DHCP



The Dynamic Host Configuration Protocol (DHCP) is a network management protocol used on TCP/IP networks, whereby a DHCP server dynamically assigns an IP address and other network configuration parameters to each device on a network so that it can communicate with other IP networks. A DHCP server enables computers to request IP addresses and networking parameters automatically from the Internet service provider (ISP), reducing the need for a network administrator or a user to manually assign IP addresses to all network devices. In the absence of a DHCP server, a computer or other device on the network needs to be manually assigned an IP address.


DHCP runs on UDP ports 66 & 67 and allows automatic configuration of many different parameters (called "Options") in addition to the requested IP address, including:

  1. Subnet Mask
  2. Router Address
  3. DNS Address
  4. Vendor Class Identifier

DHCP is based on a client-server model. A host running a DHCP client (e.g., a laptop) sends Layer-2 broadcast frames carrying its source MAC address so that the DHCP server can reserve the offered IP address for that DHCP client. The exchange has four steps:

  1. Discovery - DHCP host broadcasts to find local DHCP server
  2. Offer - DHCP server advertises address lease via unicast
  3. Request - DHCP host broadcasts requesting the address
  4. ACK - DHCP server reserves the address, sending acknowledgment



We are going to see only 2 types of attacks exploiting DHCP.

ACK Injection


ACK injection consists of an attacker monitoring a DHCP conversation between the DHCP server and a potential network node, and at some point during the conversation, sending a packet to interfere with the conversation. By controlling the DHCP process, the attacker controls the association between the IP address and MAC address of the sheep device - an alternative attack to ARP Poisoning with the same end.




In computer networking, DHCP snooping is a series of techniques applied to improve the security of a DHCP infrastructure.
When DHCP servers are allocating IP addresses to the clients on the LAN, DHCP snooping can be configured on LAN switches to prevent malicious or malformed DHCP traffic, or rogue DHCP servers. In addition, information on hosts which have successfully completed a DHCP transaction is accrued in a database of "bindings" which may then be used by other security or accounting features.


Other features may use DHCP snooping database information to ensure IP integrity on a Layer 2 switched domain. This information enables a network to:
  • Track the physical location of IP addresses when combined with AAA accounting or SNMP.
  • Ensure that hosts only use the IP addresses assigned to them when combined with source-guard, a.k.a. source-lockdown.
  • Sanitize ARP requests when combined with arp-inspection, a.k.a. arp-protect.
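
As an added illustration of the snooping behaviour described above (not code from the original post or from any switch vendor), this Python sketch parses the DHCP message type (option 53), drops server-type messages that arrive on untrusted ports, and records a binding when a trusted port delivers the ACK. The port names, addresses and the `Snooper`, `parse_dhcp`, `build` and `demo` names are assumptions made for the example, and real switches apply further checks not modelled here.

```python
import struct

MAGIC = bytes([99, 130, 83, 99])       # DHCP magic cookie after the 236-byte BOOTP header
SERVER_TYPES = {2, 5, 6}               # option 53 values only a server sends: OFFER, ACK, NAK

def parse_dhcp(payload):               # -> (msg_type, xid, yiaddr, client_mac)
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP payload")
    xid = struct.unpack("!I", payload[4:8])[0]
    yiaddr = ".".join(str(b) for b in payload[16:20])
    mac = payload[28:34].hex(":")
    i, msg_type = 240, None
    while i + 1 < len(payload) and payload[i] != 255:   # 255 = End option
        code, length = payload[i], payload[i + 1]
        if code == 53 and length == 1 and i + 2 < len(payload):
            msg_type = payload[i + 2]
        i += 1 if code == 0 else 2 + length             # 0 = Pad, which has no length byte
    return msg_type, xid, yiaddr, mac

class Snooper:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.pending = {}    # xid -> (client MAC, client port) seen in a client message
        self.bindings = {}   # client MAC -> (leased IP, client port)

    def handle(self, port, payload):
        msg_type, xid, yiaddr, mac = parse_dhcp(payload)
        if msg_type not in SERVER_TYPES:                # DISCOVER, REQUEST, ...
            self.pending[xid] = (mac, port)
            return "forward"
        if port not in self.trusted:
            return "drop"                               # rogue server or injected reply
        if msg_type == 5 and self.pending.get(xid, (None,))[0] == mac:
            self.bindings[mac] = (yiaddr, self.pending.pop(xid)[1])
        return "forward"

    def source_allowed(self, port, mac, ip):            # source-guard style lookup
        return self.bindings.get(mac) == (ip, port)

def build(msg_type, xid, mac, yiaddr="0.0.0.0"):        # constructed sample payload, not a capture
    head = struct.pack("!BBBBIHH", 2 if msg_type in SERVER_TYPES else 1, 1, 6, 0, xid, 0, 0)
    addrs = bytes(4) + bytes(int(o) for o in yiaddr.split(".")) + bytes(8)
    chaddr = bytes.fromhex(mac.replace(":", "")) + bytes(10)
    return head + addrs + chaddr + bytes(192) + MAGIC + bytes([53, 1, msg_type, 255])

def demo():                                             # ports and addresses are made up
    sw, mac = Snooper({"uplink"}), "02:00:00:00:00:0a"
    steps = [("port5", 1, "0.0.0.0"), ("port9", 5, "10.0.0.66"), ("uplink", 2, "192.168.1.50"),
             ("port5", 3, "0.0.0.0"), ("uplink", 5, "192.168.1.50")]
    return sw, [sw.handle(port, build(t, 0x1234, mac, ip)) for port, t, ip in steps]
```

In `demo()` the second message is an ACK arriving on an access port, which is dropped; only the ACK from the trusted uplink creates the binding that `source_allowed` later consults.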


