kerpap Posted March 12, 2014
Let's say the environment you are in uses a DHCP server with a very short lease time. Can Metasploit payloads (for instance reverse_tcp meterpreter) be set with an LHOST=255.255.255.255 or the subnet broadcast address (i.e. LHOST=192.168.1.255)? How would someone get around a short lease time with DHCP? I am going to lab this; however, I am just wondering offhand if anyone knows. The idea in this case is that the reverse shell connects to anyone listening. I am of course not referring to that specific payload, just in general. If my payload is set with LHOST=192.168.1.10 and, when the payload gets executed, my address has already changed to 192.168.1.19, the connection won't go through.
GuardMoony Posted March 12, 2014 (edited)
First of all, a short lease time does not mean your PC will get a new IP every time the lease time is over. DHCP in short:
1) Client connects to the network.
2) Client sends a request for network settings (DHCP request) as a broadcast.
3) DHCP server offers 4 times the same settings (DHCP offer).
4) Client accepts the offer and starts using it (DHCP ack).
5) Server locks the IP/MAC till release time.
Now the DHCP settings offered by the server are not only the usual stuff (IP/mask/router/DNS); they also include the release time AND the renew time. The renew time should always be lower than the release time. When the client reaches the renew time, it will send a new request to the server, but this time it will be a DHCP inform request, asking the server to extend the release time for this address. So basically, as long as your device is online and has a connection to the DHCP server, it should not change IP. But the safest way: set your device with a static IP on the network!
As for using broadcast addresses for your exploit: it could work, but it definitely isn't stealthy, and I think a lot of AV/firewall programs will not like it.
Edited March 12, 2014 by GuardMoony
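The "release time" and "renew time" GuardMoony describes are carried in the DHCPACK as options: 51 (IP address lease time), 58 (renewal time, T1) and 59 (rebinding time, T2), per RFC 2131/2132. The following is an added example, not code from the thread or from any participant: it builds a constructed DHCPACK (the bytes are made up for the demo, not a capture), parses the option block, and derives the schedule a client actually follows, including the RFC 2131 defaults of T1 = 0.5 × lease and T2 = 0.875 × lease when the server omits them. It makes the post's point concrete: the address is kept until the lease expires, and renewal starts at T1 long before that, so a reachable server normally extends the same address.

```python
"""Parse a DHCPACK option block and derive the client's renewal schedule.

Added example (not from the original thread). The DHCPACK bytes are
constructed by build_ack() for the demo and are not a real capture.
"""
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2132 start-of-options marker
FIXED_HEADER_LEN = 236               # BOOTP header before the cookie

# Option codes from RFC 2132 used in this example
OPT_PAD = 0
OPT_SUBNET_MASK = 1
OPT_ROUTER = 3
OPT_LEASE_TIME = 51      # "release time" in the post
OPT_MSG_TYPE = 53
OPT_SERVER_ID = 54
OPT_RENEWAL_T1 = 58      # "renew time" in the post
OPT_REBINDING_T2 = 59
OPT_END = 255

MSG_DHCPACK = b"\x05"


def build_ack(yiaddr, server_ip, lease, t1=None, t2=None):
    """Construct a minimal DHCPACK for the demo (constructed data)."""
    hdr = bytearray(FIXED_HEADER_LEN)
    hdr[0] = 2                                   # op = BOOTREPLY
    hdr[1] = 1                                   # htype = Ethernet
    hdr[2] = 6                                   # hlen = 6-byte MAC
    struct.pack_into("!I", hdr, 4, 0x3903F326)   # xid, arbitrary
    hdr[16:20] = socket.inet_aton(yiaddr)        # yiaddr: address being leased
    opts = bytearray()

    def add(code, payload):
        opts.extend(bytes([code, len(payload)]) + payload)

    add(OPT_MSG_TYPE, MSG_DHCPACK)
    add(OPT_SERVER_ID, socket.inet_aton(server_ip))
    add(OPT_LEASE_TIME, struct.pack("!I", lease))
    if t1 is not None:
        add(OPT_RENEWAL_T1, struct.pack("!I", t1))
    if t2 is not None:
        add(OPT_REBINDING_T2, struct.pack("!I", t2))
    add(OPT_SUBNET_MASK, socket.inet_aton("255.255.255.0"))
    add(OPT_ROUTER, socket.inet_aton("192.168.1.1"))
    opts.append(OPT_END)
    return bytes(hdr) + MAGIC_COOKIE + bytes(opts)


def parse_options(packet):
    """Walk the TLV option block and return {code: raw_value_bytes}.

    Rejects packets without the magic cookie and truncated options, so a
    malformed reply raises instead of yielding a bogus schedule.
    """
    if packet[FIXED_HEADER_LEN:FIXED_HEADER_LEN + 4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    opts = {}
    i = FIXED_HEADER_LEN + 4
    while i < len(packet):
        code = packet[i]
        if code == OPT_PAD:          # single-byte padding, no length field
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        opts[code] = value
        i += 2 + length
    return opts


def lease_schedule(packet):
    """Return the lease timing (seconds after the ACK) a client derives."""
    opts = parse_options(packet)
    if opts.get(OPT_MSG_TYPE) != MSG_DHCPACK:
        raise ValueError("not a DHCPACK")
    lease = struct.unpack("!I", opts[OPT_LEASE_TIME])[0]
    # RFC 2131 section 4.4.5 defaults when the server omits T1 / T2.
    t1 = (struct.unpack("!I", opts[OPT_RENEWAL_T1])[0]
          if OPT_RENEWAL_T1 in opts else lease // 2)
    t2 = (struct.unpack("!I", opts[OPT_REBINDING_T2])[0]
          if OPT_REBINDING_T2 in opts else lease * 7 // 8)
    return {
        "yiaddr": socket.inet_ntoa(packet[16:20]),
        "server_id": socket.inet_ntoa(opts[OPT_SERVER_ID]),
        "lease": lease,
        "renew_at": t1,      # client unicasts DHCPREQUEST to the issuing server
        "rebind_at": t2,     # no answer yet: client broadcasts DHCPREQUEST
        "expire_at": lease,  # only here is the address actually dropped
    }


if __name__ == "__main__":
    # Constructed sample: a 10-minute lease with no explicit T1/T2.
    ack = build_ack("192.168.1.19", "192.168.1.1", lease=600)
    for key, val in lease_schedule(ack).items():
        print("%-10s %s" % (key, val))
```

Run it directly to print the schedule for the constructed 600-second lease (renewal at 300 s, rebinding at 525 s, expiry at 600 s). The same parser can be pointed at a real DHCPACK payload captured on the wire, which is the quickest way to verify what lease and renewal values a given lab DHCP server is actually handing out.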
kerpap Posted March 13, 2014 (Author)
I was really using the DHCP server as an example to help explain. I am just wondering if you can use broadcast addresses, without being asked "why" and having to explain. Thanks for the feedback! I am going to try it out in a lab. I can see how it might be useful in some scenarios.