DHCP Spoofing/Hijacking and Defense Strategies
I. Task objective
Master the principle of DHCP spoofing and the configuration of DHCP snooping
II. Task equipment and facilities
eNSP, Win10, VMware, Typora, Win7
III. Task topology diagram
IV. Basic configuration
1. Interface IP and default route configuration (OSPF could be used here just as well; with the wildcard mask added, the effect is the same)
R1
system-view
[Huawei]sysname R1
[R1]interface g0/0/0
[R1-GigabitEthernet0/0/0]ip address 192.168.1.1 24
[R1-GigabitEthernet0/0/0]quit
[R1]interface g0/0/1
[R1-GigabitEthernet0/0/1]ip address 192.168.2.1 24
[R1-GigabitEthernet0/0/1]quit
[R1]rip 1
[R1-rip-1]version 2
[R1-rip-1]network 192.168.1.0
[R1-rip-1]network 192.168.2.0
[R1-rip-1]quit
[R1]ip route-static 0.0.0.0 0.0.0.0 192.168.2.2
[R1]quit
R2
system-view
[Huawei]sysname R2
[R2]interface g0/0/0
[R2-GigabitEthernet0/0/0]ip address 192.168.2.2 24
[R2-GigabitEthernet0/0/0]quit
[R2]interface g0/0/1
[R2-GigabitEthernet0/0/1]ip address 172.16.1.1 24
[R2-GigabitEthernet0/0/1]quit
[R2]interface s2/0/0
[R2-Serial2/0/0]ip address 202.116.64.1 24
[R2-Serial2/0/0]quit
[R2]rip 1
[R2-rip-1]version 2
[R2-rip-1]network 192.168.2.0
[R2-rip-1]network 172.16.0.0
[R2-rip-1]quit
[R2]ip route-static 0.0.0.0 0.0.0.0 s2/0/0
[R2]
R3
system-view
[Huawei]sysname R3
[R3]interface g0/0/0
[R3-GigabitEthernet0/0/0]ip address 203.203.100.1 24
[R3-GigabitEthernet0/0/0]quit
[R3]interface s2/0/0
[R3-Serial2/0/0]ip address 202.116.64.2 24
[R3-Serial2/0/0]quit
[R3]
2. Easy IP configuration
R2
[R2]acl 2000
[R2-acl-basic-2000]rule permit source 192.168.1.0 0.0.0.255
[R2-acl-basic-2000]rule permit source 192.168.2.0 0.0.0.255
[R2-acl-basic-2000]rule permit source 172.16.1.0 0.0.0.255
[R2-acl-basic-2000]quit
[R2]interface s2/0/0
[R2-Serial2/0/0]nat outbound 2000
[R2-Serial2/0/0]quit
[R2]
3. DHCP configuration (here the DHCP service is enabled on R2, which assigns IP addresses to the technology department and the engineering department)
R2
[R2]dhcp enable
[R2]ip pool jishu
[R2-ip-pool-jishu]network 192.168.1.0 mask 24
[R2-ip-pool-jishu]gateway-list 192.168.1.1
[R2-ip-pool-jishu]dns-list 192.168.2.254
[R2-ip-pool-jishu]excluded-ip-address 192.168.1.2 192.168.1.9
[R2-ip-pool-jishu]quit
[R2]ip pool gongcheng
[R2-ip-pool-gongcheng]network 172.16.1.0 mask 24
[R2-ip-pool-gongcheng]gateway-list 172.16.1.1
[R2-ip-pool-gongcheng]dns-list 192.168.2.254
[R2-ip-pool-gongcheng]excluded-ip-address 172.16.1.2 172.16.1.9
[R2-ip-pool-gongcheng]quit
[R2]interface g0/0/0
[R2-GigabitEthernet0/0/0]dhcp select global
[R2-GigabitEthernet0/0/0]quit
[R2]interface g0/0/1
[R2-GigabitEthernet0/0/1]dhcp select global
[R2-GigabitEthernet0/0/1]quit
[R2]
global: addresses are assigned from an address pool created in system view. The gateway, DNS and other parameters must be defined in the address pool in advance.
interface: the current interface's IP subnet and mask are used as the address pool; there is no need to define an address pool manually or to specify the gateway and DNS IP. The assigned gateway is the interface's own IP; DNS must be configured under the interface.
R1
[R1]dhcp enable
[R1]interface g0/0/0
[R1-GigabitEthernet0/0/0]dhcp select relay
[R1-GigabitEthernet0/0/0]dhcp relay server-ip 192.168.2.2
[R1-GigabitEthernet0/0/0]quit
[R1]
4. Configure the Baidu server (HttpServer)
5. Configure the DNS server
6. Basic configuration verification
The technology department obtains an IP address
Access the external Baidu domain name
DNS resolves the Baidu domain name
I used a PC for testing here; the subsequent intrusion practice will use a virtual machine.
V. Intrusion practice
Connect the attacker host, the rogue DHCP server and the rogue DNS server to the switch
1. Rogue DHCP server R4 configuration
system-view
[Huawei]sysname R4
[R4]int GigabitEthernet0/0/0
[R4-GigabitEthernet0/0/0]ip add 192.168.1.9 24
[R4-GigabitEthernet0/0/0]quit
[R4]dhcp enable
[R4]ip pool forged
[R4-ip-pool-forged]network 192.168.1.0 mask 24
[R4-ip-pool-forged]gateway-list 192.168.1.1
[R4-ip-pool-forged]dns-list 192.168.1.8
[R4-ip-pool-forged]quit
[R4]int GigabitEthernet 0/0/0
[R4-GigabitEthernet0/0/0]dhcp select global
[R4-GigabitEthernet0/0/0]quit
[R4]
2. Rogue DNS server configuration
3. Attacker host configuration
Insert the page
Publish the forged web site
4. Intrusion verification
VI. Defense strategy
Enable DHCP snooping on SW1 and add a trusted port
SW1
system-view
[Huawei]sysname SW1
[SW1]dhcp enable
[SW1]dhcp snooping enable
[SW1]dhcp snooping enable vlan 1
[SW1]interface GigabitEthernet 0/0/3
[SW1-GigabitEthernet0/0/3]dhcp snooping trusted
[SW1-GigabitEthernet0/0/3]quit
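As an added illustration of the rule the SW1 configuration above enforces (example code written for this page, not anything from eNSP or Huawei VRP), the following Python builds constructed DHCP packets and applies the trusted-port check to them: the OFFER relayed by R1 arrives on the trusted port G0/0/3 and is forwarded, while R4's OFFER (server identifier 192.168.1.9, DNS 192.168.1.8) arriving on an untrusted port is dropped. The client port G0/0/1, the rogue port G0/0/5, the transaction ID and the offered address 192.168.1.10 are assumptions.

```python
import struct

MAGIC = b"\x63\x82\x53\x63"                   # cookie that starts the DHCP options field
SERVER_MSG = {2: "OFFER", 5: "ACK", 6: "NAK"}  # option 53 values that only a DHCP server sends

def ip4(dotted):
    return bytes(int(o) for o in dotted.split("."))

def build_dhcp(op, yiaddr, options):
    """Construct a minimal BOOTP/DHCP packet: 236-byte fixed header, cookie, TLV options, END."""
    fixed = struct.pack("!BBBBIHH", op, 1, 6, 0, 0x3903F326, 0, 0x8000)  # xid is a constructed value
    fixed += b"\0" * 4 + ip4(yiaddr) + b"\0" * (4 + 4 + 16 + 64 + 128)   # ciaddr, yiaddr, rest zeroed
    tlv = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return fixed + MAGIC + tlv + b"\xff"

def parse_options(pkt):
    """Return {code: value} for the DHCP options, honouring PAD (0) and END (255)."""
    if pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    i, opts = 240, {}
    while i < len(pkt) and pkt[i] != 255:
        if pkt[i] == 0:          # PAD: single byte, no length
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def snoop(frames, trusted_ports):
    """Snooping verdict per (ingress_port, packet): server replies pass only from trusted ports."""
    verdicts = []
    for port, pkt in frames:
        opts = parse_options(pkt)
        kind = SERVER_MSG.get(opts.get(53, b"\0")[0], "CLIENT")
        server_id = ".".join(map(str, opts.get(54, b"\0\0\0\0")))
        action = "DROP" if kind != "CLIENT" and port not in trusted_ports else "FORWARD"
        verdicts.append((port, kind, action, server_id))
    return verdicts

def demo():
    """Constructed frames: client DISCOVER, the OFFER relayed by R1 on trusted G0/0/3, R4's OFFER on G0/0/5."""
    discover = build_dhcp(1, "0.0.0.0", [(53, b"\x01")])
    legit = build_dhcp(2, "192.168.1.10", [(53, b"\x02"), (54, ip4("192.168.2.2")),
                                           (3, ip4("192.168.1.1")), (6, ip4("192.168.2.254"))])
    rogue = build_dhcp(2, "192.168.1.10", [(53, b"\x02"), (54, ip4("192.168.1.9")),
                                           (3, ip4("192.168.1.1")), (6, ip4("192.168.1.8"))])
    return snoop([("G0/0/1", discover), ("G0/0/3", legit), ("G0/0/5", rogue)], {"G0/0/3"})
```

Calling demo() returns one verdict tuple per frame; the DROP verdict on G0/0/5 is exactly what the dhcp snooping trusted setting on G0/0/3 produces on SW1.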
Task verification
VII. Task summary
- The attack principle exploits the fact that there is no authentication mechanism between the DHCP server and the DHCP client and that they interact by broadcast, so an attacker uses this weakness to forge a DHCP server and steal traffic.
- The attack method is to forge a DHCP server that assigns host IP addresses and supplies forged information to the attacked host, so that the sites the victim host visits are redirected to the attacker's host; as soon as the victim visits them, the trojan the attacker prepared in advance is downloaded and executed.
- The defense is to configure DHCP snooping on the switch and configure a trusted port; only DHCP packets from the trusted port are accepted, so even if the attacker forges packets they are not accepted.
- DHCP spoofing/hijacking is not a virus or trojan, and cannot be defended against by installing anti-virus