搭建DHCP服务器测试欺骗

准备两台虚拟机,操作系统debian7

一台搭建好DHCP服务器,作为伪装的dhcp server;另一台作为client端,请求dhcp分配IP地址
正常环境下,虚假的DHCP服务器会给client虚拟机分配IP地址,达到欺诈的目的

 

前提条件,必须查询到CIDR,range IP地址,掩码,DNS服务器等信息,为下面搭建DHCP服务器做准备

开始测试
首先是伪装DHCP的虚拟机
VM1:IP地址为10.180.163.200/28
在这台虚拟机上搭建DHCP服务器
安装:

apt-get install isc-dhcp-server

配置DHCP信息:

subnet 10.180.163.192 netmask 255.255.255.240 {
    INTERFACES="eth1";
    range 10.180.163.201 10.180.163.203;
    option domain-name-servers 10.180.156.5;
    option routers 10.180.160.1;
    option subnet-mask 255.255.255.240;
    option broadcast-address 10.180.163.255;
}

其中:
INTERFACES:网卡
range:虚假DHCP服务器准备给client端分配的IP地址范围
domain-name-servers:DNS服务器
routers:网关
subnet-mask:掩码
broadcast-address:广播地址

重启服务

service isc-dhcp-server restart

查下状态

# service isc-dhcp-server status
Status of ISC DHCP server: dhcpd is running.

这样一台伪装的DHCP服务器就搭建好了

然后就是准备发送dhcp请求的虚拟机
VM2:IP地址为10.180.163.199/28

根据VM1搭建的DHCP分配的IP范围可以看到,VM2会被分配的IP为201~203
但是需要注意的一点,我们创建的虚拟机的某些信息已经被记录了下来了
VM2:

# cat /var/lib/dhcp/dhclient.eth1.leases
lease {
  interface "eth1";
  fixed-address 10.180.163.199;
  option subnet-mask 255.255.255.240;
  option dhcp-lease-time 86400;
  option dhcp-message-type 5;
  option dhcp-server-identifier 10.180.163.196;
  option domain-search ;
  option dhcp-renewal-time 43200;
  option rfc3442-classless-static-routes 22,10,180,160,0,0,0,0,8,10,10,180,160,1,23,10,180,10,10,180,160,1,23,10,180,8,10,180,160,1,12,172,16,10,180,160,1,16,192,168,10,180,160,1;
  option broadcast-address 10.180.163.207;
  option dhcp-rebinding-time 75600;
  option host-name "host-10-180-163-199";
  renew 4 2015/10/15 19:53:11;
  rebind 5 2015/10/16 07:41:12;
  expire 5 2015/10/16 10:41:12;
}

可以看到,记录的就是创建虚拟机,网络真实分配的IP地址199
因此假如想要发送dhclient请求,首先要清空这个文件

echo '' > /var/lib/dhcp/dhclient.eth1.leases

之后清空网卡eth1的IP地址

ifconfig eth1 0

最后VM2发送dhcp请求

dhclient -v eth1 -lf /var/lib/dhcp/dhclient.eth1.leases

写成一个shell脚本

#!/bin/bash

NIC=$1

echo '' > /var/lib/dhcp/dhclient.$NIC.leases
ifconfig $NIC 0
dhclient -v $NIC -lf /var/lib/dhcp/dhclient.$NIC.leases

参数带eth1来执行,写成一个脚本的原因是,这种测试场景下,并不是每次虚假DHCP服务器(VM1)都能够完成给VM2分配201~203的IP地址,而正常情况下,dhcp请求的主机会根据DHCP响应的先后来分配IP地址,确切地说,是根据成功分配IP地址的先后来完成分配,也就是说,如果是真实DHCP服务器先响应完全分配了199,那么虚假DHCP分配的201~203就没法完成;只有当虚假DHCP先完全完成分配IP地址,VM2才能真正地被欺骗

下面是通过抓包来进行分析,用到的抓包工具是wireshark的命令行工具tshark
VM2:发送dhcp请求

# dhclient -v eth1 -lf /var/lib/dhcp/dhclient.eth1.leases
Internet Systems Consortium DHCP Client 4.2.2
Copyright 2004-2011 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/ 
Listening on LPF/eth1/fa:16:3e:ab:1d:c3
Sending on   LPF/eth1/fa:16:3e:ab:1d:c3
Sending on   Socket/fallback
DHCPDISCOVER on eth1 to 255.255.255.255 port 67 interval 5
DHCPREQUEST on eth1 to 255.255.255.255 port 67
DHCPOFFER from 10.180.163.196
DHCPACK from 10.180.163.196
bound to 10.180.163.199 -- renewal in 34476 seconds.

看上去好像分配的还是199,没有被欺骗的样子

VM1:虚假DHCP服务器,能够收到请求

tshark -i eth1 -R "udp.port == 67"
tshark: Lua: Error during loading:
 [string "/usr/share/wireshark/init.lua"]:45: dofile has been disabled
Running as user "root" and group "root". This could be dangerous.
Capturing on eth1
117.261618      0.0.0.0 -> 255.255.255.255 DHCP 342 DHCP Discover - Transaction ID 0xd8b82b19
117.262926      0.0.0.0 -> 255.255.255.255 DHCP 342 DHCP Request  - Transaction ID 0xd8b82b19

