Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
What I don't understand is catkin's comment. It seems that if a host is granted DHCP interaction, some port has to be open to allow DHCP, and so it has to be detectable on the LAN. Further, it appears that a malicious squatter on the LAN that did not have an IP assigned by the router would seem to be unable to monitor traffic on the LAN. That is, could a stealth node attach itself to the LAN, not receive an IP, open its NIC to promiscuous mode, sniff all traffic, and take away information? If so, how do we detect such a squatting laptop, in addition to DHCP hosts? Does this make sense?
Of course it must open the necessary ports to get the DHCP lease but it could stealth all ports after that.
Edit:
The second scenario, of simply connecting to the LAN with network adapter in promiscuous mode and sniffing all packets would only be effective if it were not connected to a switch. A switch would only send IP packets associated with the computer's MAC address.
Thus network probes would not find a stealthed computer that had got an IP by DHCP, and the stealthed computer would only be detectable by appearance in the DHCP server's lease list or by analysing all traffic looking for traffic to an IP that ought not be in use. To circumvent this, a malicious person could simply configure an IP address without using DHCP, hoping it is unused. Their chances of success would be <number of IP addresses on the LAN used> divided by <number of IP addresses in the LAN range>, probably a little better guessing that local conventions tend to use the top and bottom of the range for particular purposes, e.g. servers at the bottom and network devices at the top.
My home router allows assigning IP addresses to MAC addresses. I used this so that each host always gets the same IP address and so I don't need to re-edit the /etc/hosts file on each host. I found that avahi resolution of hostname.local worked but was way too slow.
One could also use dnsmasq to maintain hostname/IP addresses. It uses its own /etc/hosts file as the database for DNS requests for hosts on the LAN. It also includes a DHCP server. This would allow you to maintain a single hosts file.
Thanks. I didn't know a system could grant itself an available IP and effectively join without approval of the router sending it one. It looks like it's a good idea to configure my router to grant/deny IP addresses by MAC, as suggested by jschwial. A script would also be useful. Configure the router to do periodic logging of its clients table, and have the script check these logs to notify me in a terminal if a non-approved MAC is somehow on the clients list? When purchasing new systems or retiring old systems, I can add or remove MACs from an approved MAC list, it appears. Perhaps this will work...hmmm... Also will keep my eyes open here for other solutions; putting a lot of MAC information out there by logging, by an access list in the router, etc., might create vulnerabilities itself, apparently.
Last edited by crackpipe; 07-31-2009 at 11:52 AM..
Reason: clarification
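The kind of checker discussed in this thread, written as an added example that is not from any poster here: it reads the dnsmasq DHCP lease file (which catkin notes is the one place a stealthed DHCP client must appear) and the kernel ARP cache (which also catches a host that self-assigned an unused IP and never used DHCP, the case catkin raised), and reports any MAC not on an approved list. The lease-file path is the dnsmasq default but is an assumption for your system, the lease-line layout ("expiry mac ip hostname client-id") and the /proc/net/arp columns are the standard formats, and the lease lines, ARP entries and approved list embedded below are constructed sample data.

```python
import re

# Default lease file written by dnsmasq's DHCP server (path assumed; check your install).
DNSMASQ_LEASES_PATH = "/var/lib/misc/dnsmasq.leases"
# Kernel ARP/neighbour cache: every host the router has exchanged ARP with shows up here,
# including hosts that self-assigned an IP without ever requesting a DHCP lease.
PROC_ARP_PATH = "/proc/net/arp"

MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$")

# Constructed sample lease file: "expiry mac ip hostname client-id", one lease per line.
SAMPLE_LEASES = """\
1248899520 00:11:22:33:44:55 192.168.1.10 desktop 01:00:11:22:33:44:55
1248899600 66:77:88:99:aa:bb 192.168.1.23 * *
1248899700 AA:BB:CC:DD:EE:01 192.168.1.50 laptop 01:aa:bb:cc:dd:ee:01
"""

# Constructed sample of /proc/net/arp. Flags 0x2 = complete entry, 0x0 = unresolved.
SAMPLE_ARP = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.10     0x1         0x2         00:11:22:33:44:55     *        eth0
192.168.1.77     0x1         0x2         de:ad:be:ef:00:01     *        eth0
192.168.1.99     0x1         0x0         00:00:00:00:00:00     *        eth0
"""

# Constructed approved list; in practice keep it in a root-only file, not in the script.
APPROVED_MACS = {"00:11:22:33:44:55", "aa-bb-cc-dd-ee-01"}


def normalize_mac(mac):
    """Lower-case and use ':' separators so comparisons do not depend on formatting."""
    return mac.strip().lower().replace("-", ":")


def parse_leases(text):
    """Return a list of {'mac', 'ip', 'hostname'} dicts from dnsmasq lease-file text."""
    leases = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        mac = normalize_mac(parts[1])
        if not MAC_RE.match(mac):
            continue  # skip malformed lines rather than crash the checker
        hostname = parts[3] if len(parts) > 3 else "*"
        leases.append({"mac": mac, "ip": parts[2], "hostname": hostname})
    return leases


def parse_arp(text):
    """Return {'mac', 'ip', 'hostname'} dicts for complete entries in /proc/net/arp text."""
    entries = []
    for line in text.splitlines()[1:]:  # first line is the column header
        parts = line.split()
        if len(parts) < 4:
            continue
        ip, flags, mac = parts[0], int(parts[2], 16), normalize_mac(parts[3])
        if not flags & 0x2 or mac == "00:00:00:00:00:00":
            continue  # incomplete entry: no real MAC learned yet
        entries.append({"mac": mac, "ip": ip, "hostname": "*"})
    return entries


def find_unapproved(hosts, approved):
    """Keep only hosts whose MAC is not on the approved list."""
    allowed = {normalize_mac(m) for m in approved}
    return [h for h in hosts if h["mac"] not in allowed]


def audit(lease_text, arp_text, approved):
    """Combine both sources into a sorted list of (mac, ip, source) tuples."""
    found = set()
    for h in find_unapproved(parse_leases(lease_text), approved):
        found.add((h["mac"], h["ip"], "dhcp-lease"))
    for h in find_unapproved(parse_arp(arp_text), approved):
        found.add((h["mac"], h["ip"], "arp-cache"))
    return sorted(found)


def main():
    try:
        with open(DNSMASQ_LEASES_PATH) as f:
            lease_text = f.read()
        with open(PROC_ARP_PATH) as f:
            arp_text = f.read()
    except OSError:
        lease_text, arp_text = SAMPLE_LEASES, SAMPLE_ARP  # fall back to the constructed samples
    for mac, ip, source in audit(lease_text, arp_text, APPROVED_MACS):
        print(f"UNAPPROVED {mac} at {ip} (seen in {source})")


if __name__ == "__main__":
    main()
```

Run it from cron on the router or DHCP host and mail or log the output. In the sample data the host at 192.168.1.77 never took a lease, so it is visible only in the ARP cache, which is why checking the lease list alone is not enough. The check is an inventory aid rather than proof of identity: a MAC address is set by the host and can be changed, so treat the approved list as one layer alongside the MAC-to-IP assignment and traffic review already mentioned in the thread.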