1. (3 points) DHCP Attack 1
Another type of attack that was not included in the workshop is DHCP (dynamic host configuration protocol) based
attacks. Do a bit of research into how DHCP works and about some DHCP attacks and answer the following questions.
1. What are the 4 packets (messages) that are communicated between the client seeking an IP address and the DHCP
2. Are the 4 messages Layer 2 unicast or broadcast (be careful not to confuse between Layer 3 broadcast, which is
sending to an IP broadcast address like 10.0.2.255, as opposed to Layer 2 broadcast which is sent to MAC address
3. Therefore, in a switched network, which of the 4 messages in the DHCP negotiation would the attacker be able to
4. Briefly explain how DHCP spoofing and DHCP starvation attacks are executed, and how the two can be used in
5. For an adversary looking to perform MITM, which DHCP configuration option(s) would you try to manipulate?
6. Briefly explain how “DHCP snooping” configuration in a switch works to prevent DHCP spoofing?
2. (2 points) DHCP Attack 2
1. In your VirtualBox, change the Network setting to Promiscuous Mode = Allow Any on both Kali and DSL.
2. Run Wireshark on Kali (on eth0) and restart DSL
3. Capture the 4x DHCP messages between DSL and DHCP server (10.0.2.3) on Wireshark and take a screenshot.
4. Repeat while simulating a switched network (set Promiscuous Mode = Deny) and capture the 2x DHCP messages.
You should not need to reboot Kali after changing the network settings, but you do need to reboot DSL to refresh
** Due to the erroneous implementation of the virtual DHCP server, you will probably see 4 messages (same result as 2-3
above) instead of the 2 that you are expecting. That’s OK: please state the results you get. This is an optional activity, but you
can try doing the experiment in your home network with Kali running in “bridged mode”. If your mobile phone is connected
to the same WiFi network, “forget” the connection and re-connect.
3. (3 points) DHCP Attack 3
1. Keep Wireshark running on Kali.
2. Use Ettercap’s DHCP spoofing function to demonstrate how you can supply the victim (DSL) with a rogue DNS
server, to make it easy for the attacker to spoof DNS replies. Try to perform DHCP spoofing to inject DNS server of
3. Reboot DSL and confirm that DNS has been poisoned by looking at /etc/resolv.conf. Take a screenshot (do cat
4. Go to Wireshark, and identify the REAL DHCP ACK (coming from the 10.0.2.3 MAC address) and FAKE DHCP ACK
(from the Kali MAC address) being sent to DSL. Take a screenshot.
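The real-versus-fake ACK comparison in step 4 can also be automated from the defender's side. The following is an added example, not part of the assignment: it parses DHCP payloads and flags any OFFER or ACK that does not come from an authorized (MAC, server identifier) pair. All MAC addresses, the second server address and the DNS address are constructed sample values; only 10.0.2.3 is taken from the exercise.

```python
import socket

MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie after the 236-byte BOOTP header
TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK"}

def parse_dhcp(payload):
    """Extract message type, server identifier and DNS servers from a DHCP UDP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    info = {"type": None, "server_id": None, "dns": []}
    i = 240
    while i < len(payload) and payload[i] != 255:   # 255 = End option
        if payload[i] == 0:                         # Pad option: no length byte
            i += 1
            continue
        if i + 2 > len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError("truncated option")
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        addrs = [socket.inet_ntoa(value[j:j + 4]) for j in range(0, length - 3, 4)]
        if code == 53 and length == 1:              # DHCP Message Type
            info["type"] = TYPES.get(value[0], str(value[0]))
        elif code == 54 and addrs:                  # Server Identifier
            info["server_id"] = addrs[0]
        elif code == 6:                             # Domain Name Server
            info["dns"] = addrs
        i += 2 + length
    return info

def rogue_replies(frames, authorized):
    """Return (src_mac, info) for every OFFER/ACK not sent by an authorized (MAC, IP) pair."""
    flagged = []
    for src_mac, payload in frames:
        info = parse_dhcp(payload)
        if info["type"] in ("OFFER", "ACK") and (src_mac, info["server_id"]) not in authorized:
            flagged.append((src_mac, info))
    return flagged

def sample_reply(msg_type, server_ip, dns_ip):
    """Constructed reply: zeroed BOOTP header (op=2) plus options 53, 54, 6 and End."""
    header = bytes([2]) + bytes(235)
    options = (bytes([53, 1, msg_type]) + bytes([54, 4]) + socket.inet_aton(server_ip)
               + bytes([6, 4]) + socket.inet_aton(dns_ip) + b"\xff")
    return header + MAGIC + options

# Constructed MACs and addresses; only 10.0.2.3 (the lab DHCP server) comes from the exercise.
AUTHORIZED = {("52:54:00:00:00:03", "10.0.2.3")}
FRAMES = [("52:54:00:00:00:03", sample_reply(5, "10.0.2.3", "10.0.2.3")),
          ("08:00:27:00:00:01", sample_reply(5, "10.0.2.4", "192.0.2.53"))]

if __name__ == "__main__":
    for mac, info in rogue_replies(FRAMES, AUTHORIZED):
        print("unauthorized DHCP", info["type"], "from", mac, "DNS", info["dns"])
```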