Post on 03-Feb-2020

Sec601 Lab 10 – Attacks against DHCP and DNS

Aim: To investigate the effects of DHCP and DNS attacks by a “rogue” DHCP server to misconfigure DNS settings on client machines, as a result of which the hacker can gain access to other services.

Main theme of exercises:

Set up the Scenario

Prepare the Attack

Fall for the Attack

Exercise 1: Setting up the Scenario

Aim: To set up the scenario on Server.

Method:

Define the DHCP scope of distributable IP addresses from the DHCP Server

Limit the Lease duration for DHCP clients

Limit the subnet delay

Result:

Started off by logging onto Server and opening DHCP via Server Manager. Then alt-clicking on the Classroom scope node (server.classroom.local > IPv4 > Scope) and selecting Properties:

I then set the IP start and end addresses as follows:

And adjusted the lease time to 1 hour:

In the Advanced tab, I then set the Subnet Delay time to 100ms and clicked OK:

I then copied c:\GTSLABS\wwwroot to c:\inetpub:-

Exercise 2: Preparing the Attack

Aim: To connect to the website, create and modify a copy, and to redirect traffic using an open source DHCP and DNS server to the new website.

Method:

Result:

Started by logging into ROGUE as Admin and browsing to c:\GTSLABS to create a subfolder called ‘website’. With this done, I then connected to Server using http://server.classroom.local. In the browser, I clicked on the Tools icon and selected File, Save As. I set the “Save as type” to ‘Webpage, complete (*.htm, *.html)’ and saved the site in the c:\GTSLABS\website folder under the name ‘default.htm’.

The new ‘website’ folder:

http://server.classroom.local:

Where default.htm is saved:

I then opened default.htm in wordpad and changed the text in the <H1> tags to “The Book Company is Awesome!!” (originally “The Book Company”) and saved it:

I then opened “Network and Sharing Center” and clicked on the Ethernet link:

Which opened:

After clicking the Properties button, selected IPv4 from the items list and clicked the Properties button:

Where I then set the IP address to 10.1.0.10/24 and the DNS to 10.1.0.1:

I then opened ‘Turn Windows Features on or off’, as before, and selected the ‘Internet Information Services’ checkbox and installed the feature:

After which I opened IIS:

And navigated to ROGUE (ROGUE Admin), Sites, Default Web Site and clicked the ‘Basic Settings’ link in the action pane:

Which opened the ‘Edit Site’ dialog, where I browsed the physical path to c:\GTSLABS\website and confirmed the new location by clicking OK:

I then navigated to c:\GTSLABS in file explorer and ran DualServerInstallerV7.12:

After completing the installation with default settings, I then copied the DualServer configuration settings file from c:\GTSLABS to c:\DualServer, replacing the file already there:

I then opened the Services (start > type services > click ‘View local services’) and alt-clicked the ‘Dual DHCP DNS Service’ and started it:

Exercise 3: Falling for the Attack

Aim: To check whether CLIENT has been caught by the Attack.

Method:

Check the IP address of CLIENT (expected range >= 10.1.0.128)

Result:

Started by logging into CLIENT as CLASSROOM\Administrator and opening the ‘Network and Sharing Center’, where I checked the IP address (within the expected range):

This indicated that the new DHCP server was not having an effect, so I restarted the service:

After clicking the ‘restart’ link, I was warned about other services that needed restarting:

With the services restarted, I then re-checked the IP address and found it had been changed to an IP outside the scope!! Indicating that the ‘rogue’ DHCP server was now in control:

And, crikey!! The website I now view when browsing to http://server.classroom.local is now the false website we created earlier!!

Conclusion: I successfully set up a rogue DHCP and DNS server that fooled the CLIENT into thinking it was looking at the real website on Server. A man-in-the-middle has been created.
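
The defender's side of the result above, as an added example that is not part of the original lab report: a check that parses a DHCP reply and flags the signs CLIENT showed (a lease outside the scope, handed out by a server that is not the authorised one, pointing DNS somewhere untrusted). Assumptions: Server is the authorised DHCP and DNS server at 10.1.0.1, the scope runs 10.1.0.128 to 10.1.0.254, and the sample packets are constructed for the example.

```python
import ipaddress

IP = ipaddress.IPv4Address
MAGIC_COOKIE = b"\x63\x82\x53\x63"   # start of the DHCP options field (RFC 2131)
# Assumed lab values: Server at 10.1.0.1, scope 10.1.0.128-254, ROGUE at 10.1.0.10.
AUTHORISED = {IP("10.1.0.1")}
TRUSTED_DNS = {IP("10.1.0.1")}
SCOPE = (IP("10.1.0.128"), IP("10.1.0.254"))

def parse_dhcp_reply(payload: bytes) -> dict:
    """Pull out yiaddr plus the options a rogue server changes (54 and 6)."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    info = {"yiaddr": IP(payload[16:20]), "server_id": None, "dns": []}
    i = 240
    while i < len(payload) and payload[i] != 255:      # 255 = End option
        if payload[i] == 0:                            # Pad: no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated DHCP option")
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated DHCP option")
        if code == 54 and length == 4:                 # Server Identifier
            info["server_id"] = IP(value)
        elif code == 6 and length % 4 == 0:            # DNS servers
            info["dns"] = [IP(value[j:j + 4]) for j in range(0, length, 4)]
        i += 2 + length
    return info

def audit(info: dict) -> list:
    """Return the reasons this OFFER/ACK should not be trusted."""
    findings = []
    if info["server_id"] not in AUTHORISED:
        findings.append("unauthorised DHCP server")
    if not SCOPE[0] <= info["yiaddr"] <= SCOPE[1]:
        findings.append("leased address outside scope")
    if any(d not in TRUSTED_DNS for d in info["dns"]):
        findings.append("untrusted DNS server")
    return findings

def sample_reply(yiaddr: str, server: str, dns: str) -> bytes:
    """Constructed DHCPACK: 236-byte BOOTP header, cookie, options 53/54/6."""
    header = bytes([2, 1, 6, 0]) + bytes(12) + IP(yiaddr).packed + bytes(216)
    opts = b"\x35\x01\x05" + b"\x36\x04" + IP(server).packed
    return header + MAGIC_COOKIE + opts + b"\x06\x04" + IP(dns).packed + b"\xff"

if __name__ == "__main__":
    print(audit(parse_dhcp_reply(sample_reply("10.1.0.50", "10.1.0.10", "10.1.0.10"))))
```

On managed switches, DHCP snooping enforces the same allow-list in the network by dropping DHCP server replies that arrive on untrusted ports.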