pcaprub not available
> You need to install pcaprub from the externals directory.

It's working perfectly!!!! Thanks a lot !!!!! you are awesome!
c0cac00l, Posted June 5, 2010
Just one more question. Is this normal?

    --------------------
    nil opt_class please further investigate!! 66
    --------------------
digininja (Author), Posted June 5, 2010
I've just had a dig through the DHCP library I'm using and it looks like all it is is that your DHCP server is sending a field type it doesn't know about. The DHCP server can send all sorts of information on top of the IP address such as NTP server and things like that. These all have an id. 66 is one that the library doesn't understand. This isn't a problem and won't affect anything.

If you want to hide these messages then add

    $DHCP_UNKNOWN => Option,

to line 565 of lib/dhcp/dhcp/options.rb and

    $DHCP_UNKNOWN= 0x66

to line 140 of constants.rb in the same directory.

I can't test it but that should fix it. If not try changing the 0x66 to just 66.
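The behaviour described in the post above (a DHCP reply carrying an option id the parser has no entry for) can be handled by keeping unknown options as raw bytes instead of warning. This is an added example, not code from the thread or from the DHCP library it discusses; `parse_dhcp_options`, `KNOWN_OPTIONS` and the sample bytes are hypothetical names and constructed data, and the layout assumed is the code/length/value encoding of RFC 2132.

```ruby
# Added example: walk a DHCP options field (RFC 2132 code/length/value layout).
# KNOWN_OPTIONS is a deliberately small, hypothetical table; anything not in it
# is kept as raw bytes so an unfamiliar id such as 66 is recorded, not fatal.
KNOWN_OPTIONS = {
  1  => :subnet_mask,
  3  => :router,
  6  => :dns_servers,
  42 => :ntp_servers,
  51 => :lease_time,
  53 => :message_type,
  54 => :server_id
}.freeze

PAD_OPT = 0    # single byte, no length field
END_OPT = 255  # terminates the options field

# Returns [known, unknown]: known maps name => bytes, unknown maps code => bytes.
def parse_dhcp_options(bytes)
  data = bytes.b
  known = {}
  unknown = {}
  i = 0
  while i < data.bytesize
    code = data.getbyte(i)
    i += 1
    next if code == PAD_OPT
    break if code == END_OPT
    len = data.getbyte(i)
    raise ArgumentError, "option #{code}: missing length" if len.nil?
    value = data.byteslice(i + 1, len)
    # A length that runs past the buffer is a malformed packet, not an unknown option.
    raise ArgumentError, "option #{code}: truncated value" if value.nil? || value.bytesize < len
    i += 1 + len
    if (name = KNOWN_OPTIONS[code])
      known[name] = value
    else
      unknown[code] = value
    end
  end
  [known, unknown]
end

# Constructed sample: message type 2 (OFFER), a /24 mask, one NTP server, option 66.
SAMPLE_OPTIONS = [53, 1, 2, 1, 4, 255, 255, 255, 0,
                  42, 4, 192, 0, 2, 10, 66, 4, *"tftp".bytes, 255].pack("C*")

if __FILE__ == $PROGRAM_NAME
  known, unknown = parse_dhcp_options(SAMPLE_OPTIONS)
  puts "known:   #{known.keys.inspect}"
  puts "unknown: #{unknown.keys.inspect}"
end
```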
digininja (Author), Posted June 5, 2010
For DHCP it depends on what attack you are performing. If all you want to do is a denial of service then you don't need your own server, if you want to man-in-the-middle then yes, set up your own. dhcpd is a good package, the config file is fairly simple to create.

For DNS you just point it at any existing DNS server, the original one is best, then just replace any requests you want with your own.
c0cac00l, Posted June 5, 2010
Men, something is not right, I try to attack and it is not working..

    msf auxiliary(exhaust) > run
    [*] DHCP attack started
    [*] Timeout waiting for OFFER
    [*] Got a timeout, assuming DHCP exhausted. You Win
    [*] Finished
    [*] Auxiliary module execution completed

Is this normal? I'm not using eth0, I'm using wi-fi.
digininja (Author), Posted June 5, 2010
> men, something is not right, i try to attack and it is not working..
> msf auxiliary(exhaust) > run
> [*] DHCP attack started
> [*] Timeout waiting for OFFER
> [*] Got a timeout, assuming DHCP exhausted. You Win
> [*] Finished
> [*] Auxiliary module execution completed
> Is this normal ? i'm not using eth0, i'm using wi-fi

Simple question, are there any DHCP leases left on your DHCP server? If there aren't then there is something wrong.
digininja (Author), Posted June 5, 2010
> @c0cac00l.. Are you sure that you are hitting the DHCP server and not a random address.. Use "Show Options" to check what it's directed to by default (255.255.255.255)
> To find out ur DHCP server.. whip open a command prompt.. do an IPCONFIG.. and its your Subnet Mask .. Mines (255.255.255.0)
> Or in linux... google it ;)

The peerhost (or whatever it was called at the time) is gone, it was only there as a hangover from the module that mine is inherited from. Grab the latest version from my site if you are still on an old version.

Your DHCP server is not your subnet mask. Your subnet mask defines the range of your network IP. On most home networks the DHCP server is the modem/router; on corporate networks it could be a router, a domain controller or any other machine given the task.
mux, Posted June 5, 2010
> To find out ur DHCP server.. whip open a command prompt.. do an IPCONFIG.. and its your Subnet Mask .. Mines (255.255.255.0)

What? Your subnet mask is your subnet mask, not your DHCP server. All your subnet mask does is essentially tell you the maximum amount of host IPs possible on your specific network, i.e. 255.255.255.0 (/24) tells me that a maximum of 254 host IPs are possible on your network. That does not, however, mean that there is a minimum of 254 host IP addresses usable by the DHCP pool on your /24 network. The DHCP server determines your IP pool range in its config file (usually).
c0cac00l, Posted July 15, 2010
I have a little question: does this attack only work on local? Like with a router, or is it possible to do it with the ISP? Like an external attack.
digininja (Author), Posted July 16, 2010
DHCP requests don't go across subnets so won't go through a router. If you just have a modem connecting your PC to the ISP network then you would be on the same subnet (the modem has to be to get its DHCP address) so you could try the attack, however I expect in most cases it would fail as the ISP ties access to its network down to MAC addresses and the fake MAC addresses created by the app won't be allowed on so it won't work.
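The post above notes that the tool's requests come from fake MAC addresses and that a network which ties access to known MACs will reject them. The same property gives a DHCP operator a detection signal: many DISCOVERs from previously unseen MACs in a short time. This is an added example, not code from the thread; the log line format is a constructed one modelled on dhcpd's `DHCPDISCOVER from <mac> via <iface>` messages, and `starvation_alerts`, the window, the threshold and the sample MACs are all assumptions.

```ruby
require "set"
require "time"

# Assumed (constructed) line format: "<ISO-8601 time> <host> dhcpd: DHCPDISCOVER from <mac> via <iface>"
DISCOVER_RE = /\A(\S+) \S+ dhcpd: DHCPDISCOVER from ((?:\h{2}:){5}\h{2}) via (\S+)/

# Groups DISCOVERs from MACs outside known_macs into fixed windows per interface
# and reports every window holding at least `threshold` distinct unseen MACs.
def starvation_alerts(lines, known_macs:, window: 10, threshold: 5)
  buckets = Hash.new { |h, k| h[k] = Set.new }
  lines.each do |line|
    m = DISCOVER_RE.match(line) or next
    ts = Time.iso8601(m[1]).to_i
    mac = m[2].downcase
    next if known_macs.include?(mac)          # inventory / allowlisted client
    buckets[[ts - ts % window, m[3]]] << mac   # fixed window, not sliding
  end
  buckets.select { |_, macs| macs.size >= threshold }
         .map do |(start, iface), macs|
           { start: Time.at(start).utc.iso8601, iface: iface, new_macs: macs.size }
         end
end

# Constructed sample log: six unseen MACs within one 10-second window,
# then ordinary traffic from one known and one new client.
SAMPLE_LOG = (1..6).map { |n|
  format("2010-07-16T09:00:%02dZ gw dhcpd: DHCPDISCOVER from de:ad:00:00:00:%02x via eth0", n, n)
} + [
  "2010-07-16T09:05:00Z gw dhcpd: DHCPDISCOVER from 00:16:3e:aa:bb:01 via eth0",
  "2010-07-16T09:07:30Z gw dhcpd: DHCPDISCOVER from 00:16:3e:aa:bb:02 via eth0",
  "2010-07-16T09:07:31Z gw dhcpd: DHCPACK on 192.0.2.20 to 00:16:3e:aa:bb:02 via eth0"
]
KNOWN_MACS = Set["00:16:3e:aa:bb:01"]

if __FILE__ == $PROGRAM_NAME
  starvation_alerts(SAMPLE_LOG, known_macs: KNOWN_MACS).each { |a| puts a.inspect }
end
```

Fixed windows keep the example short; a burst that straddles a window boundary is split across two buckets, so a production rule would use a sliding window or a lower threshold.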
knives, Posted November 19, 2010
> It's working perfectly!!!! Thanks a lot !!!!! you are awesome!

I checked my externals/pcaprub folder and the files do exist but it is still showing me that error.
digininja (Author), Posted November 19, 2010
Did you install pcaprub? You don't have to just have it, you have to install it as well.
taoist_jeff, Posted February 26, 2011
Wow this thread seems to be long enough, but I thought this might be the best place for this question. I'm trying to figure out how to run the DHCP Exhaustion module over my wireless card.

When the module is loaded and wlan0 is associated with no current DHCP lease, I get "Error: The host (255.255.255.255:67) was unreachable". After I obtain a lease, the module seems to hang indefinitely and nothing appears to happen (no output is displayed). I figured that this was because my card was not running in promiscuous mode, and can't hear any responses assigned to other MAC addresses, but it seems like it should still time out.

Anyway, I tried putting my card in monitor mode, but then I get "Error: wlan0 has no ipv4 address". Oddly enough, after running in that configuration, BackTrack (4r2) seems to crash. I can't switch to another terminal and I get no response from key strokes (except alt-ctrl-del). I've also tried running the card in managed mode but I get the same error about 255.255.255.255 being unreachable.

I'm using an Acer Aspire One Netbook with an Atheros AR5001 Wireless Network Adapter (rev 01). Aircrack reports injection works just fine, in case that's an issue. Any help would be much appreciated.
digininja (Author), Posted February 27, 2011
There is a difference between monitor mode and promiscuous mode, you need promiscuous mode for this to work. Iron Geek did some research on wifi cards that would do promiscuous mode about 6 months ago if you need a list of which can do it.
taoist_jeff, Posted February 27, 2011
Ahh, many thanks! I was operating under the assumption that monitor mode was the equivalent of promiscuous for wireless cards. This was because while "ifconfig wlan0 -promisc" didn't return an error, it also didn't add any new status to wlan0 when listing the interface with plain ol' "ifconfig". Looks like I'm going to see if there is an updated driver or go shopping for a usb card. Thanks again for clearing up that road block.
nemes, Posted June 19, 2011
Mmh, I'm still kinda stuck after reading this thread :/ This warning keeps popping up after I fire up my msfconsole:

    [-] WARNING! The following modules could not be loaded!
    [-] /opt/framework-3.7.1/msf3/modules/auxiliary/digininja/dhcp_exhaustion/exhaust.rb: MissingSourceFile no such file to load -- lib/dhcp

Yes, I'm using the latest Ruby build and the latest Metasploit (v3.8.0-dev), and yes, I extracted in the right folders:

    sudo tar -C /opt/framework-3.7.1/msf3/ -xf msf_dhcp_dns_1.0.tar.bz2

Could anyone please assist me with this problem?
nemes, Posted July 12, 2011
Fixed my problem after changing exhaust.rb:

    require 'msf/core'
    require 'dhcp'