VM1:请求主机

~# tshark -i eth1 -R "udp.port == 67"
tshark: Lua: Error during loading:
 [string "/usr/share/wireshark/init.lua"]:45: dofile has been disabled
Running as user "root" and group "root". This could be dangerous.
Capturing on eth1
 36.233466      0.0.0.0 -> 255.255.255.255 DHCP 342 DHCP Discover - Transaction ID 0xd8b82b19
 36.234861 10.180.163.196 -> 10.180.163.199 DHCP 370 DHCP Offer    - Transaction ID 0xd8b82b19
 36.234957 10.180.163.195 -> 10.180.163.199 DHCP 370 DHCP Offer    - Transaction ID 0xd8b82b19
 36.235035      0.0.0.0 -> 255.255.255.255 DHCP 342 DHCP Request  - Transaction ID 0xd8b82b19
 36.235537 10.180.163.196 -> 10.180.163.199 DHCP 391 DHCP ACK      - Transaction ID 0xd8b82b19

的确看到了ACK,但是这个ACK是从真实的DHCP服务器196来的,而不是我自己搭的虚假DHCP服务器199

这时候就多发送几次请求,因为我们测试的目的就是要达到欺骗的目的,让虚假DHCP服务器VM2欺骗主机VM1

VM2:继续发请求,看上去成功了

~# ./dhclient.sh eth1
Internet Systems Consortium DHCP Client 4.2.2
Copyright 2004-2011 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/ 
Listening on LPF/eth1/fa:16:3e:ab:1d:c3
Sending on   LPF/eth1/fa:16:3e:ab:1d:c3
Sending on   Socket/fallback
DHCPDISCOVER on eth1 to 255.255.255.255 port 67 interval 7
DHCPREQUEST on eth1 to 255.255.255.255 port 67
DHCPOFFER from 10.180.163.200
DHCPACK from 10.180.163.200
bound to 10.180.163.203 -- renewal in 242 seconds.

根据信息可以看到,收到了来自200的ACK,分配了203IP地址

VM2:查看dhcp包得情况

~# tshark -i eth1 -R "udp.port == 67"
tshark: Lua: Error during loading:
 [string "/usr/share/wireshark/init.lua"]:45: dofile has been disabled
Running as user "root" and group "root". This could be dangerous.
Capturing on eth1
  6.987536      0.0.0.0 -> 255.255.255.255 DHCP 342 DHCP Discover - Transaction ID 0x97a3b630
  6.987813 10.180.163.200 -> 10.180.163.203 DHCP 342 DHCP Offer    - Transaction ID 0x97a3b630
  6.988263      0.0.0.0 -> 255.255.255.255 DHCP 342 DHCP Request  - Transaction ID 0x97a3b630
  6.989307 10.180.163.200 -> 10.180.163.203 DHCP 342 DHCP ACK      - Transaction ID 0x97a3b630

可以看到discover,offer,request和ack

VM1:查看client主机

~# tshark -i eth1 -R "udp.port == 67"
tshark: Lua: Error during loading:
 [string "/usr/share/wireshark/init.lua"]:45: dofile has been disabled
Running as user "root" and group "root". This could be dangerous.
Capturing on eth1
  9.471834      0.0.0.0 -> 255.255.255.255 DHCP 342 DHCP Discover - Transaction ID 0x97a3b630
  9.472527 10.180.163.200 -> 10.180.163.203 DHCP 342 DHCP Offer    - Transaction ID 0x97a3b630
  9.472750      0.0.0.0 -> 255.255.255.255 DHCP 342 DHCP Request  - Transaction ID 0x97a3b630
  9.472944 10.180.163.196 -> 10.180.163.199 DHCP 370 DHCP Offer    - Transaction ID 0x97a3b630
  9.473153 10.180.163.195 -> 10.180.163.199 DHCP 370 DHCP Offer    - Transaction ID 0x97a3b630
  9.473897 10.180.163.200 -> 10.180.163.203 DHCP 342 DHCP ACK      - Transaction ID 0x97a3b630

看到这里,应该自信满满地相信肯定分配了IP地址203,查看一下client

~# ifconfig eth1
eth1      Link encap:Ethernet  HWaddr fa:16:3e:ab:1d:c3
          inet addr:10.180.163.203  Bcast:10.180.163.255  Mask:255.255.255.240
          inet6 addr: fe80::f816:3eff:feab:1dc3/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:790 errors:0 dropped:0 overruns:0 frame:0
          TX packets:515 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:96388 (94.1 KiB)  TX bytes:162776 (158.9 KiB)

看到这里,可以发现,本来IP地址为199的主机,硬生生地被我搭建的DHCP服务器200分配了一个本不应该的IP地址203(201~203范围)
更有趣的是,就算被欺骗的VM2重启机器,会发现,多试几次依旧是可能被虚假DHCP服务器分配的IP地址203

root@test-spoofing-1:~# reboot

The system is going down for reboot NOW!t-spoofing-1 (pts/1) (Thu Oct 15 19:2
root@test-spoofing-1:~# Connection to 10.180.156.10 closed by remote host.
Connection to 10.180.156.10 closed.

~/server on  master! ⌚ 19:23:05
$ ssh -i dev.private root@10.180.156.10
Linux test-spoofing-1 3.2.0-4-amd64 #1 SMP Debian 3.2.65-1+deb7u1 x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Oct 15 19:23:47 2015 from 10.180.158.2
root@test-spoofing-1:~# ifconfig eth1
eth1      Link encap:Ethernet  HWaddr fa:16:3e:ab:1d:c3
          inet addr:10.180.163.203  Bcast:10.180.163.255  Mask:255.255.255.240
          inet6 addr: fe80::f816:3eff:feab:1dc3/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:49 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:4136 (4.0 KiB)  TX bytes:1172 (1.1 KiB)
 

发表回复