Author Topic: DHCP rogue research (Read 1172 times)

Offline 8200

DHCP rogue research
« on: September 10, 2015, 03:25:38 pm »
Hi,
I do DHCP starvation + DHCP rogue attack, but I have a problem with already connected clients (sometimes the lease can be for a few days...).

I try to make already connected clients resend a discovery request (before the lease is due) so I can catch them with my rogue DHCP server.
I tried so far:
1. reply with NAK on INFORM -> didn't work
2. reply with ACK with a different lease inside on INFORM -> didn't work
3. send RELEASE in the name of the victim and then start starvation and get his IP, sending GARP to announce the duplicate in a loop -> didn't work
4. make the attacker with a static IP that duplicates the IP of my victim -> didn't work

I really need help on this, no matter how; the only rule is that I don't have physical access to the cable or to the router.

Offline proxx

Re: DHCP rogue research
« Reply #1 on: September 10, 2015, 05:11:04 pm »
Did you read this:
http://www.ietf.org/rfc/rfc3203.txt
Pretty sure you can mimic those packets and spoof their source.
Try Scapy to craft the packets.

Also, this might be really nasty but could work, just thought of it now.
You could try to mimic an NTP server, spoof DNS on the network (who cares, just spoof all known public NTPDs), make the clients connect to your NTPD, set the time beyond the expiry time of the DHCP lease and force them to re-lease; assuming you would have flooded the pool by now there won't be anything to offer. Just a thought.
You can use ARP spoofing as a step-up for the DNS spoof.

Or you could try to blow up the switch, thus disconnecting the link and forcing the clients to reobtain an address, again after you exhausted the pool.
Some switches will die on certain ST traffic; look for known exploits etc.


Also work on the layout, this is total shit.
« Last Edit: September 10, 2015, 05:21:23 pm by proxx »
Wtf were you thinking with that signature? - Phage.
This was another little experiment *evillaughter - Proxx.
Evilception... - Phage

Offline 8200

Re: DHCP rogue research
« Reply #2 on: September 10, 2015, 06:23:54 pm »
Thank you for the quick answer.

Regarding option a, in order to support the DHCP FORCERENEW message the protocol implementation must implement DHCP auth; the problem is that the Windows DHCP client and server do not have DHCP auth support.

Regarding c, I tried this; it doesn't work so well, you don't always know the type of the switch, and even if you know, you can't always exploit it.

Regarding b, this is a very interesting idea and I will try it, you are very clever :)
But I wonder:
how often does a computer send NTP requests? (Or is there any way for me to force it to get NTP from me?)

And please, if you have more ideas, please write them here, and again thank you.

Fix the horrible text formatting, capital letters, spelling etc. You can edit the post; consider this to be the last warning.
Make sure you fix the first post as well.

« Last Edit: September 10, 2015, 09:25:41 pm by proxx »
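Added example, not code from this thread or from either poster: a small defender-side audit of DHCP traffic in Python that flags the three things discussed above: a server answering OFFER/ACK with a server identifier outside the authorized set (a rogue DHCP server), a FORCERENEW (RFC 3203) message that carries no authentication option 90 (RFC 3118, the requirement 8200 mentions), and a burst of DISCOVERs from many distinct client MACs (starvation). The packets are constructed in the block (BOOTP fixed fields plus options, no IP/UDP headers), and the authorized server 10.0.0.1 and the threshold of five clients are assumptions.

```python
import struct

# DHCP message types: RFC 2131 plus FORCERENEW from RFC 3203
DISCOVER, OFFER, ACK, FORCERENEW = 1, 2, 5, 9

def build_dhcp(msg_type, chaddr, server_id=None, authenticated=False):
    # Constructed sample packet: 236 bytes of BOOTP fixed fields, magic cookie, options, END
    hdr = struct.pack("!BBBBIHHIIII", 1 if msg_type == DISCOVER else 2, 1, 6, 0, 0x1234, 0, 0, 0, 0, 0, 0)
    hdr += chaddr.ljust(16, b"\x00") + bytes(64) + bytes(128)    # chaddr, sname, file
    opts = bytes([53, 1, msg_type])                              # option 53: message type
    if server_id:                                                # option 54: server identifier
        opts += bytes([54, 4]) + bytes(int(x) for x in server_id.split("."))
    if authenticated:                                            # option 90 (RFC 3118), dummy body
        opts += bytes([90, 3, 0, 0, 0])
    return hdr + b"\x63\x82\x53\x63" + opts + b"\xff"
def parse_options(pkt):
    """Return {code: raw value} from offset 240; PAD (0) is skipped, END (255) stops."""
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 255:
        if pkt[i] == 0:
            i += 1
        else:
            code, ln = pkt[i], pkt[i + 1]
            opts[code] = pkt[i + 2:i + 2 + ln]
            i += 2 + ln
    return opts
def audit(pkts, authorized_servers, starvation_threshold=5):
    """Flag rogue server replies, unauthenticated FORCERENEW, and DISCOVER storms."""
    alerts, discover_macs = [], set()
    for pkt in pkts:
        o = parse_options(pkt)
        mtype = o.get(53, b"\x00")[0]
        chaddr = pkt[28:34].hex(":")                 # first 6 bytes of chaddr as a MAC
        if mtype in (OFFER, ACK):
            sid = ".".join(str(b) for b in o.get(54, b""))
            if sid not in authorized_servers:
                alerts.append(f"rogue DHCP server {sid} answering client {chaddr}")
        elif mtype == FORCERENEW and 90 not in o:
            alerts.append(f"FORCERENEW without authentication option sent to {chaddr}")
        elif mtype == DISCOVER:
            discover_macs.add(chaddr)
    if len(discover_macs) >= starvation_threshold:
        alerts.append(f"possible starvation: {len(discover_macs)} distinct clients sent DISCOVER")
    return alerts

# Constructed traffic: six DISCOVERs, a legitimate OFFER, a rogue OFFER, FORCERENEW without/with option 90
SAMPLE = [build_dhcp(DISCOVER, bytes([2, 0, 0, 0, 0, i])) for i in range(6)] + [
    build_dhcp(OFFER, bytes([2, 0, 0, 0, 0, 1]), server_id="10.0.0.1"),
    build_dhcp(OFFER, bytes([2, 0, 0, 0, 0, 1]), server_id="10.0.0.99"),
    build_dhcp(FORCERENEW, bytes([2, 0, 0, 0, 0, 2])),
    build_dhcp(FORCERENEW, bytes([2, 0, 0, 0, 0, 3]), authenticated=True),
]
```

Calling `audit(SAMPLE, {"10.0.0.1"})` yields one alert per condition; on a real network the packets would come from a sniffer on the DHCP server port, and a DHCP-snooping switch configuration enforces the same server allowlist in hardware.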

Offline proxx

Re: DHCP rogue research
« Reply #3 on: September 10, 2015, 09:37:53 pm »
> How often does a computer send NTP requests? (Or is there any way for me to force it to get NTP from me?)

Hmm, I looked it up (so should you) and it appears these expire times are quite long.
Windows domain systems default to ~1 hour, a standalone Windows machine roughly a week.
For a domain this would be viable.
Come to think of it, this is an excellent way of messing up a whole bunch of systems in the same network; DNS is often overlooked and basically ignored.
Tell me how many here use SSL for their NTP client?? No? :P, figured.

Another option is to force them off the network, which is probably more practical.
Again ARP can assist you in doing such a thing, but I would assume this is cheating since you want to exploit the DHCP protocol in some way.
However, if the approach is meant to be practical I would suggest null routing their traffic by altering the ARP tables of the clients.
The person on the client will be disconnected and will probably attempt to reconnect and will obtain a DHCP addr from the rogue client.
It is quite intrusive though.

Let me give this some thought, a more network style approach would be far more elegant.

« Last Edit: September 10, 2015, 09:42:05 pm by proxx »

Offline 8200

Re: DHCP rogue research
« Reply #4 on: September 11, 2015, 06:33:12 am »
Thank you very much, I am really looking forward to reading your network ideas, they are very creative.
I read about NTP on Google (RFC, Wikipedia, forums) and I didn't find a place that talks about how often NTP requests are sent,
so I started research on my computer and I found out that it is (on my computers at work and probably most computers) not set by default, which means that it is a possible solution but I can use it only in certain cases.
Anyhow, it's an extremely good creative idea that can "handle" a wide range of security checks that use time (like Kerberos).
About the ARP, did you mean to do ARP poisoning without IP forwarding (and by this making a DoS attack)?
I do not care if the solution will be through DHCP or another protocol; the only thing is, I need it fully automatic, so regardless of what the victim does, his computer will ask for a new IP,
not something that relies on the victim doing a restart or something like this (like making the router shut down, a DoS attack etc.).

Edit:
I tried the NTP spoof attack; it doesn't work. Even when I change the time on the victim, he does not ask for a new IP; maybe he checks the time with some timer or something else...
« Last Edit: September 11, 2015, 12:48:14 pm by 8200 »