Sec601 Lab 10 – Attacks against DHCP and DNS
Aim: To investigate the effects of DHCP and DNS attacks by a “rogue” DHCP server to misconfigure DNS
settings on client machines, as a result of which the hacker can gain access to other services.
Main theme of exercises:
Set up the Scenario
Prepare the Attack
Fall for the Attack
Exercise 1: Setting up the Scenario
Aim: To set up the scenario on Server.
Method:
Define the DHCP scope of distributable ip addresses from the DHCP Server
Limit the Lease duration for DHCP clients
Limit the subnet delay
Result:
Started off by logging onto Server and opening DHCP via Server Manager. Then alt-clicking on the
Classroom scope node (server.classroom.local > IPv4 > Scope) and selecting Properties:
I then set the IP start and end addresses as follows:
And adjusted the lease time to 1 hour:
In the Advanced tab, I then set the Subnet Delay time to 100ms and clicked OK:
I then copied c:\GTSLABS\wwwroot to c:\inetpub:-
Exercise 2: Preparing the Attack
Aim: To connect to the website, create and modify a copy, and to redirect traffic using an open source
DHCP and DNS server to the new website.
Method:
Result:
Started by logging into ROGUE as Admin and browsing to c:\GTSLABS to create a subfolder called
‘website’. With this done, I then connected to Server using http://server.classroom.local. In the browser,
I clicked on the Tools icon and selected File, Save As. I set the “Save as type” to ‘Webpage, complete
(*.htm, *.html)’ and saved the site in the c:\GTSLABS\website folder under the name ‘default.htm’.
The new ‘website’ folder:
http://server.classroom.local:
Where default.htm is saved:
I then opened default.htm in wordpad and changed the text in the <H1> tags to “The Book Company is
Awesome!!” (originally “The Book Company”) and saved it:
I then opened “Network and Sharing Center” and clicked on the Ethernet link:
Which opened:
After clicking the Properties button, selected IPv4 from the items list and clicked the Properties button:
Where I then set the ip address to 10.1.0.10/24 and the DNS to 10.1.0.1:
I then opened ‘Turn Windows Features on or off’, as before, selected the ‘Internet Information
Services’ checkbox and installed the feature:
After which I opened IIS:
And navigated to ROGUE (ROGUE Admin), Sites, Default Web Site and clicked the ‘Basic Settings’ link in
the action pane:
Which opened the ‘Edit Site’ dialog, where I browsed the physical path to c:\GTSLABS\website and
confirmed the new location by clicking OK:
I then navigated to c:\GTSLABS in file explorer and ran DualServerInstallerV7.12:
After completing the installation with default settings, I then copied the DualServer configuration
settings file from c:\GTSLABS to c:\DualServer, replacing the file already there:
I then opened the Services (start > type services > click ‘View local services’) and alt-clicked the ‘Dual
DHCP DNS Service’ and started it:
Exercise 3: Falling for the Attack
Aim: To check whether CLIENT has been caught by the Attack.
Method:
Check the IP address of CLIENT (expected range >= 10.1.0.128)
Result:
Started by logging into CLIENT as CLASSROOM\Administrator and opening the ‘Network and Sharing
Center’, where I checked the IP address (within the expected range):
This indicated that the new DHCP server was not having an effect, so I restarted the service:
After clicking the ‘restart’ link, I was warned about other services that needed restarting:
With the services restarted, I then re-checked the IP address and found it had been changed to an IP
outside the scope!! This indicated that the ‘rogue’ DHCP server was now in control:
And, crikey!! The website I now view when browsing to http://server.classroom.local is now the false
website we created earlier!!
Conclusion: I successfully set up a rogue DHCP and DNS server that fooled the CLIENT into thinking it was
looking at the real website on Server. A man-in-the-middle has been created.
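The check performed in Exercise 3 (is the client's address inside the expected scope, and who handed it out?) can be automated from the defender's side. The script below is an added example, not part of the lab report or of DualServer; it assumes the legitimate DHCP server is 10.1.0.1, that its scope is 10.1.0.128 and above within 10.1.0.0/24, and that 10.1.0.1 is the only DNS server clients should be given. The sample offers are constructed.

```python
"""Flag DHCP OFFERs that do not match the authorized server's scope (added example)."""
import ipaddress

# Assumed authorized configuration (not stated in full on the page).
AUTHORIZED_SERVER = ipaddress.ip_address("10.1.0.1")
SCOPE_NETWORK = ipaddress.ip_network("10.1.0.0/24")
SCOPE_START = ipaddress.ip_address("10.1.0.128")   # expected range >= 10.1.0.128
EXPECTED_DNS = {ipaddress.ip_address("10.1.0.1")}


def check_offer(offer):
    """Return the reasons an observed OFFER looks rogue; an empty list means clean.

    `offer` is a dict summarising one DHCP OFFER: the server identifier
    (option 54), the offered address (yiaddr) and the DNS servers (option 6).
    """
    reasons = []
    server = ipaddress.ip_address(offer["server_id"])
    yiaddr = ipaddress.ip_address(offer["yiaddr"])
    dns = {ipaddress.ip_address(d) for d in offer.get("dns", [])}

    if server != AUTHORIZED_SERVER:
        reasons.append(f"server identifier {server} is not the authorized DHCP server")
    if yiaddr not in SCOPE_NETWORK or yiaddr < SCOPE_START:
        reasons.append(f"offered address {yiaddr} is outside the authorized scope")
    unexpected = dns - EXPECTED_DNS
    if unexpected:
        reasons.append("offer points clients at unexpected DNS server(s) "
                       + ", ".join(sorted(map(str, unexpected))))
    return reasons


def rogue_offers(offers):
    """Return (server_id, reasons) for every offer that fails check_offer."""
    flagged = []
    for offer in offers:
        reasons = check_offer(offer)
        if reasons:
            flagged.append((offer["server_id"], reasons))
    return flagged


# Constructed sample: one offer from the real server, one from a second
# server on the same segment handing out an out-of-scope address and itself as DNS.
SAMPLE_OFFERS = [
    {"server_id": "10.1.0.1", "yiaddr": "10.1.0.130", "dns": ["10.1.0.1"]},
    {"server_id": "10.1.0.10", "yiaddr": "10.1.0.50", "dns": ["10.1.0.10"]},
]

if __name__ == "__main__":
    for server_id, reasons in rogue_offers(SAMPLE_OFFERS):
        print(f"ROGUE OFFER from {server_id}: " + "; ".join(reasons))
```

In practice the offer summaries would come from a packet capture or a DHCP snooping log; any offer that fails the check is worth investigating before the lease is renewed.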