1
00:00:00,430 --> 00:00:06,220
In DHCP spoofing attacks, the attacker places a rogue DHCP server on the network.

2
00:00:07,360 --> 00:00:12,970
There are two main features of the DHCP mechanism that give rise to the DHCP spoofing attack.

3
00:00:14,340 --> 00:00:19,530
First, there's no authentication process or priority in the DHCP mechanism.

4
00:00:20,600 --> 00:00:27,080
Second, as clients are turned on and request an address, the server with the fastest response is used.

5
00:00:28,230 --> 00:00:34,080
So if the device receives a response from the rogue server first, the rogue server can assign any address

6
00:00:34,080 --> 00:00:37,410
as well as control which device it uses as a gateway.

7
00:00:38,800 --> 00:00:46,060
So a well-designed attack can funnel traffic from local hosts to a rogue server that logs all the traffic

8
00:00:46,060 --> 00:00:54,370
and then forwards that traffic out to the correct gateway to the device, and this action would be almost

9
00:00:54,370 --> 00:00:55,060
transparent.

10
00:00:55,210 --> 00:00:55,540
Right?

11
00:00:56,560 --> 00:01:00,250
That is, the attacker can steal information pretty much invisibly.

12
00:01:00,700 --> 00:01:02,140
How are you going to find that?

13
00:01:03,160 --> 00:01:04,090
That's why you're here.

14
00:01:05,100 --> 00:01:09,360
Let me call you in on another important point while setting up a rogue DHCP server.

15
00:01:10,140 --> 00:01:16,950
We cannot be so sure whether the client received the settings of the rogue server or the legitimate

16
00:01:16,950 --> 00:01:17,340
server.

17
00:01:18,710 --> 00:01:24,230
That's why it's way better to use the DHCP spoofing attack with a DHCP starvation attack.

18
00:01:24,660 --> 00:01:25,160
All right.

19
00:01:25,730 --> 00:01:34,580
In a DHCP starvation attack, an attacker broadcasts a large number of DHCP request messages with spoofed

20
00:01:34,610 --> 00:01:35,990
source MAC addresses.
21
00:01:37,080 --> 00:01:43,980
If the legitimate DHCP server in the network starts responding to all these bogus DHCP request messages,

22
00:01:44,340 --> 00:01:50,310
available IP addresses in the server scope will be depleted within a very short span of time.

23
00:01:51,840 --> 00:01:59,190
Now, once the available number of IP addresses in the DHCP server is depleted, network attackers can

24
00:01:59,190 --> 00:02:08,670
then set up a rogue DHCP server and respond to new DHCP requests from the network DHCP clients by setting

25
00:02:08,670 --> 00:02:10,470
up a rogue DHCP server.

26
00:02:10,950 --> 00:02:15,990
The attacker can now launch a whole DHCP spoofing attack.

27
00:02:17,790 --> 00:02:24,870
So here is how we can perform a DHCP spoofing attack together with a DHCP starvation attack.

28
00:02:25,850 --> 00:02:31,940
So we'll create a lot of DHCP discover packets to request new IP addresses from the DHCP server.

29
00:02:32,820 --> 00:02:35,700
The DHCP server replies to these requests.

30
00:02:38,210 --> 00:02:39,830
IP address space is limited.

31
00:02:40,800 --> 00:02:45,540
For example, a Class C subnet has about 250 IP addresses available.

32
00:02:47,110 --> 00:02:54,310
So since the IP addresses are used up by fake MAC addresses, there aren't any more IP addresses for legitimate

33
00:02:54,310 --> 00:02:54,740
clients.

34
00:02:56,490 --> 00:03:03,090
DHCP cannot respond to the new requests, and the clients which cannot get IP addresses become out of

35
00:03:03,090 --> 00:03:03,480
service.

36
00:03:04,570 --> 00:03:10,900
So now we'll set up a rogue DHCP server, which is the only server to respond to the clients' IP address

37
00:03:10,900 --> 00:03:11,950
requests right now.

38
00:03:13,160 --> 00:03:19,880
The rogue DHCP server starts distributing IP addresses and other TCP/IP configuration settings to the

39
00:03:19,880 --> 00:03:21,470
network DHCP clients.
40
00:03:22,610 --> 00:03:28,490
TCP/IP configuration settings include default gateway and DNS server IP addresses.

41
00:03:30,400 --> 00:03:37,210
So now we can replace the original legitimate default gateway IP address and DNS server IP address with

42
00:03:37,210 --> 00:03:39,160
our own IP address.

43
00:03:42,510 --> 00:03:48,510
Once the default gateway IP address of the network devices is changed, the clients start sending

44
00:03:48,510 --> 00:03:52,050
the traffic destined to outside networks to the attacker's computer.

45
00:03:53,030 --> 00:03:57,950
The attacker can now capture sensitive user data and launch a man-in-the-middle attack.