Today I’m going to show you something dangerous.
Really dangerous.
I once heard an alarming statistics that something like 90% of US based companies aren’t running port-security.
Starving kicks you out of the bed when you are trying to sleep. XML Word Printable. Type: Bug Status: Resolved. Resolution: Duplicate. Mac' LeVitus has been a Macintosh user for a long, long time and has written 49 computer books including Mac OS X Tiger For Dummies and GarageBand for Dummies. He also offers expert. Version 2.1 works with Mac OS 8.5 or higher. A Mac OS X version is in the works and should be out later this year, Susan Simmons, eZedia vice president of marketing, told MacCentral. On Mac we were testing the issue on a laptop and the lag in the timer during mouse movement seems more obvious (e.g. The timer can be delay by seconds) when the battery is low (around 20%) and the laptop is unplugged. Not sure if there is any power saving features on Mac that might have caused the issue. Like its Mac OS counterpart, FinSpy for Linux is also obfuscated using LLVM-Obfuscator. The udev2 installer then checks that the system is not a virtual machine, extracts files from itself and stores them in a hidden folder in the user’s home, such as at /.cache/.cfg or /.local/.apps.
Why does this matter?
Well, today I’m going to show you how to launch a DHCP starvation attack that will literally bring a Cisco router or switch to it’s knees.
- I’ll exhaust all the usable IP addresses on the subnet which prevents anyone from using the network
- I’ll completely disable the management plane so IT admins can’t console or SSH into the beleaguered device
- I won’t take the next step, but the next logical step would be to insert myself as a rogue DHCP server which would allow me to covertly capture and steal all data on the local subnet.
Yeah, this is bad. And the sad part is that it can prevented with one little Cisco command. Unfortunately, most organizations continue to ignore it and that’s why this is dangerous.
Going back to Kali
We’re going to use Kali Linux with Yersinia to launch a DHCP starvation attack on a Cisco router running as a DHCP server. I strongly suggest that you read my three part series on installing Kali Linux before you get started. I also suggest you check out the article I wrote on how DHCP works. Once you’ve got those things under your belt we can focus on committing network fracas.
Let the fracas begin
So I went ahead and setup a DHCP server on my router. Let’s take a look a few things first.
Let’s look at all the hosts that are currently leasing IP addresses from our server.
Now on a real network you would see dozens of MAC-to-IP bindings; however, I’ve got this thing going in my lab so the only binding present is the IP address of my Kali Linux machine.
Let’s look at few more things here:
This is a great command to quickly assess the health of your DHCP router. The relevant values for us are:
- Memory Usage
- DHCPDISCOVER
- DHCPOFFER
How Yersinia works
The reason I point out those three values is because the DHCP starvation attack will inundate the router with hundreds of thousands of DHCPOFFER frames which contain unique spoofed MAC addresses. Yersinia floods the router with more DHCPDISCOVERs than it can handle. We effecitlye launch a denial of service (DoS) attack against the router. The server faithfully tries to reply with a DHCPOFFER; however, given the voluminous number of DHCPOFFER frames the entire DHCP scope is exhausted and all useable IP addresses on the subnet will be consumed by fake devices using bogus MAC addresses.
How sinister.
This is actually a cruel attack because it’s so crude and damaging. It’s so easy to do this. A DHCP starvation attack is an egregious attack because you don’t even need to know anything about networking to do it.
Before we get started let me show you one more thing:
This command shows us the DHCP pool of addresses available for lease.
You can see the Total addresses attribute is set to 254. This means all we really need to do is flood the server with one more than the maximum; however, as you’re about to see, I’m about to destroy the server with thousands of frames.
A Starving Monk Mac Os 11
It’s about to get ugly.
Launching the DHCP Starvation Attack
Back in Kali Linux, we’re going to use Yersinia to digitally bomb the router.
Let’s see what we can do here…
Okay the usage line says we can type yersinia -G to launch the program in Graphical mode. Let’s do that.
When the GUI opens we instantly see a bunch of statistics in the left pane for the Cisco Discovery Protocol (CDP), 802.1Q (Trunking) and a bunch of others.
Click the DHCP tab then choose Launch attack in the upper left corner.
Select sending DISCOVER packet, click OK, and take a nap. The router will be offline in a few seconds.
It’s really that easy to destroy the local subnet.
I mean, look back in the left pane!
It’s only been running for 10 seconds and I’ve already swamped the feeble address space with over 180,000 spoofed DHCP Discover frames!
The poor router can barely keep up.
Let’s see the DHCP bindings again
Is this nuts or what?
You can see the entire address space is consumed. Yersinia poured tens of thousands of bogus frames into the server and completely exhausted the DHCP pool.
A Starving Monk Mac Os Sierra
Now if someone tries to uses the network it will fail. No one will be able to use browse the internet, access corporate databases or exchange email because there are no unassigned IP addresses to dish out.
A Starving Monk Mac Os 11
Furthermore, the management plane is completely destroyed. That is, our ability to login and manage the router is gone.
A few seconds later, I tried to type the show ip dhcp bind command but the router was completely locked up. After a minute, it returned by the database is destroyed.
Neither show ip dhcp bind nor show ip dhcp server stat do anything. The router is so busy drowning in the packet deluge that it can’t even execute our basic commands to show the memory usage.
The Bottom Line
Seriously that’s the bottom line. This one command will instantly limit the maximum number of MAC addresses on a switchport (or range of switchports) to 1.
Think about it.
Yersinia is effective because it sends thousands of fake MAC addresses through a single switchport but why do we ever need to allow more than one MAC address on a switchport?
I can think of a few exceptions:
- Your IT staff is testing something in a lab. Perhaps they have multiple virtual machines that need to communicate on the internet through the switchport. Each VM would have its own MAC address so you might need to lift the 1 MAC address limit for your team.
- If you have a legacy network connected through a hub you might need to lift the MAC limit to the number of hosts on that collision domain. So if you have 5 hosts plugged into that hub you might want to change the MAC limit to 5.
- Or maybe you have computers plugged into VoIP phones and you need to permit the MAC addresses of the workstation and VoIP phones. You could change the limit to 2. if you have VoIP in your network this could cause it to go down so you can change it accordingly:
There’s often no tangible reason why a switchport should ever allow more than one MAC address on a swichport.
If someone tried to launch Yersinia on a port-security enabled switch, it would immediately put the port in a secure-shutdown state. The port would imdiately turn off which protects the switch and alerts you that some buttmunch on your network is trying to take you down.
If you learned something new hit me up in the comments. Don’t let it happen to you.
Your Mac might be turned on but appear to be turned off, even though it's connected to AC power and a working display. Follow these steps.
- Press and hold the power button on your Mac for at least 10 seconds, then release. If your Mac is turned on, this forces it to turn off.
- If you see no change on your Mac, press and release the power button normally.
- If your Mac now turns on but doesn't finish starting up, follow the steps for when your Mac doesn't start up all the way.
- If your Mac still doesn't turn on, please contact Apple Support.