/dhcplayer

Play with DHCP

Primary LanguageRustGNU Affero General Public License v3.0AGPL-3.0

DHCPlayer

Moved to https://gitlab.com/Zer1t0/dhcplayer

Crates.io Language Rust

dhcplayer is a tool to perform several actions using the DHCP protocol, both as client or server. It allows you to perform simple DHCP requests but also perform some known attacks like DHCP starvation or setting a rogue DHCP server.

In order to run dhcplayer, you need root privileges to be able to create raw sockets.

Installation

To install:

$ cargo install dhcplayer

DHCP Server

You can create a DHCP server with the server command. In the server you can use the parameters to configure the following options:

  • Available IP Range
  • Broadcast Address
  • Network Mask
  • Router/Gateway IP (by default your IP)
  • DNS server IP(s) (by default your IP)
  • WPAD file (disabled by default)
  • NetBIOS/WINS name server (disabled by default)
$ sudo dhcplayer server -I eth0 -v --dns 192.168.122.5 --wpad http://wpadserver.local/wpad.dat --netbios 192.168.122.4 --start-ip 192.168.122.60 --end-ip 192.168.122.70
INFO - IP pool: 192.168.122.61-192.168.122.69
INFO - Mask: 255.255.255.0
INFO - Broadcast: 192.168.122.70
INFO - DHCP: 192.168.122.81
INFO - DNS: [192.168.122.5]
INFO - Router: [192.168.122.81]
INFO - Netbios: [192.168.122.4]
INFO - WPAD: http://wpadserver.local/wpad.dat
INFO - DISCOVER from 52:54:00:97:9a:b7
INFO - Offer 192.168.122.69
INFO - REQUEST from 52:54:00:97:9a:b7
INFO - Requested IP 192.168.122.69
INFO - ACK to 192.168.122.69 for 52:54:00:97:9a:b7

Starvation Attack

You can launch a DHCP Starvation attack against DHCP servers by using the starv command.

The starv command will request all the available IP addresses offered by the DHCP servers in the network. If you want to just target specific servers, you can use the servers parameter.

$ sudo dhcplayer starv -I eth0 --server 192.168.122.1
192.168.122.80 90:25:4f:b0:51:04
192.168.122.118 eb:a3:fd:f4:26:d5
192.168.122.134 c6:f3:bd:ae:d9:ae
...

To stop the attack you need to press Ctrl-C. When the attack is stopped, by default, all the acquired IPs will be released. In case you don't want to release them, you can use the -n/--no-release flag.

Discover

The discover command allows you to discover an request the IPs available from a DHCP server.

In the most basic use the command will request an IP from any DHCP server. If you want to request an specific server, you can use the server parameter.

$ sudo dhcplayer discover -I eth0
ACK received from 192.168.122.81
Acquired IP: 192.168.122.67
Client MAC: 52:54:00:97:9a:b7
Options:
[54] DHCP Server ID: 192.168.122.81
[51] IP Address Lease Time: 3600
[58] Renewal Time: 1800
[59] Rebinding Time: 3150
[1] Subnet Mask: 255.255.255.0
[28] Broadcast Address: 192.168.122.70
[3] Router: 192.168.122.81
[6] Domain Server: 192.168.122.5

Discover DHCP servers

Moreover, you can send DISCOVER messages without requesting the IP addresses. You can do this with the -n/--no-request flag. In that case, dhcplayer will listen for all the offers made by all the DHCP servers, if there are more than one in the network.

It can be useful to specify --options all to request all the information from a DHCP server.

$ sudo dhcplayer discover -I eth0 -n --options all

OFFER received from 192.168.122.1
Offered IP: 192.168.122.82
Client MAC: 52:54:00:97:9a:b7
DHCP Server: 192.168.122.1
Options:
[54] DHCP Server ID: 192.168.122.1
[51] IP Address Lease Time: 3600
[58] Renewal Time: 1800
[59] Rebinding Time: 3150
[1] Subnet Mask: 255.255.255.0
[28] Broadcast Address: 192.168.122.255
[3] Router: 192.168.122.1
[6] Domain Server: 192.168.122.1

DNS Dynamic Update

You can ask the DHCP server to create a new DNS A record with the --dns-update flag based on the hostname (-H/--hostname) or the FQDN (Fully Qualified Domain Name) (--fqdn). If you don't specify hostname nor FQDN, the DNS record will be deleted.

