Customized DHCP servers for added security.

[Vector]

Hey guys, not exactly a thread to do with the exploitation of networks, however it has to do with security of a  more personal and 'blue team' kind of nature.

What i am trying to achieve is have two network interfaces, say eth0 and eth1, eth0 connects to the DHCP server my router provides but i want to eth1 to connect to a DHCP server i set up locally.

DHCP servers are interesting from an OPSEC perspective. A lot of implementations allow the user to configure more than simple IP leases. 

My custom DHCP server would refer to a PAC/WPAD server that will provide a PAC script, a PAC script is a script for automating proxy management.

A typical PAC script might look like this. If you are familiar with JavaScript you might recognize the syntax.

Code:

function FindProxyForURL(url, host) {

// If the hostname matches, send direct.
if (dnsDomainIs(host, "intranet.domain.com") ||
shExpMatch(host, "(*.abcdomain.com|abcdomain.com)"))
return "DIRECT";

// If the protocol or URL matches, send direct.
if (url.substring(0, 4)=="ftp:" ||
shExpMatch(url, "http://abcdomain.com/folder/*"))
return "DIRECT";

// If the requested website is hosted within the internal network, send direct.
if (isPlainHostName(host) ||
shExpMatch(host, "*.local") ||
isInNet(dnsResolve(host), "10.0.0.0", "255.0.0.0") ||
isInNet(dnsResolve(host), "172.16.0.0",  "255.240.0.0") ||
isInNet(dnsResolve(host), "192.168.0.0",  "255.255.0.0") ||
isInNet(dnsResolve(host), "127.0.0.0", "255.255.255.0"))
return "DIRECT";

// If the IP address of the local machine is within a defined
// subnet, send to a specific proxy.
if (isInNet(myIpAddress(), "10.10.5.0", "255.255.255.0"))
return "PROXY 1.2.3.4:8080";

// DEFAULT RULE: All other traffic, use below proxies, in fail-over order.
return "PROXY 4.5.6.7:8080; PROXY 7.8.9.10:8080";

Now say i would want the PAC script to govern which web resources get connected to via a proxy i would add an entry in my DHCP config file that refers to the server i set up to provide the PAC script. These entries might look like this.

Code:

option local-pac-server code 252 = text;
option local-pac-server “http://wpad.example.com:80/wpad.dat”;

So far so good, i know how to configure a DHCP server. However i am unsure as to how to set up an interface that uses the DHCP server i set up locally. I've been reading man pages and online resources since getting better at networking is really something i am quite keen on anyway. However the answer still eludes me.

I am not a networking expert so i apologize in advance if the answer might seem obvious to you, but i would appreciate any help, insight or tips you may be able to provide with regards to this.


Thanks guys.

[Insider]

Hm, that's an interesting idea. But why do two interfaces? Why not just hijack/spoof the first interface to your own DHCP? I'm not too keen on networking as of yet. But I can't see how the workstation would work using two different interfaces and two different DHCP servers at the same time. Wouldn't they conflic with each other? I feel it would be more logical for your evil DHCP to replace the other.

As of interaces, maybe you can set up a virtual interface? Like maybe https://access.redhat.com/documentation/...ython.html

Very interesting project idea, might read up some more about this myself.

[Vector]

Hm, that's an interesting idea. But why do two interfaces? Why not just hijack/spoof the first interface to your own DHCP? I'm not too keen on networking as of yet. But I can't see how the workstation would work using two different interfaces and two different DHCP servers at the same time. Wouldn't they conflic with each other? I feel it would be more logical for your evil DHCP to replace the other.

As of interaces, maybe you can set up a virtual interface? Like maybe https://access.redhat.com/documentation/...ython.html

Very interesting project idea, might read up some more about this myself.

It's not a matter of using two interfaces at the same time. If eth0 is up then eth1 is down and vice versa. eth0 is default, it always uses the DHCP my router provides and is vanilla as far as configuration is concerned.

eth1 on the other hand would instead of connecting to my router for it's DHCP server, it would connect to one that i set up locally and is started at the same time i switch to the interface in question.

The point is to be able to switch between interfaces, so i can turn on OPSEC mode by switching to eth1, and turn it off again by switching to eth0.

[MuddyBucket]

I might be missing something...

But you should not have 2 DHCP services running on the same network segment. With the exception of redundancy. DHCP is by nature a broadcast service. Your device sends out a broadcast and says "who can give me an IP?". A DHCP service says "here, you can use one of mine".

This gets all fuddled up when there are multiple DHCP services on the same network. they both respond to the request. To my knowledge there is no way to say eth0, use 192.168.1.1 as your dhcp server, eth1 use 192.168.1.10 as your dhcp server. You'd likely need to do that for every computer on your network so they don't get confused, which defeats the purpose of DHCP in the first place.

You can however define different gateways for each interface. So you can say eth0, use gateway 192.168.1.1, and eth1 you use 192.168.10.1 as your gateway. Each of those networks can then have their own individual DHCP servers. eth0 will get an IP from the DHCP server on the 192.168.1.1 network, and eth1 will get an IP from the 192.168.10.1 network.

Does that make sense? I mean setting up different networks for each interface will still accomplish what you want to do.