According to Cisco Enterprise Mobility, clients are associated to access points using their MAC address. So, can an attacker send multiple DHCPDISCOVER messages using spoofed random source MAC addresses in a wireless environment?
This is what is confusing me. It is actually possible in a wired LAN. However, when it comes to WLAN, the access points (APs) associate devices by their MAC addresses. When the access point sees that the source MAC address is not associated with it, it drops the packet directly. Thus the DHCPDISCOVER message never reaches the DHCP server. I checked it in Wireshark and this is what I got.
Another scenario is when the Ethernet source MAC address is the genuine one and the chaddr MAC is a random MAC for which the IP address is requested. The access point will allow the message to pass through it, so it will reach the DHCP server. The DHCP server will then generate a DHCPOFFER message with the destination MAC address taken from the chaddr field of the DHCPDISCOVER message. When this message reaches the access point, it will drop the OFFER because the destination MAC address is not associated with the AP. Thus the attacker will not receive the DHCPOFFER message and the allocation process will not be completed. I have checked this too in Wireshark and this was the result.
But still, according to the literature survey, the attack is possible in WLANs.
I would be thankful if you have any idea of a tool/tutorial that can be used for this. I have already tried Gobbler, Yersinia and dhcpig (on Kali).
It's a coincidence that I followed the same Cisco document. In this document, what I said in the previous answer you will find under the heading "Effectiveness of Port Security in Wireless Networks". According to it, DHCP starvation is not possible in the case of a WLC even if port security is not configured, because it matches the Ethernet MAC address against the MAC present in chaddr.
What kind of network router are you using? Is there some kind of RADIUS service already running on it? It could be that you have a patched system (firmware) running that protects your network from that kind of exploit.
>"DHCP Starvation in Unified Wireless Networks
>In a Unified Wireless deployment, the vulnerability to perform a DHCP starvation attack depends on whether the WLC terminates the user traffic or an H-REAP AP terminates the user traffic.
>Due to the 802.11 protocol definition, MAC address spoofing by wireless clients is prevented through the 802.11 association process. This prevents clients from spoofing the source address of the frame in addition to the DHCP client field in the payload."
Sorry if my answer seems counter to exploiting the network; it's the aspect of wireless network defence I'm 'obsessed' with: keeping users safe on the network. Maybe these folks here can help you better: http://revolutionwifi.blogspot.com/2011/03/preventing-dhcp-starvation-attacks.html
As mesh networks become more robust, securing the network has become very important, especially with high-volume networks and networks used in public spaces.
If I may contribute to the subject matter, it is possible for an intruder to launch a DHCP attack in a wireless network by using software called Yersinia, a GNU/Linux framework that attackers use to analyze, test and launch a DHCP starvation attack by broadcasting a vast number of DHCP requests with spoofed MAC addresses concurrently.
However, this attack can be mitigated as Nidhi suggested; furthermore, it can also be mitigated by enabling DHCP snooping on a Cisco switch.
By broadcasting a vast number of DHCP requests with spoofed MAC addresses concurrently, the attack will not work, because the access point will drop all those packets that come from random MAC addresses, as they are not associated with the access point.
In wired networks, port security can prevent DHCP starvation attacks. However, if the attacker changes the MAC address in the DHCP payload (chaddr), port security cannot prevent the attack. In this case, the administrator can slow down the attack using a DHCP rate limiter on the switch port.
But in wireless networks, due to the 802.11 protocol definition, MAC address spoofing is prevented, and this prevents clients from spoofing the source address of the frame as well as the DHCP client field in the payload. The WLC (which terminates the user traffic) protects the network from DHCP starvation attacks because it checks DHCP requests to verify that the client MAC address matches the chaddr. If not, the DHCP request is dropped.
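As an added illustration (not code from any of the posts above), the following Python models the two drop points the thread describes: the question's two Wireshark scenarios (a DISCOVER from a random source MAC dying at the AP, and a DISCOVER with a genuine source MAC but a random chaddr whose OFFER is never delivered) and the WLC check described in the last answer (drop the request when chaddr differs from the client MAC). It builds a real-shaped Ethernet + BOOTP/DHCP DHCPDISCOVER so the chaddr offset is the real one, but the association table is a plain Python set standing in for the AP/WLC's real one, the IPv4/UDP headers are omitted because neither check inspects them, and the MAC addresses and return strings are constructed for the example.

```python
"""Model of the AP association filter and the WLC chaddr check discussed in the
thread.  Added example, not code from the thread or from Cisco; the association
table is a plain set and IPv4/UDP headers are omitted (neither check uses them)."""
import os
import struct

BROADCAST_MAC = b"\xff" * 6
ETHERTYPE_IPV4 = 0x0800
DHCP_MAGIC_COOKIE = bytes.fromhex("63825363")
DHCPDISCOVER = 1
ETH_HDR_LEN = 14
BOOTP_CHADDR_OFFSET = 28   # op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr


def random_mac() -> bytes:
    """Random locally administered unicast MAC, the kind starvation tools generate."""
    mac = bytearray(os.urandom(6))
    mac[0] = (mac[0] | 0x02) & 0xFE
    return bytes(mac)


def build_discover(src_mac: bytes, chaddr: bytes, xid: int = 0x3903F326) -> bytes:
    """Ethernet header followed by a BOOTP/DHCP DHCPDISCOVER payload."""
    eth = BROADCAST_MAC + src_mac + struct.pack("!H", ETHERTYPE_IPV4)
    zero4 = b"\x00" * 4
    bootp = struct.pack("!BBBBIHH4s4s4s4s",
                        1, 1, 6, 0,              # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops
                        xid, 0, 0,               # xid, secs, flags=0 (server unicasts OFFER to chaddr)
                        zero4, zero4, zero4, zero4)
    bootp += chaddr.ljust(16, b"\x00")           # chaddr: the MAC the lease is requested for
    bootp += b"\x00" * 64 + b"\x00" * 128        # sname, file
    bootp += DHCP_MAGIC_COOKIE + bytes([53, 1, DHCPDISCOVER, 255])   # option 53, end
    return eth + bootp


def eth_src(frame: bytes) -> bytes:
    return frame[6:12]


def dhcp_chaddr(frame: bytes) -> bytes:
    hlen = frame[ETH_HDR_LEN + 2]
    start = ETH_HDR_LEN + BOOTP_CHADDR_OFFSET
    return frame[start:start + hlen]


def ap_forwards(frame: bytes, associated: set) -> bool:
    """First scenario in the question: the AP relays a frame only if its source
    MAC belongs to a station that completed 802.11 association."""
    return eth_src(frame) in associated


def wlc_accepts(frame: bytes) -> bool:
    """The WLC check quoted from the Cisco document: the client MAC (frame
    source) must equal chaddr, otherwise the request is dropped."""
    return dhcp_chaddr(frame) == eth_src(frame)


def run_discover(src_mac: bytes, chaddr: bytes, associated: set,
                 wlc_check: bool = True) -> str:
    """Follow one DISCOVER through the AP, the (optional) WLC check, and the
    return path of the OFFER, which the server addresses to chaddr."""
    frame = build_discover(src_mac, chaddr)
    if not ap_forwards(frame, associated):
        return "dropped at AP: source MAC not associated"
    if wlc_check and not wlc_accepts(frame):
        return "dropped at WLC: chaddr != client MAC"
    if dhcp_chaddr(frame) not in associated:
        # Second scenario in the question: the DISCOVER got through, but the
        # OFFER is addressed to chaddr, and the AP will not deliver to a MAC
        # that is not associated, so the lease is never completed.
        return "DISCOVER reached server, OFFER dropped at AP: chaddr not associated"
    return "lease offered"


def simulate() -> dict:
    attacker = bytes.fromhex("02a1b2c3d4e5")    # constructed: attacker's own, associated MAC
    associated = {attacker}
    return {
        "legit": run_discover(attacker, attacker, associated),
        "spoofed_src": run_discover(random_mac(), random_mac(), associated),
        "spoofed_chaddr_wlc": run_discover(attacker, random_mac(), associated),
        "spoofed_chaddr_no_wlc": run_discover(attacker, random_mac(), associated,
                                              wlc_check=False),
    }


if __name__ == "__main__":
    for name, verdict in simulate().items():
        print(f"{name:24s} {verdict}")
```

Running it prints one verdict per scenario: only the request whose source MAC and chaddr are both the associated station's own address ends in "lease offered", which is the behaviour the question observed in Wireshark and the reason the per-MAC flooding that works on a wired switch port does not starve the pool through an AP/WLC.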