CAPEC-697 DHCP Spoofing

CAPEC ID: 697

CAPEC-697 Metadata

Likelihood of Attack

Low

Typical Severity

High

Overview

Summary

An adversary masquerades as a legitimate Dynamic Host Configuration Protocol (DHCP) server by spoofing DHCP traffic, with the goal of redirecting network traffic or denying service to DHCP.

Prerequisites

The adversary must have access to a machine within the target LAN which can send DHCP offers to the target.

Execution Flow

Step 1 (Explore): [Determine Existing DHCP Lease]
  An adversary observes network traffic and waits for an existing DHCP lease to expire on a target machine in the LAN.
  • Adversary observes LAN traffic for DHCP solicitations.
Step 2 (Experiment): [Capture the DHCP DISCOVER Message]
  The adversary captures "DISCOVER" messages and crafts "OFFER" responses for the identified target MAC address. The success of this attack centers on capturing and responding to these "DISCOVER" messages.
  • Adversary captures and responds to DHCP "DISCOVER" messages tailored to the target subnet.
Step 3 (Exploit): [Compromise Network Access and Collect Network Activity]
  An adversary successfully acts as a rogue DHCP server by redirecting legitimate DHCP requests to itself.
  • Adversary sends repeated DHCP "REQUEST" messages to quickly lease all the addresses within the network's DHCP pool, forcing new DHCP requests to be handled by the rogue DHCP server.

Potential Solutions / Mitigations

Design: MAC-Forced Forwarding
Implementation: Port Security and DHCP snooping
Implementation: Network-based Intrusion Detection Systems
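The DHCP snooping and NIDS mitigations above both reduce to the same check: server-side DHCP messages (OFFER, ACK, NAK) are only legitimate from ports where the real server or its uplink sits, and a burst of lease requests from many client MACs on one access port matches the pool-exhaustion pattern in step 3. The following is an added illustration of that logic, not code from CAPEC or any vendor; the key=value log format, the trusted port name Gi1/0/1, the sample events and the request threshold are all constructed assumptions.

```python
"""Rogue-DHCP-server detection over constructed DHCP event log lines.

Added example of a DHCP-snooping-style check; not part of CAPEC-697.
Assumed log format: one event per line, space-separated key=value fields
such as a switch or network sensor might export.
"""
import re
from collections import defaultdict

# Server-side DHCP message types: only trusted ports may emit these.
SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}

# Trusted switch ports (legitimate DHCP server / uplink). Assumed value.
TRUSTED_PORTS = {"Gi1/0/1"}

# Constructed sample events (not real traffic): one legitimate OFFER from the
# trusted port, one OFFER from an untrusted port, and a burst of REQUESTs from
# six different client MACs on that same untrusted port.
SAMPLE_LOG = """\
ts=1 port=Gi1/0/7 src_mac=aa:bb:cc:00:00:01 msg=DISCOVER
ts=2 port=Gi1/0/1 src_mac=00:11:22:33:44:55 src_ip=10.0.0.1 msg=OFFER dst_mac=aa:bb:cc:00:00:01
ts=3 port=Gi1/0/9 src_mac=de:ad:be:ef:00:01 src_ip=10.0.0.254 msg=OFFER dst_mac=aa:bb:cc:00:00:01
ts=4 port=Gi1/0/9 src_mac=de:ad:be:ef:00:02 msg=REQUEST
ts=5 port=Gi1/0/9 src_mac=de:ad:be:ef:00:03 msg=REQUEST
ts=6 port=Gi1/0/9 src_mac=de:ad:be:ef:00:04 msg=REQUEST
ts=7 port=Gi1/0/9 src_mac=de:ad:be:ef:00:05 msg=REQUEST
ts=8 port=Gi1/0/9 src_mac=de:ad:be:ef:00:06 msg=REQUEST
ts=9 port=Gi1/0/9 src_mac=de:ad:be:ef:00:07 msg=REQUEST
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn 'k=v k=v ...' into a dict; return None for blank or malformed lines."""
    fields = dict(FIELD_RE.findall(line))
    return fields if "port" in fields and "msg" in fields else None


def detect(log_text, trusted_ports=TRUSTED_PORTS, request_threshold=5):
    """Return a list of (rule, detail) alerts.

    rogue_server:    a server-side message seen on an untrusted port
                     (the DHCP snooping rule).
    pool_starvation: at least request_threshold distinct client MACs sending
                     REQUEST from one untrusted port (the step-3 pattern).
    """
    alerts = []
    macs_per_port = defaultdict(set)
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        untrusted = ev["port"] not in trusted_ports
        if ev["msg"] in SERVER_MESSAGES and untrusted:
            alerts.append((
                "rogue_server",
                f"{ev['msg']} from {ev.get('src_ip', '?')} ({ev['src_mac']}) "
                f"on untrusted port {ev['port']}",
            ))
        if ev["msg"] == "REQUEST" and untrusted:
            macs_per_port[ev["port"]].add(ev["src_mac"])
    for port, macs in macs_per_port.items():
        if len(macs) >= request_threshold:
            alerts.append((
                "pool_starvation",
                f"{len(macs)} distinct client MACs requesting leases on port {port}",
            ))
    return alerts


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_LOG):
        print(f"[{rule}] {detail}")
```

On the sample above the trusted OFFER passes silently, the OFFER on Gi1/0/9 raises a rogue_server alert, and the six REQUESTs on Gi1/0/9 raise a pool_starvation alert. A switch with DHCP snooping enabled drops the rogue OFFER at the port rather than merely logging it; the port-security counterpart is limiting how many MAC addresses one access port may source.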

Related Weaknesses (CWE)

CWE ID Description
CWE-923 Improper Restriction of Communication Channel to Intended Endpoints

Related CAPECs

CAPEC ID Description
CAPEC-94 An adversary targets the communication between two components (typically client and server), in order to alter or obtain data from transactions. A general approach entails the adversary placing themself within the communication channel between the two components.
CAPEC-158 In this attack pattern, the adversary monitors network traffic between nodes of a public or multicast network in an attempt to capture sensitive information at the protocol level. Network sniffing applications can reveal TCP/IP, DNS, Ethernet, and other low-level network communication information. The adversary takes a passive role in this attack pattern and simply observes and analyzes the traffic. The adversary may precipitate or indirectly influence the content of the observed transaction, but is never the intended recipient of the target information.
CAPEC-194 An adversary takes advantage of improper authentication to provide data or services under a falsified identity. The purpose of using the falsified identity may be to prevent traceability of the provided data or to assume the rights granted to another individual. One of the simplest forms of this attack would be the creation of an email message with a modified "From" field in order to appear that the message was sent from someone other than the actual sender. The root of the attack (in this case the email system) fails to properly authenticate the source and this results in the reader incorrectly performing the instructed action. Results of the attack vary depending on the details of the attack, but common results include privilege escalation, obfuscation of other attacks, and data corruption/manipulation.

Taxonomy Mappings

Taxonomy: ATTACK

Entry ID Entry Name
1557.003 Adversary-in-the-Middle: DHCP Spoofing
