New to CAPEC? Start Here
Home > CAPEC List > CAPEC-697: DHCP Spoofing (Version 3.8)  

CAPEC-697: DHCP Spoofing

Attack Pattern ID: 697
Abstraction: Standard
Presentation Filter:
+ Description

An adversary masquerades as a legitimate Dynamic Host Configuration Protocol (DHCP) server by spoofing DHCP traffic, with the goal of redirecting network traffic or denying service to DHCP.

+ Extended Description

DHCP is broadcast to the entire Local Area Network (LAN) and does not have any form of authentication by default. Therefore, it is susceptible to spoofing.

An adversary with access to the target LAN can receive DHCP messages; obtaining the topology information required to potentially manipulate other hosts' network configurations.

To improve the likelihood of the DHCP request being serviced by the Rogue server, an adversary can first starve the DHCP pool.

+ Likelihood Of Attack

Low

+ Typical Severity

High

+ Relationships
Section HelpThis table shows the other attack patterns and high level categories that are related to this attack pattern. These relationships are defined as ChildOf and ParentOf, and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack patterns that the user may want to explore.
NatureTypeIDName
ChildOfStandard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.194Fake the Source of Data
CanPrecedeMeta Attack PatternMeta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.94Adversary in the Middle (AiTM)
CanPrecedeDetailed Attack PatternDetailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.158Sniffing Network Traffic
Section HelpThis table shows the views that this attack pattern belongs to and top level categories within that view.
+ Execution Flow
Explore
  1. Determine Exsisting DHCP lease: An adversary observes network traffic and waits for an existing DHCP lease to expire on a target machine in the LAN.

    Techniques
    Adversary observes LAN traffic for DHCP solicitations
Experiment
  1. Capture the DHCP DISCOVER message: The adversary captures "DISCOVER" messages and crafts "OFFER" responses for the identified target MAC address. The success of this attack centers on the capturing of and responding to these "DISCOVER" messages.

    Techniques
    Adversary captures and responds to DHCP "DISCOVER" messages tailored to the target subnet.
Exploit
  1. Compromise Network Access and Collect Network Activity: An adversary successfully acts as a rogue DHCP server by redirecting legitimate DHCP requests to itself.

    Techniques
    Adversary sends repeated DHCP "REQUEST" messages to quickly lease all the addresses within network's DHCP pool and forcing new DHCP requests to be handled by the rogue DHCP server.
+ Prerequisites
The adversary must have access to a machine within the target LAN which can send DHCP offers to the target.
+ Skills Required
[Level: Medium]
The adversary must identify potential targets for DHCP Spoofing and craft network configurations to obtain the desired results.
+ Resources Required
The adversary requires access to a machine within the target LAN on a network which does not secure its DHCP traffic through MAC-Forced Forwarding, port security, etc.
+ Consequences
Section HelpThis table specifies different individual consequences associated with the attack pattern. The Scope identifies the security property that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in their attack. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a pattern will be used to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.
ScopeImpactLikelihood
Confidentiality
Access Control
Read Data
Integrity
Access Control
Modify Data
Execute Unauthorized Commands
Availability
Resource Consumption
+ Mitigations
Design: MAC-Forced Forwarding
Implementation: Port Security and DHCP snooping
Implementation: Network-based Intrusion Detection Systems
+ Example Instances
In early 2019, Microsoft patched a critical vulnerability (CVE-2019-0547) in the Windows DHCP client which allowed remote code execution via crafted DHCP OFFER packets. [REF-739]
+ Taxonomy Mappings
Relevant to the ATT&CK taxonomy mapping
Entry IDEntry Name
1557.003Adversary-in-the-Middle: DHCP Spoofing
+ References
[REF-737] Yuval Lazar. "DHCP Spoofing 101". Pentera. 2021-11-03. <https://pentera.io/blog/dhcp-spoofing-101>. URL validated: 2022-09-22.
[REF-738] T. Melsen, S. Blake and Ericsson. "DHCP Spoofing 101". The Internet Society. 2006-06. <https://www.rfc-editor.org/rfc/rfc4562.html>. URL validated: 2022-09-22.
[REF-739] Bosco Sebastian. "DHCP Spoofing 101". McAfee. 2019-08-02. <https://www.mcafee.com/blogs/other-blogs/mcafee-labs/dhcp-client-remote-code-execution-vulnerability-demystified/>. URL validated: 2022-09-22.
+ Content History
Submissions
Submission DateSubmitterOrganization
2022-09-29
(Version 3.8)
CAPEC Content TeamThe MITRE Corporation
More information is available — Please select a different filter.
Page Last Updated or Reviewed: September 29, 2022