
4/23/2018 Understanding Cisco Cybersecurity Fundamentals

2.2 Understanding the Network Infrastructure

Analyzing DHCP Operations


Various attacks are emerging that target the Dynamic Host Configuration Protocol or DHCP. In any organization with
multiple DHCP clients, DHCP server availability is critical. It is important for security analysts to understand the DHCP
messages that are exchanged between the DHCP server and the DHCP client, in order to effectively monitor, troubleshoot,
and mitigate DHCP-based attacks. Moreover, when analyzing logs, identifying or correlating attack-related issues is easier
for the security analyst who has a solid understanding of DHCP and how it functions.

In large environments, manual address assignment can become an excessive administrative problem, especially for mobile
devices that roam from one network to another many times each day. DHCP is a standardized network protocol for
dynamically distributing IP addresses automatically, and setting other network configuration parameters, such as the subnet
mask, default router, and DNS servers. With DHCP, computers request IP addresses and networking parameters
automatically from a DHCP server, reducing the need for network administrators or users to manually configure these
settings.

In an enterprise environment, a DHCP server is usually a dedicated device; in smaller deployments or some branch offices,
it can be configured on DHCP-capable switches or routers.

DHCP employs a connectionless service model using UDP, and is implemented using the same two UDP port numbers as
BOOTP. In fact, DHCP is implemented as an option of BOOTP and uses BOOTP as its transport protocol. UDP port
number 67 is the destination port of a DHCP server, and UDP port number 68 is used by the DHCP client.

https://ondemandelearning.cisco.com/cybersec-nil/secfnd/sections/2/pages/2 1/7

Some of the most common messages that are exchanged between the DHCP server and the client are as follows:

• DHCPDISCOVER

• DHCPOFFER

• DHCPREQUEST

• DHCPACK

When a computer or other networked device connects to a network, the DHCP client software broadcasts a
DHCPDISCOVER message on its local physical subnet to UDP port 67 in order to locate available servers.

When a DHCP server receives a DHCPDISCOVER message from a client, which is an IP address lease request, the server
reserves an IP address for the client and makes a lease offer by sending a DHCPOFFER message to the client on UDP
port 68. This message contains the client's MAC address, the IP address that the server is offering, the subnet mask, the
lease duration, and the IP address of the DHCP server that is making the offer. The offer from the DHCP server is not a
guarantee that the IP address will be allocated to the client; however, the server usually reserves the address until the client
has had a chance to formally request the address.

After the client receives a DHCPOFFER, it responds with a DHCPREQUEST message, indicating its intent to accept the
parameters in the DHCPOFFER. A client can receive DHCP offers from multiple servers, but it will accept only one DHCP
offer.

When the DHCP server receives the DHCPREQUEST message from the client, the configuration process enters its final
phase. The acknowledgement phase involves sending a DHCPACK packet to the client. This packet includes the lease
duration and any other configuration information that the client might have requested. At this point, the IP configuration
process is completed.


Note

As indicated in the figure above, DHCPOFFER and DHCPACK messages are sometimes sent as broadcasts instead
of unicasts. For details, refer to RFC 2131, Dynamic Host Configuration Protocol.

The lease mechanism ensures that hosts that have been moved or are switched off for extended periods do not keep
addresses that they do not use. The addresses are returned to the address pool by the DHCP server, to be reallocated as
necessary.

In addition to the four most common DHCP messages, you might also see other DHCP messages in packet captures as
follows:

• DHCPNAK: A DHCPNAK is a negative acknowledgment from the DHCP server. For example, the server sends
DHCPNAK if the client requests an address that is already in use by another client.

• DHCPDECLINE: If the DHCP client determines the offered configuration parameters are invalid, it sends a
DHCPDECLINE packet to the server, and the client must begin the lease process again.

• DHCPRELEASE: After the client is ready to give up the DHCP IP address, it sends a DHCPRELEASE message.

• DHCPINFORM: A DHCP client that already has an IP address can use a DHCPINFORM message to request additional
information from the server. For example, browsers use DHCPINFORM to obtain web proxy settings.

DHCP Relay Agent


The DHCP server does not have to reside on the same subnet as the DHCP client. In fact, it is impractical to have a
DHCP server on every subnet, and most enterprise networks have a few centralized DHCP servers. The DHCP relay agent
acts as an intermediary and ensures that local DHCP client requests are passed on to the centralized DHCP servers. Any
Layer 3-capable device, such as a router or switch, can function as a DHCP relay agent.

The primary function of a DHCP relay agent is to forward DHCP messages from the local clients to the remote DHCP
server.


When a DHCP relay agent receives a broadcast packet from a connected client, it examines the giaddr field. If the field has
an IP address of 0.0.0.0, then the DHCP relay agent changes the giaddr field in DHCP packets from zero to the relay agent
IP address and forwards the message to the remote subnet where the DHCP server is located.

The DHCP server uses this IP address to select an IP address pool from which to assign the IP addresses to the DHCP
client.

The return packets from the DHCP server are directly sent to the relay agent identified in the giaddr field. The DHCP relay
agent forwards or relays the reply to the DHCP client.
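The giaddr handling just described, as an added example that is not part of the course material: a constructed DHCPDISCOVER passes through a relay function that writes the relay's interface address into a zero giaddr, and a server-side function selects the address pool from that field. The 236-byte fixed header layout is the one from RFC 2131; the pools, addresses and MAC are constructed for the example.

```python
import struct
from ipaddress import IPv4Address, IPv4Network

# RFC 2131 fixed header (236 bytes): op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr, chaddr(16), sname(64), file(128)
HDR = "!BBBBIHH4s4s4s4s16s64s128s"
HOPS, GIADDR = 3, 10               # positions of those two fields in the unpacked tuple
ZERO = b"\x00" * 4

def discover(xid, mac):
    """Constructed client DISCOVER: every address field is 0.0.0.0 and hops is 0."""
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\x00")
    return struct.pack(HDR, 1, 1, 6, 0, xid, 0, 0, ZERO, ZERO, ZERO, ZERO, chaddr, b"", b"")

def header_info(pkt):
    """The two header fields the relay and the server act on."""
    f = struct.unpack(HDR, pkt[:236])
    return {"hops": f[HOPS], "giaddr": str(IPv4Address(f[GIADDR]))}

def relay_forward(pkt, relay_ip):
    """Relay agent: if giaddr is still 0.0.0.0, write the relay's own interface address
    into it; hops is incremented on every relay hop (RFC 2131). A packet that already
    carries a giaddr came through an upstream relay and keeps that address."""
    f = list(struct.unpack(HDR, pkt[:236]))
    if f[GIADDR] == ZERO:
        f[GIADDR] = IPv4Address(relay_ip).packed
    f[HOPS] += 1
    return struct.pack(HDR, *f) + pkt[236:]

def select_pool(pkt, pools, local_pool):
    """Server side: giaddr 0.0.0.0 means the client is on the server's own subnet, so the
    local pool applies; otherwise use the pool whose subnet contains giaddr."""
    giaddr = IPv4Address(header_info(pkt)["giaddr"])
    if giaddr == IPv4Address("0.0.0.0"):
        return local_pool
    return next((p for p in pools if giaddr in IPv4Network(p)), None)

# Constructed topology: the server's own subnet is 192.168.198.0/24; a relay on the
# 10.1.20.0/24 segment forwards from its interface 10.1.20.1.
POOLS = ["192.168.198.0/24", "10.1.20.0/24"]

def demo():
    direct = discover(0x98bd7222, "00:0c:29:1b:a3:84")
    relayed = relay_forward(direct, "10.1.20.1")
    return (select_pool(direct, POOLS, POOLS[0]), select_pool(relayed, POOLS, POOLS[0]),
            header_info(relayed))
```

A giaddr that matches no configured pool makes select_pool return None, which is the case the server logs as "no address pool" and answers with nothing.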

Capturing DHCP Examples


If you want to monitor DHCP communication between a DHCP server and a client, you can run a packet sniffing tool, such
as tcpdump or dhcpdump, on the same local network and capture DHCP traffic. You can also run debug commands on
Cisco IOS routers and switches if they are acting as DHCP servers or relay agents to view DHCP traffic going to or
transiting these devices.

Below is a sample tcpdump output from a Linux machine. The tcpdump capture shows renewals. Typically a client sends a
REQUEST when the lease lifetime is 50% used up, and an ACK from the server resets the lifetime back to its full value.

admin@pc:~$ sudo tcpdump -i eth0 port 67 or port 68 -e -n
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
15:40:44.336909 00:0c:29:1b:a3:84 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 34
15:40:44.337311 00:50:56:fd:83:cd > 00:0c:29:1b:a3:84, ethertype IPv4 (0x0800), length 34
16:01:58.549937 00:0c:29:1b:a3:84 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 36
16:01:58.551804 00:50:56:fd:83:cd > 00:0c:29:1b:a3:84, ethertype IPv4 (0x0800), length 34

Packet sniffing is enabled on port 67 (the DHCP server port) and port 68 (the DHCP client port). The -e option makes
tcpdump print the source and destination MAC addresses, the -n option tells it not to resolve addresses to names, and
the -i option selects the interface to listen on. Here, eth0 is the name of the interface.

In the tcpdump output above, locate the DHCP request and reply messages between the client and the server. Finally,
the client with the MAC address 00:0c:29:1b:a3:84 is assigned the IP address 192.168.198.1 by the DHCP server at
192.168.198.254. This output is useful for quickly analyzing the basic exchange between the DHCP server and the
client.

For in-depth analysis of the DHCP packets, use the dhcpdump tool. The following is a sample dhcpdump output from the
Linux machine on the eth0 interface.

admin@pc:~$ sudo dhcpdump -i eth0
<output omitted>
TIME: 2016-07-22 18:03:26.783
IP: 192.168.198.254 (0:50:56:fd:83:cd) > 192.168.198.128 (0:c:29:1b:a3:84)
OP: 2 (BOOTPREPLY)
HTYPE: 1 (Ethernet)
HLEN: 6
HOPS: 0
XID: 98bd7222
SECS: 0
FLAGS: 0
CIADDR: 0.0.0.0
YIADDR: 192.168.198.128
SIADDR: 192.168.198.254
GIADDR: 0.0.0.0
CHADDR: 00:0c:29:1b:a3:84:00:00:00:00:00:00:00:00:00:00
SNAME: .
FNAME: .
OPTION: 53 ( 1) DHCP message type 5 (DHCPACK)
OPTION: 54 ( 4) Server identifier 192.168.198.254
OPTION: 51 ( 4) IP address leasetime 1800 (30m)
OPTION: 1 ( 4) Subnet mask 255.255.255.0
OPTION: 28 ( 4) Broadcast address 192.168.198.255
OPTION: 3 ( 4) Routers 192.168.198.2
OPTION: 15 ( 11) Domainname localdomain
OPTION: 6 ( 4) DNS server 192.168.198.2
OPTION: 44 ( 4) NetBIOS name server 192.168.198.2
<output omitted>

This output is more detailed than the tcpdump output. The YIADDR field holds the IP address assigned to the client, and
the SIADDR field holds the IP address of the server. Notice the multiple OPTION fields in this output; the tcpdump output
did not decode any options. For example, Option 53 carries the DHCP message type, which in this output is DHCPACK, and
the lease time granted to the client appears in Option 51.

The IP address, subnet mask, default gateway, and DNS server are the minimum configuration parameters that a DHCP
client needs to get online. In addition, the DHCP server can provide the DNS domain name, NetBIOS name servers, and
so on, as seen in the OPTION lines of this output.
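As an added example (not code from the course), the following builds a DHCPACK carrying the same header fields and options as the dhcpdump output above and decodes it again, including the option TLV walk that dhcpdump performs after the fixed header. The header layout and option codes follow RFC 2131 and RFC 2132; the packet itself is constructed.

```python
import struct
from ipaddress import IPv4Address

HDR = "!BBBBIHH4s4s4s4s16s64s128s"   # RFC 2131 fixed BOOTP header, 236 bytes
MAGIC = b"\x63\x82\x53\x63"           # DHCP magic cookie; option TLVs follow it
NAMES = {1: "subnet_mask", 3: "routers", 6: "dns", 15: "domain", 28: "broadcast",
         44: "netbios_ns", 51: "lease", 53: "msg_type", 54: "server_id"}
TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST", 4: "DHCPDECLINE",
         5: "DHCPACK", 6: "DHCPNAK", 7: "DHCPRELEASE", 8: "DHCPINFORM"}
DECODE = {53: lambda v: TYPES.get(v[0], v[0]), 51: lambda v: struct.unpack("!I", v)[0],
          15: bytes.decode}           # any other non-address option is kept as raw bytes
ip4 = lambda s: IPv4Address(s).packed

def build(op, xid, yiaddr, siaddr, mac, options):
    """Header + cookie + option TLVs + END marker; options is [(code, raw bytes), ...]."""
    tlv = b"".join(bytes([c, len(v)]) + v for c, v in options) + b"\xff"
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\x00")
    return struct.pack(HDR, op, 1, 6, 0, xid, 0, 0, ip4("0.0.0.0"), ip4(yiaddr),
                       ip4(siaddr), ip4("0.0.0.0"), chaddr, b"", b"") + MAGIC + tlv

def parse(pkt):
    """Decode the header fields dhcpdump prints plus the option list."""
    f = struct.unpack(HDR, pkt[:236])
    d = {"op": f[0], "xid": "%08x" % f[4], "chaddr": f[11][:f[2]].hex(":")}
    for name, raw in zip(("ciaddr", "yiaddr", "siaddr", "giaddr"), f[7:11]):
        d[name] = str(IPv4Address(raw))
    if pkt[236:240] != MAGIC:
        raise ValueError("no magic cookie: plain BOOTP or truncated capture")
    i, opts = 240, {}
    while i < len(pkt) and pkt[i] != 255:      # 255 = END
        if pkt[i] == 0:                         # 0 = PAD, carries no length byte
            i += 1; continue
        code, ln = pkt[i:i + 2]
        v = pkt[i + 2:i + 2 + ln]
        if len(v) != ln:
            raise ValueError("option %d runs past the end of the packet" % code)
        i += 2 + ln
        if code in (1, 3, 6, 28, 44, 54):       # IPv4-valued options; first of a list
            v = str(IPv4Address(v[:4]))
        else:
            v = DECODE.get(code, lambda v: v)(v)
        opts[NAMES.get(code, code)] = v
    d["options"] = opts
    return d
# Constructed DHCPACK carrying the same values as the dhcpdump output above.
ACK = build(2, 0x98bd7222, "192.168.198.128", "192.168.198.254", "00:0c:29:1b:a3:84",
            [(53, b"\x05"), (54, ip4("192.168.198.254")), (51, struct.pack("!I", 1800)),
             (1, ip4("255.255.255.0")), (28, ip4("192.168.198.255")), (3, ip4("192.168.198.2")),
             (15, b"localdomain"), (6, ip4("192.168.198.2")), (44, ip4("192.168.198.2"))])
```

A capture cut short inside an option, or a packet without the magic cookie, raises ValueError rather than producing a half-decoded record, which matters when the decoder feeds alerting logic.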

Beyond the configuration parameters shown in this output, a DHCP server has the flexibility to provide other
configuration parameters as well. For example, lightweight access points (LWAPs) can use the information provided in
Option 43 to join specific WLAN controllers. Similarly, IP phones and gateways can use the DHCP information provided in
Option 150 to discover the TFTP server IP address for image download. In this way, DHCP provides an extensible
framework through which vendors can implement dynamic configuration for their products.

As an analyst examining the partial PCAP with the DHCP packets shown below, what should you suspect?


The figure above shows the result of using a tool called Yersinia to launch a DHCP attack against the DHCP server.
Yersinia can generate DHCPDISCOVER requests with spoofed MAC addresses at a rapid rate to quickly exhaust the IP
address pool on the DHCP server, so that all legitimate DHCP clients on the victim network are starved of addresses. The
attacker can then set up a rogue DHCP server on the network and perform man-in-the-middle attacks.

As shown in the Wireshark output above, a large number of DHCPDISCOVER packets are broadcast from different spoofed
MAC addresses. The DHCP server (192.168.200.1) responds with DHCPOFFER packets until all available IP addresses are
exhausted.
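One defender-side check for the pattern in that capture, as an added example that is not from the course or from the tool described: a sliding-window count of distinct client MACs sending DHCPDISCOVER, plus a per-server DHCPOFFER tally, run over a constructed event list that mimics the flood. The window and threshold values are assumptions to be tuned per network.

```python
from collections import deque

SERVER = "00:50:56:fd:83:cd"        # constructed: the legitimate DHCP server's MAC

def _spoofed(i):
    """Deterministic stand-in for the random MACs a starvation tool generates."""
    return "02:00:00:00:%02x:%02x" % (i >> 8, i & 0xff)

# Constructed capture summary as (milliseconds into capture, source MAC, message type).
# The first two entries are one ordinary client completing DISCOVER/REQUEST; the rest
# are sixty DISCOVERs from sixty different MACs inside 0.6 s, each answered by an OFFER.
EVENTS = [(0, "00:0c:29:1b:a3:84", "DHCPDISCOVER"),
          (300, "00:0c:29:1b:a3:84", "DHCPREQUEST")]
EVENTS += [(1000 + 10 * i, _spoofed(i), "DHCPDISCOVER") for i in range(60)]
EVENTS += [(1005 + 10 * i, SERVER, "DHCPOFFER") for i in range(60)]
EVENTS.sort()

def starvation_alerts(events, window_ms=1000, max_clients=20):
    """Alert when more than max_clients distinct MACs send DHCPDISCOVER inside any
    window_ms span. One alert per burst: it re-arms once the window count drops back."""
    recent = deque()                 # (time, mac) of DISCOVERs still inside the window
    alerts, armed = [], True
    for t, mac, kind in events:
        if kind != "DHCPDISCOVER":
            continue
        recent.append((t, mac))
        while t - recent[0][0] > window_ms:
            recent.popleft()
        distinct = len({m for _, m in recent})
        if distinct > max_clients and armed:
            alerts.append({"at_ms": t, "distinct_macs": distinct})
            armed = False
        elif distinct <= max_clients:
            armed = True
    return alerts

def offers_per_server(events):
    """How many DHCPOFFERs each server MAC sent; a spike on the real server, followed by
    silence while DISCOVERs keep arriving, is the pool running dry."""
    counts = {}
    for _, mac, kind in events:
        if kind == "DHCPOFFER":
            counts[mac] = counts.get(mac, 0) + 1
    return counts
```

On a switch with DHCP snooping, the same distinct-MAC count is what a per-port rate limit enforces; this version is the equivalent check over an existing capture.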

Content Review Question

When using DHCP with LWAP devices, which one of the following is option 43 used for?

to identify the default gateway

to assign a fallback IP address

to supply the specific WLAN controllers IP address

to supply the specific NAME server IP address


Content Review Question



During the DHCP initializing state (when a client first boots up), which two DHCP messages are always sent as
broadcasts? (Choose two.)

DHCPOFFER

DHCPDISCOVER

DHCPREQUEST

DHCPACK


