Buy or Renew
Buy or Renew
Notice: The file download function is disabled. We apologize for the inconvenience.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
540
Views
0
Helpful
1
Replies

Simulating a Rogue DCHP server

blue phoenix
Level 1
Level 1

‎10-06-2016 03:59 AM - edited ‎03-08-2019 07:42 AM

Hi, I have implemented this scenario wherein the DHCP server is 3 router's away or 3 hops away from the access layer switches. I have connected two cisco routers on the access switches that emulates PC1 and Rogue DHCP server in that order.

I have shutdown the ports on the true DHCP server.

The SVI on the access switch is configured with ip helper-address [ip address of DHCP server].

I have enabled debug dhcp detail on the 2 cisco routers(PCI and Rogue DHCP server). It seems that the PC1 can't see the Rogue DHCP server. Might this be an IOU software bug? I have reloaded my VMware number of tmes and started it back up but still the PC can't get an IP on the Rogue DHCP server. I have not yet enabled spoofing so the Rogue DHCP server should get it....

debug on client: MKTG1#!!!!!! *Mar 1 00:31:03.091: DHCP: SDiscover attempt # 2 for entry: *Mar 1 00:31:03.095: Temp IP addr: 0.0.0.0 for peer on Interface: Ethernet0 *Mar 1 00:31:03.095: Temp sub net mask: 0.0.0.0 *Mar 1 00:31:03.095: DHCP Lease server: 0.0.0.0, state: 1 Selecting *Mar 1 00:31:03.095: DHCP transaction id: 710 *Mar 1 00:31:03.095: Lease: 0 secs, Renewal: 0 secs, Rebind: 0 secs *Mar 1 00:31:03.095: Next timer fires after: 00:00:04 *Mar 1 00:31:03.095: Retry count: 2 Client-ID: cisco-d00c.1c4b.0001-Et0 *Mar 1 00:31:03.095: Client-ID hex dump: 636973636F2D643030632E316334622E *Mar 1 00:31:03.095: 303030312D457430

debug on Rogue DHCP server: ROGUEDHCP#!! *Mar 1 00:31:08.155: DHCPD: DHCPDISCOVER received from client 0063.6973.636f.2d64.3030.632e.3163.3462.2e30.3030.312d.4574.30 on interface Ethernet0.

Here is the topology I made...

http://imgur.com/a/Zssks

Labels:
Preview file
207 KB
0 Helpful
1 Reply 1

Milos Megis
Level 3
Level 3

‎10-07-2016 01:51 AM

Maybe I didn´t understand it correctly. But...

Do you have rogue DHCP server on same broadcast domain as PC - victim of attack ?

Because PC send broadcast which rogue DHCP server can catch. But traffic from router where is helper-address configured to real DHCP server is sent by unicast.

So it will work only if rogue DHCP server will be on same broadcast domain as PC which should be victim.

0 Helpful
Customers Also Viewed These Support Documents