The server should return the server-update flag in Client FQDN (81) if the update was successful.

sudo dhcplayer discover -I eth2 --dns-update -H test # Update based on hostname
sudo dhcplayer discover -I eth2 --dns-update --fqdn test.contoso.local # Update based on fqdn
sudo dhcplayer discover -I eth2 --dns-update # Delete DNS record
$ sudo dhcplayer discover -I eth2 --dns-update -H test
ACK received from 0.0.0.0
Acquired IP: 192.168.100.3
Client MAC: 52:54:00:88:80:0c
Options:
[58] Renewal Time: 345600
[59] Rebinding Time: 604800
[51] IP Address Lease Time: 691200
[54] DHCP Server ID: 192.168.100.2
[1] Subnet Mask: 255.255.255.0
[81] Client FQDN: flags: 0x1 (server-update) A-result: 255 PTR-result: 0 
[3] Router: 192.168.100.2
[15] Domain Name: contoso.local
[6] Domain Server: 192.168.100.2

$ nslookup test.contoso.local 192.168.100.2
Server:		192.168.100.2
Address:	192.168.100.2#53

Name:	test.contoso.local
Address: 192.168.100.3

$ sudo dhcplayer discover -I eth2 --dns-update
ACK received from 0.0.0.0
Acquired IP: 192.168.100.3
Client MAC: 52:54:00:88:80:0c
Options:
[58] Renewal Time: 345600
[59] Rebinding Time: 604800
[51] IP Address Lease Time: 691200
[54] DHCP Server ID: 192.168.100.2
[1] Subnet Mask: 255.255.255.0
[81] Client FQDN: flags: 0x1 (server-update) A-result: 255 PTR-result: 0 
[3] Router: 192.168.100.2
[15] Domain Name: contoso.local
[6] Domain Server: 192.168.100.2

$ nslookup test.contoso.local 192.168.100.2
Server:		192.168.100.2
Address:	192.168.100.2#53

** server can't find test.contoso.local: NXDOMAIN

Inform

Additionally, you can send an INFORM petition instead of DISCOVER by using the -i/--inform flag of the discover command.

$ sudo dhcplayer discover -I eth0 -i --options wpad,dns --server 192.168.122.1 -v
INFO - INFORM sent - Client MAC 52:54:00:97:9a:b7

ACK received from 192.168.122.1
Acquired IP: 0.0.0.0
Client MAC: 52:54:00:97:9a:b7
Options:
[54] DHCP Server ID: 192.168.122.1
[1] Subnet Mask: 255.255.255.0
[28] Broadcast Address: 192.168.122.255
[6] Domain Server: 192.168.122.1

Release

You can use the release command to release IPs that were acquired by you or other peer. For this you need to specify the IP and the MAC address of the client you want to release.

You can specify the pairs IP/MAC with the format <ip>-<mac>. You can indicate the pairs in the command line, or pass them through a file or stdin.

$ sudo dhcplayer release -I eth2 --server 192.168.100.2 192.168.100.5-ca:2b:d1:21:17:86 192.168.100.7-fe:38:4e:46:95:d6 -v
INFO - RELEASE 192.168.100.5 ca:2b:d1:21:17:86
INFO - RELEASE 192.168.100.7 fe:38:4e:46:95:d6

You can also combine this command with an ARP scan to release the IPs of legit clients. The release clients probably continue using its IPs, but those are free to be assigned to other peer, which may cause some problems in the network.

$ sudo arplayer scan -I eth2 -w 10 | sudo dhcplayer release -I eth2 --server 192.168.100.2 -v
INFO - RELEASE 192.168.100.1 52:54:00:5b:49:5d
INFO - RELEASE 192.168.100.2 52:54:00:0b:75:57
INFO - RELEASE 192.168.100.7 52:54:00:a4:8c:f2
INFO - RELEASE 192.168.100.5 52:54:00:76:87:bb

Disclaimer

Please, don't use this tool for bad things. I won't assume any responsibility for your actions with this tool.