{'xhtml:p': 'An adversary masquerades as a legitimate Dynamic Host Configuration Protocol (DHCP) server by spoofing DHCP traffic, with the goal of redirecting network traffic or denying service to DHCP.'}
Description
Attack Execution Flow
3
1
Step 1
Explore[Determine Exsisting DHCP lease] An adversary observes network traffic and waits for an existing DHCP lease to expire on a target machine in the LAN.
Adversary observes LAN traffic for DHCP solicitations
AI Translation
[Determina il lease DHCP esistente] Un avversario osserva il traffico di rete e attende che un lease DHCP esistente scada su una macchina target nella LAN.
L'avversario osserva il traffico LAN per le solicitazioni DHCP
Attack Techniques
-
Adversary observes LAN traffic for DHCP solicitations
2
Step 2
Experiment[Capture the DHCP DISCOVER message] The adversary captures 'DISCOVER' messages and crafts 'OFFER' responses for the identified target MAC address. The success of this attack centers on the capturing of and responding to these 'DISCOVER' messages.
Adversary captures and responds to DHCP 'DISCOVER' messages tailored to the target subnet.
AI Translation
[Acquisizione del messaggio DHCP DISCOVER] L'attore malevolo cattura i messaggi "DISCOVER" e crea risposte "OFFER" per l'indirizzo MAC del target identificato. Il successo di questo attacco dipende dalla capacità di catturare e rispondere a questi messaggi "DISCOVER".
L'attore malevolo cattura e risponde ai messaggi DHCP "DISCOVER" adattati alla subnet di destinazione.
Attack Techniques
-
Adversary captures and responds to DHCP "DISCOVER" messages tailored to the target subnet.
3
Step 3
Exploit[Compromise Network Access and Collect Network Activity] An adversary successfully acts as a rogue DHCP server by redirecting legitimate DHCP requests to itself.
Adversary sends repeated DHCP 'REQUEST' messages to quickly lease all the addresses within network's DHCP pool and forcing new DHCP requests to be handled by the rogue DHCP server.
AI Translation
[Compromise Network Access and Collect Network Activity] Un avversario si comporta con successo come un server DHCP fraudolento reindirizzando le richieste DHCP legittime verso se stesso.
L'avversario invia ripetutamente messaggi DHCP "REQUEST" per affittare rapidamente tutti gli indirizzi all’interno del pool DHCP della rete, costringendo le nuove richieste DHCP a essere gestite dal server DHCP fraudolento.
Attack Techniques
-
Adversary sends repeated DHCP "REQUEST" messages to quickly lease all the addresses within network's DHCP pool and forcing new DHCP requests to be handled by the rogue DHCP server.
Mitigations
3
Design: Mac-Forced Forwarding
Implementation: Network-Based Intrusion Detection Systems
Implementation: Port Security And Dhcp Snooping
Consequences
Security Scopes Affected
Access Control
Availability
Confidentiality
Integrity
Potential Impacts
Execute Unauthorized Commands
Modify Data
Read Data
Resource Consumption
Relationships
Parent CAPECs
Related ATT&CK Techniques
1
T1557.003
DHCP Spoofing
Adversaries may redirect network traffic to adversary-owned systems by spoofing Dynamic Host Configuration Protocol (DHCP) traffic and acting as a …
Resources Required
1
The adversary requires access to a machine within the target LAN on a network which does not secure its DHCP traffic through MAC-Forced Forwarding, port security, etc.