DHCP欺骗劫持与防御策略

一、任务目的

掌握DHCP的欺骗原理与DHCP监听配置

二、任务设备、设施

ensp win10 VMware typora win7

三、任务拓扑结构图

四、基本配置

1.接口IP与默认路由配置（在这里同样可以使用ospf，加上反掩码效果一样）

R1

system-view 
[Huawei]sysname R1
[R1]interface g0/0/0
[R1-GigabitEthernet0/0/0]ip address 192.168.1.1 24
[R1-GigabitEthernet0/0/0]quit 
[R1]interface g0/0/1
[R1-GigabitEthernet0/0/1]ip address 192.168.2.1 24
[R1-GigabitEthernet0/0/1]quit 
[R1]rip 1
[R1-rip-1]version 2
[R1-rip-1]network 192.168.1.0
[R1-rip-1]network 192.168.2.0
[R1-rip-1]quit 
[R1]ip route-static 0.0.0.0 0.0.0.0 192.168.2.2
[R1]quit

R2

system-view 
[Huawei]sysname R2
[R2]interface g0/0/0
[R2-GigabitEthernet0/0/0]ip address 192.168.2.2 24
[R2-GigabitEthernet0/0/0]quit 
[R2]interface g0/0/1
[R2-GigabitEthernet0/0/1]ip address 172.16.1.1 24
[R2-GigabitEthernet0/0/1]quit 
[R2]interface s2/0/0
[R2-Serial2/0/0]ip address 202.116.64.1 24
[R2-Serial2/0/0]quit 
[R2]rip 1
[R2-rip-1]version 2
[R2-rip-1]network 192.168.2.0
[R2-rip-1]network 172.16.0.0
[R2-rip-1]quit 
[R2]ip route-static 0.0.0.0 0.0.0.0 s2/0/0
[R2]

R3

system-view 
[Huawei]sysname R3
[R3]interface g0/0/0
[R3-GigabitEthernet0/0/0]ip address 203.203.100.1 24
[R3-GigabitEthernet0/0/0]quit 
[R3]interface s2/0/0
[R3-Serial2/0/0]ip address 202.116.64.2 24
[R3-Serial2/0/0]quit 
[R3]

2.Easy-IP配置

R2

[R2]acl 2000
[R2-acl-basic-2000]rule permit source 192.168.1.0 0.0.0.255
[R2-acl-basic-2000]rule permit source 192.168.2.0 0.0.0.255
[R2-acl-basic-2000]rule permit source 172.16.1.0 0.0.0.255
[R2-acl-basic-2000]quit 
[R2]interface s2/0/0
[R2-Serial2/0/0]nat outbound 2000
[R2-Serial2/0/0]quit
[R2]

3.DHCP配置（在这里是给R2开启DHCP服务，给技术部门和工程部门分配IP地址）

R2

[R2]dhcp enable 
[R2]ip pool jishu
[R2-ip-pool-jishu]network 192.168.1.0 mask 24
[R2-ip-pool-jishu]gateway-list 192.168.1.1
[R2-ip-pool-jishu]dns-list 192.168.2.254
[R2-ip-pool-jishu]excluded-ip-address 192.168.1.2 192.168.1.9
[R2-ip-pool-jishu]quit
[R2]ip pool gongcheng
[R2-ip-pool-gongcheng]network 172.16.1.0 mask 24
[R2-ip-pool-gongcheng]gateway-list 172.16.1.1
[R2-ip-pool-gongcheng]dns-list 192.168.2.254
[R2-ip-pool-gongcheng]excluded-ip-address 172.16.1.2 172.16.1.9
[R2-ip-pool-gongcheng]quit
[R2]interface g0/0/0
[R2-GigabitEthernet0/0/0]dhcp select global 
[R2-GigabitEthernet0/0/0]quit 
[R2]interface g0/0/1
[R2-GigabitEthernet0/0/1]dhcp select global
[R2-GigabitEthernet0/0/1]quit 
[R2]

global：选择全局模式下建立的地址池下发IP。网关、DNS等必须在地址池前预先定义

interface：选择当前接口IP段和掩码做为地址池下发，无须手动定义地址池，也无需指定网关与DNS的IP。分配的网关为当前接口IP，DNS必须在接口下配置

R1

[R1]dhcp enable 
[R1]interface g0/0/0
[R1-GigabitEthernet0/0/0]dhcp select relay 
[R1-GigabitEthernet0/0/0]dhcp relay server-ip 192.168.2.2
[R1-GigabitEthernet0/0/0]quit 
[R1]

4.配置百度服务器HttpServer

5.配置DNS Server

6.基本配置验证

技术部获取IP地址

访问外网百度域名

DNS解析百度域名

我在这里用的是pc进行测试，后续入侵实战会使用虚拟机进行操作

五、入侵实战

将黑客主机、伪造DHCP服务器和DNS服务器分别接入交换机

1.伪造DHCP服务器R4配置

system-view 
[Huawei]sysname R4
[R4]int GigabitEthernet0/0/0
[R4-GigabitEthernet0/0/0]ip add 192.168.1.9 24
[R4-GigabitEthernet0/0/0]quit
[R4]dhcp enable 
[R4]ip pool forged
[R4-ip-pool-forged]network 192.168.1.0 mask 24
[R4-ip-pool-forged]gateway-list 192.168.1.1
[R4-ip-pool-forged]dns-list 192.168.1.8
[R4-ip-pool-forged]quit
[R4]int GigabitEthernet 0/0/0
[R4-GigabitEthernet0/0/0]dhcp select global 
[R4-GigabitEthernet0/0/0]quit
[R4]

2.伪造DNS服务器配置

3.黑客主机配置

插入页面

发布Web伪造站点

4.入侵验证

六、防御策略

开启SW1的DHCP监听，添加信任端口

SW1

system-view 	
[Huawei]sysname SW1
[SW1]dhcp enable 
[SW1]dhcp snooping enable 
[SW1]dhcp snooping enable vlan 1
[SW1]interface GigabitEthernet 0/0/3
[SW1-GigabitEthernet0/0/3]dhcp snooping trusted 
[SW1-GigabitEthernet0/0/3]quit

任务验证

七、任务总结

• 攻击原理是利用了DHCP Server和DHCP Cilent之间没有验证的机制，是由广播的方式进行交互，所以攻击者利用了这个漏洞伪造DHCP Server实现流量窃取
• 攻击方式是伪造DHCP Server分配主机IP，并伪造信息提供给被攻击的主机，实现将被攻击者主机访问的站点未造成攻击者的主机，只要被攻击者访问之后就会下载攻击者提前准备好的木马并执行
• 防御方式是在交换机上配置DHCP监听，配置信任端口，只有信任的数据包才会进行接收，这样攻击者即使伪造了数据包也不会被接收
• DHCP欺骗劫持不属于病毒木马，不能通过安装防病